TODO + Changelog

Thomas 'Balu' Walter tw at
Tue Aug 1 15:04:24 PDT 2000

+-Avery Fay-(afay at[01.08.00 22:19]:
> > +-Avery Fay-(afay at[28.07.00 04:31]:
> > [shadowed-password-system]
> > > However, I don't think it is needed.
> >
> > Hell no. Shadow password should be standard on _all_ unix-systems. If
> > you ever were owned by a hacker you will think this over - really...
> >
> > Shadow-passwords are not _the_ anti-hacker-"tool", but they help make
> > the system a little more secure.
> Well, I'm about to get DSL and set up a firewall that only allows incoming
> connections through port 443 (ssh).

The problem is not the secure connection, but the people with accounts
_on_ your server...

> So... I'm really not too worried about
> the lack of shadow passwords on my machine. Anyway, I think it's more secure
> to not let anyone get onto your machine in the first place rather than
> having to hide passwords in a different file. 

Of course - but many people need to have accounts for other people on
their machine (I just imagine my little brother trying to get my
data... ;)

> Also, shadow passwords won't
> do a thing for programs like most versions of telnet and ftp that send
> passwords in the clear.

Of course not - that's what scp, ssh or SPOP (securepop) are for...

If your machine had any remote exploit that made it possible
for a hacker to log in (without getting root, because your programs don't
run suid root), he would be able to steal your password very easily...
And do you use different passwords for all your accounts?

Even if LFS is not meant to be a secure system - I think it is a must
for a Linuxie to know about and use shadow-passwords...
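
Added example, not part of the original message: without shadowing, password hashes sit in /etc/passwd, which every local account can read. The Python below audits passwd-format text for exposed hashes and empty passwords and checks the mode bits of the shadow file; the function names and the sample accounts are assumptions constructed for illustration.

```python
import os
import stat

# Constructed passwd(5)-format sample; accounts and hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
balu:Xy7aBcD1eFgH2:1000:1000:constructed:/home/balu:/bin/bash
guest::1001:1001:constructed:/home/guest:/bin/bash
ftp:*:14:50:constructed:/var/ftp:/bin/false
broken-line-without-fields
"""

def classify_password_field(field):
    """Classify field 2 of a passwd line."""
    if field == "x":
        return "shadowed"        # hash is kept in /etc/shadow
    if field == "":
        return "empty"           # account has no password at all
    body = field.lstrip("!")     # a leading "!" only locks the entry
    if body == "" or body.startswith("*"):
        return "locked"          # no hash present, nothing to crack
    return "hash-exposed"        # hash readable by every local user

def audit_passwd(text):
    """Return (line number, user, problem) for each risky or bad line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, None, "malformed"))
            continue
        status = classify_password_field(parts[1])
        if status in ("empty", "hash-exposed"):
            findings.append((lineno, parts[0], status))
    return findings

def shadow_mode_is_safe(mode):
    """The shadow file must not be readable or writable by 'other'."""
    return (mode & (stat.S_IROTH | stat.S_IWOTH)) == 0

if __name__ == "__main__":
    path = "/etc/passwd"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PASSWD
    for finding in audit_passwd(text):
        print(finding)
    if os.path.exists("/etc/shadow"):
        print("shadow mode safe:", shadow_mode_is_safe(os.stat("/etc/shadow").st_mode))
```

A locked entry that still carries a hash after the "!" is reported as exposed, because the hash remains readable even though login is disabled.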


More information about the lfs-dev mailing list