Re: A couple of random questions about login

On 09/02/2013 09:12 PM, Bill Oliver wrote:
> 
> So, I was watching a TV show the other day where it was one of those
> things where the good guy tries to break into the bad guy's computer
> and, because of his great investigative skills, guesses that the
> password is a word in a book from the bad guy's favorite author.  But,
> first, the good guy tried a couple of other obvious guesses -- the name
> of the bad guy's boat, etc.
> 
> My wife turned to me and said, "If I were the bad guy, I'd just have the
> computer delete everything if someone entered the boat name, or at least
> send me a text.  The boat was an obvious guess, and I would never
> accidentally type it in."
> 
> My answer was "That makes sense, but I have no clue about how to do it."
> 
> Now I can't get the idea out of my head.  Worse, I've realized that I
> don't know, at a process level, what happens when one types in a
> password.  Yes, I know about /etc/password and /etc/shadow files, and I
> know about encryption.  But I don't know step by step in terms of what
> processes do what when a password is entered.
> 
> So:
> 
> 1) What happens at a process level when one hits return after typing in
> a password?  Is everything handled by the kernel? Where is this described?

Only the hash of the password is stored in '/etc/shadow', and the hash
algorithms are one-way functions. So you cannot 'decrypt' the hash to
get the original password. When the password is entered at the login
terminal, by default the 'pam_unix.so' PAM module is called, which
hashes the given password using the same hash algorithm used for the
stored password, and compares the resultant hash with the stored hash.
If it matches, the user is authenticated. Since hash values would be the
same for a given string across all systems, when the same hash function
is used, a salted hash is used by default for passwords, to make it not
too obvious.

> 
> 2) Is it possible to script different responses to different (incorrect)
> passwords?
> 
> 

Theoretically, you could have this done, by using a PAM module designed
for this, to be run before the 'pam_unix.so' module, in
'/etc/pam.d/login' for terminal login, or for wider use, in
'/etc/pam.d/system-auth'.


> Thanks,
> 
> billo
> 


-- 
Regards,

Rejy M Cyriac (rmc)
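
Added example, not part of the original message and not pam_unix code: a sketch of the salted hash-and-compare step described in the reply, with a decoy-password check evaluated first, the way a module stacked ahead of 'pam_unix.so' would see the attempt first. Assumptions: PBKDF2 from Python's hashlib stands in for the crypt(3) schemes a real '/etc/shadow' uses, the '$demo$' scheme id and all function names are made up for illustration, and the passwords are constructed samples.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # constructed work factor for this demo


def make_entry(password, salt=None):
    """Build a shadow-style '$id$salt$hash' field (the id 'demo' is made up)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"$demo${salt.hex()}${digest.hex()}"


def matches(entry, attempt):
    """Re-hash the attempt with the salt stored in the entry and compare."""
    _, scheme, salt_hex, _ = entry.split("$")
    if scheme != "demo":
        return False
    candidate = make_entry(attempt, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, entry)  # constant-time comparison


def check_login(real_entry, decoy_entries, attempt):
    """Return 'decoy', 'ok' or 'fail'; decoys are tested before the real hash."""
    hit = False
    for entry in decoy_entries:  # test every decoy so timing hides which one hit
        hit |= matches(entry, attempt)
    if hit:
        return "decoy"  # a real module would log or send a notification here
    return "ok" if matches(real_entry, attempt) else "fail"


if __name__ == "__main__":
    real = make_entry("correct horse battery staple")  # constructed sample
    decoys = [make_entry("SeaBreeze")]                 # constructed boat name
    for guess in ("SeaBreeze", "hunter2", "correct horse battery staple"):
        print(guess, "->", check_login(real, decoys, guess))
    # Same password, fresh salt: the stored fields differ.
    print(make_entry("SeaBreeze") != decoys[0])
```

Only salted hashes of the decoys are stored, so reading the decoy list reveals no more than reading '/etc/shadow' does.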