TODO + Changelog

Avery Fay afay at ultranet.com
Tue Aug 1 16:53:46 PDT 2000


> The problem is not the secure connection, but the people with accounts
> _on_ your server...

Yes, shadow passwords do make a machine that has multiple users more secure.

> If your machine got any remote exploit that makes it possible
> for a hacker to login (and not getting root, because your programs don't
> run suid root) he would be able to steal your password very easily...

There are alternatives to shadow passwords though. For example, make the
passwd program very strict about what passwords people can choose (i.e.,
at least 1 number, at least 1 non-alphanumeric symbol, at least 8 characters).
Then, even if someone does gain access to the passwd file, they can't really
get very far without incredibly powerful computers to hash random passwords
and test them against the passwd file.

Anyway, I understand your point. Shadow passwords have their place on
servers because most users will pick bad passwords (in the dictionary) and
will complain if you force them to choose good passwords.

Avery Fay






--
Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
"unsubscribe" (without the quotation marks) in the body of the message
(no subject is required)
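
The password rules named in the message above (at least 8 characters, one number, one non-alphanumeric symbol), written as a checker; this is an added example, not part of the original post. The dictionary check for the "bad passwords (in the dictionary)" case, the function names, and the sample word list are assumptions constructed here.

```python
import string

# Constructed sample word list; a real deployment would load a system
# dictionary file instead (assumption, not from the original post).
SAMPLE_WORDS = {"password", "welcome", "dragon", "linux", "secret"}

MIN_LENGTH = 8  # "at least 8 characters" from the message


def policy_violations(password, words=SAMPLE_WORDS):
    """Return a list of reasons the password is rejected (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric symbol")
    # Dictionary check: strip digits and symbols from both ends and compare
    # the remaining core, lowercased, against the word list. This catches
    # choices that satisfy the three composition rules but are still a
    # dictionary word with characters attached.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in words:
        problems.append("dictionary word with digits/symbols attached")
    return problems


def check_all(candidates):
    """Map each candidate password to its list of violations."""
    return {pw: policy_violations(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates for illustration.
    for pw, problems in check_all(
        ["linux", "Password1!", "tr4il-Mix&gate"]
    ).items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```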


