> On Wed, Apr 22, 2009 at 10:07 PM, Martin <inkubus@xxxxxxxxxxxxxxxx> wrote:
>
> <snip>
>
>> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
>> >> (etc/sysconfig/authconfig) would be enough as the first step.
>> > Shadow passwords and using the MD5 based version of crypt are both good
>> > ideas and an improvement - whether they will be enough rather depends on
>> > your security policy.
>> >
>> [Pavan] I consider this change as my first step. I have to enable
>> symmetrically encrypted passwords (which can be decrypted and used for
>> other purposes)
> Such as? Passwords should only be used for authentication. Reusing the
> same token for something else increases the risk of them being
> compromised. Keeping passwords hashed is sufficient to perform
> authentication and acts as an extra layer of defense should the password
> file / database be compromised.
>
> [pavan] not sure but something like single-signon

This is authentication. You can do this via PAM or things like Kerberos.
Personally I like the pam_ssh approach. Effectively you want the password
to grant some kind of temporary authorisation token and then use this for
subsequent authorisations.

> or communicating with redundant systems,

Probably best done at system level (invisibly to users) or using something
like single sign on, SSH keys, etc.

What problem are you trying to solve? If you're doing this for fun / as a
learning exercise then there are, IMHO, more useful things that could be
done with PAM / authentication / crypto.

Cheers,
- Martin

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
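As an added illustration of the point Martin makes above (example code written for this page, not taken from the thread, from PAM or from the shadow utilities): a password store in the style of /etc/shadow after pwconv, where each record holds only a salt and a one-way digest. Such a file supports authentication by recomputation but cannot be "decrypted", which is what makes hashing a defence should the file leak, and what makes it unsuitable as a reusable token. The record layout (`$id$iterations$salt$digest`), the names `SCHEME_ID`, `ITERATIONS`, `make_record`, `verify` and `authenticate`, and the sample shadow lines are assumptions made for this example; PBKDF2-HMAC-SHA256 from the standard library stands in for the MD5-based crypt discussed in the thread.

```python
"""Shadow-style password storage with a salted one-way digest.

Added example, not part of the Pam-list thread or of any PAM/shadow tool.
Record format, identifiers and sample data are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import List, Optional

SCHEME_ID = "pbkdf2-sha256"   # assumed identifier, in the spirit of crypt's "$1$" prefix
ITERATIONS = 200_000          # work factor; raise it for production use


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way digest and format it as a single shadow-style field.

    A fresh random salt makes identical passwords produce different records,
    so guessing one user's password reveals nothing about another user's.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"${SCHEME_ID}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate password and compare in constant time.

    There is no inverse operation: a stored record lets the verifier confirm
    or reject a candidate password, and nothing more.
    """
    try:
        _, scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME_ID:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: never authenticate on a parse failure


def authenticate(username: str, password: str, shadow_lines: List[str]) -> bool:
    """Look a user up in /etc/shadow-style lines ("name:hash:...") and verify.

    A hash field of "!" or "*" marks a locked account, as in the real file.
    An empty field is refused here too, rather than granting passwordless login.
    """
    for line in shadow_lines:
        fields = line.split(":")
        if fields[0] != username:
            continue
        stored = fields[1] if len(fields) > 1 else ""
        if stored in ("", "*") or stored.startswith("!"):
            return False
        return verify(password, stored)
    return False  # unknown user


# Constructed sample data, analogous to lines in /etc/shadow after pwconv.
SHADOW_LINES = [
    "pavan:" + make_record("correct horse battery") + ":14356:0:99999:7:::",
    "martin:" + make_record("hunter2") + ":14356:0:99999:7:::",
    "locked:!:14356:0:99999:7:::",
]

if __name__ == "__main__":
    print(SHADOW_LINES[0])
    print(authenticate("pavan", "correct horse battery", SHADOW_LINES))  # True
    print(authenticate("pavan", "hunter2", SHADOW_LINES))                # False
    print(authenticate("locked", "anything", SHADOW_LINES))              # False
```

Note that `verify` never returns the password and has no decrypt counterpart: anything else that needs to act on the user's behalf (single sign-on, talking to a redundant system) has to be handed a separate, short-lived token after this check succeeds, which is the division of labour Martin describes.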