[GLLUG] proftd and PAM

Melson, Paul PMelson@sequoianet.com
Mon, 29 Jul 2002 09:30:23 -0400

For all intents and purposes, this is no longer the case.  In older UNIX
systems, the DES hashes were stored in the /etc/passwd file and were
readable by any user on the system.  It used to be that any dunce with a
copy of Crack could download this file and run a brute-force attack
against it to identify passwords.

In most modern UNIX systems (Linux and BSD very much included), shadow
passwords are used.  The /etc/passwd file still contains the login,
default shell, home directory, and GECOS info for all of your users, but
the password hash is missing.  Instead, it's stored in a file (typically
/etc/shadow) that is only readable by root.  If you can't read the
hashes, you can't crack them.  If you're already root, you don't need to
crack them.

You can use PAM to enhance your password security in other ways, though.
You can use the pam_cracklib or pam_pwdb module to enforce password
standards and prevent users from choosing weak passwords.  PAM has lots
of other modules that can be used to increase user/login security.  And,
of course, if it's a larger environment (say, NDS or AD), you can use
PAM to authenticate your users to the directory via LDAP or RADIUS and
let the directory manage your password policies for your Linux systems
as well.


-----Original Message-----
From: Ex Fed [mailto:exfed@hotmail.com]
Sent: Monday, July 29, 2002 8:54 AM
To: linux-user@egr.msu.edu
Subject: [GLLUG] proftd and PAM

From what I understand, given the contents of /etc/passwords, it is
for an individual to use this information, along with crypt and a
or a brute force attempt to figure out what are your passwords.

Does PAM provide us with greater security (does it still use
or shadow passwords, and is it easy to configure with most software that
supports it?
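
An added example (not part of the original messages): a Python audit for the shadow-password layout described in the reply above. It flags passwd(5) entries that still carry a hash or an empty password field, and checks that the shadow file is closed to other users. The sample entries, the hash-like string, and the function names are constructed for illustration.

```python
import os
import stat

# Field values that mean "no hash stored here": x = see the shadow file,
# * / ! / !! = locked account.
PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample in passwd(5) format; "aaEXAMPLEHASH" is a made-up
# 13-character stand-in for a legacy DES crypt hash, not a real one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:aaEXAMPLEHASH:1001:1001:Old account:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
"""


def audit_passwd(text):
    """Return (login, finding) pairs for entries that bypass shadowing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Skip blanks, comments and NIS compat (+/-) entries.
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        login, pw = fields[0], fields[1]
        if pw == "":
            findings.append((login, "empty password field"))
        elif pw not in PLACEHOLDERS:
            findings.append((login, "hash in world-readable file"))
    return findings


def shadow_mode_ok(path):
    """True if 'other' has no access and the group cannot write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXO | stat.S_IWGRP) == 0


if __name__ == "__main__":
    for login, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{login}: {finding}")
    # On a live system: audit_passwd(open("/etc/passwd").read())
    # and shadow_mode_ok("/etc/shadow").
```

The mode check tolerates group read because some distributions give a dedicated group read access to the shadow file; tighten the mask if yours does not.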

