Re: crypt function mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Wed, Apr 22, 2009 at 10:07 PM, Martin <inkubus@xxxxxxxxxxxxxxxx> wrote:
> <snip>
>> >> I think enabling shadow passwds(using pwconv) and MD5 hashes
>> >> (etc/sysconfig/authconfig) would be enough as the first step.
>> > Shadow passwords and using the MD5 based version of crypt are both
>> good
>> > ideas and an improvement - whether they will be enough rather
>> depends on
>> > your security policy.
>> >
>> [Pavan] I consider this change as my first step. I have to enable
>> symmetrically encrypted passwords (which can be decrypted and use for
>> other purposes)
> Such as?  Passwords should only be used for authentication.  Reusing the
> same token for something else increases the risk of them being
> compromised.  Keeping passwords hashed is sufficient to perform
> authentication and acts as an extra layer of defense should the password
> file / database be compromised.
[pavan] not sure but something like single-signon or communicating
with redundant systems,
>>  which are used on all the interfaces (telnet, ssh,
>> ftp,..) for authentication.
> This is what PAM is for.
>> I am trying to figure out, if this can be achieved easily using
>> pam_unix module. I will investigate this further and let you know my
>> findings.
> It can't.  It wasn't designed to do that.  It was designed to use hashes
> rather than reversible encryption for a good reason.
[Pavan] I will think more on this
> Cheers,
>  - Martin
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux