On Wed, Apr 22, 2009 at 10:07 PM, Martin <inkubus@xxxxxxxxxxxxxxxx> wrote:
> <snip>
>> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
>> >> (etc/sysconfig/authconfig) would be enough as the first step.
>> > Shadow passwords and using the MD5 based version of crypt are both good
>> > ideas and an improvement - whether they will be enough rather depends on
>> > your security policy.
>> >
>> [Pavan] I consider this change as my first step. I have to enable
>> symmetrically encrypted passwords (which can be decrypted and used for
>> other purposes)
> Such as? Passwords should only be used for authentication. Reusing the
> same token for something else increases the risk of them being
> compromised. Keeping passwords hashed is sufficient to perform
> authentication and acts as an extra layer of defense should the password
> file / database be compromised.
>
[Pavan] Not sure, but something like single sign-on or communicating with redundant systems,
>> which are used on all the interfaces (telnet, ssh,
>> ftp, ...) for authentication.
> This is what PAM is for.
>
>> I am trying to figure out if this can be achieved easily using the
>> pam_unix module. I will investigate this further and let you know my
>> findings.
> It can't. It wasn't designed to do that. It was designed to use hashes
> rather than reversible encryption for a good reason.
[Pavan] I will think more on this.
>
> Cheers,
> - Martin
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
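As an added example (not part of the thread, and not code from PAM or pam_unix), a small Python audit of the first step discussed above: it reads constructed sample /etc/passwd and /etc/shadow contents and reports accounts whose hash pwconv has not yet moved into the shadow file, or whose shadow entry still carries traditional DES crypt, an empty password or an unrecognised scheme. The sample entries, the hash strings and the prefix-to-scheme table are assumptions made for this example.

```python
import re
# Constructed sample /etc/passwd and /etc/shadow contents (not from a real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
legacy:AbCdEfGhIjKlM:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/lib/svc:/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/sh
"""
SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:14000:0:99999:7:::
alice:$6$saltsalt$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:14000:0:99999:7:::
svc:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
"""
# Prefix of a crypt(3) hash field and the scheme it denotes (assumed table).
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"descrypt", "empty", "unknown"}

def classify(field):
    """Name the hashing scheme used in one password field."""
    if field == "":
        return "empty"      # no password at all: login succeeds without one
    if field[0] in "*!":
        return "locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"   # traditional DES crypt: 13 chars, 8-char password limit
    return "unknown"

def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for accounts that fail the first step the
    thread discusses: hash moved to /etc/shadow, MD5-crypt or stronger in use."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if l)
    findings = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        user, field = line.split(":")[:2]
        if field != "x":    # pwconv has not moved this hash into /etc/shadow
            findings.append((user, "not shadowed (%s in passwd)" % classify(field)))
            continue
        scheme = classify(shadow.get(user, ""))  # missing entry reads as empty
        if scheme in WEAK:
            findings.append((user, scheme))
    return findings
```

Run against the samples, it flags `legacy` (DES hash still in the world-readable passwd file) and `guest` (empty shadow field), while the md5crypt, sha512crypt and locked accounts pass.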