On Wed, Apr 22, Sudarshan Soma wrote:

> On Wed, Apr 22, 2009 at 2:48 AM, Martin <inkubus@xxxxxxxxxxxxxxxx> wrote:
> > On Sun, 2009-04-19 at 12:00 -0400, pam-list-request@xxxxxxxxxx wrote:
> >> >> Hi All,
> >> >> Can anyone please let me know what block cipher mode (Electronic
> >> >> Codebook Mode (ECB), Cipher Blockchaining Mode (CBC), ..)
> >> >> does the crypt function used in pam_unix use.
> >> > It doesn't. These are for symmetric encryption, the crypt function
> >> > uses them as a one way hash (that's why the later versions use MD5).
> >> >
> >> [Pavan] Thanks Martin. I was a bit confused when it says that crypt uses
> >> modified form of DES algorithm
> >> (http://en.wikipedia.org/wiki/Crypt_(Unix)#Modifications_of_the_traditional_scheme).
> >>
> >> So these cipher modes are not applicable for storing/verifying
> >> passwords using crypt.
> > No - they are a tool for a different job.
> >
> >> My requirement is to make passwds more secure.
> > More secure against what? Security is not a linear variable. The
> > storage format of the password hashes is almost certainly not the
> > weakest link in the chain.
> >
> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
> >> (etc/sysconfig/authconfig) would be enough as the first step.
> > Shadow passwords and using the MD5 based version of crypt are both good
> > ideas and an improvement - whether they will be enough rather depends on
> > your security policy.
> >
> [Pavan] I consider this change as my first step. I have to enable
> symmetrically encrypted passwords (which can be decrypted and used for
> other purposes) which are used on all the interfaces (telnet, ssh,
> ftp, ..) for authentication.
> I am trying to figure out if this can be achieved easily using
> pam_unix module. I will investigate this further and let you know my
> findings.

Code for symmetrically encrypted passwords doesn't exist; you have to
implement something on your own. You need to look at the system crypt()
function for this.

  Thorsten

-- 
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
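
Added example, not part of the original thread: because crypt() output is a one-way hash, entries written before a switch to the MD5-based scheme keep their old format until each password is next changed. This Python script classifies the password field of shadow-format lines by its crypt(3) prefix and lists accounts not yet on the wanted scheme; the sample entries are constructed, the function names are illustrative, and the prefix table covers more schemes than the DES and MD5 ones the thread mentions.

```python
import re

# crypt(3) setting prefixes (general crypt(3) knowledge; the thread itself
# only mentions the traditional DES scheme and the MD5-based one).
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    if field == "":
        return ("empty", False)            # no password required at all
    locked = field.startswith("!")         # '!' prefix: password locked
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("no-login", locked)        # no hash can ever match
    for prefix, scheme in PREFIXES.items():
        if body.startswith(prefix):
            return (scheme, locked)
    return ("des" if DES_RE.match(body) else "unknown", locked)

def audit(lines, wanted="md5crypt"):
    """List (user, scheme) for accounts whose hash is not in the wanted scheme."""
    findings = []
    for line in lines:
        if ":" not in line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, _locked = classify_hash(field)
        if scheme not in (wanted, "no-login"):
            findings.append((user, scheme))
    return findings

# Constructed sample in shadow(5) layout; the hashes are made-up strings.
SAMPLE = """\
root:$1$Cnstrctd$0123456789abcdefghijkl:14356:0:99999:7:::
alice:abJnggxhB/yWI:14000:0:99999:7:::
bob:!$1$Cnstrctd$abcdefghijkl0123456789:14356:0:99999:7:::
daemon:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE.splitlines()):
        print(f"{user}: {scheme}")
```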