[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [newbie] Shasow passwords on rhl5.2
> Hi.
>
> I'm incharge my school's webserver (runnig rhl5.2).
> Lately a suggestion was maid to let students and teachers have accounts
> by request,
> in oreder to maintain their home pages,
> and "experience unix". :-)
>
> Anyway,
> for that matter i decided it's time to boost security up a notch,
> and starting with shadow passwords.
> I'm affraid many "cracker-wannabe's" will get the /etc/passwd file,
> and use a cracker to extract passwords out of it. (possibly root the
> server).
>
> So naturally i checked the shadow passwords howto.
> however it is outdated and assumes that distribusions does not come with
> shadow passwords.
> Redhat, however seems to have shadow, since a man page can be found (2
> of them actually).
Yes it comes with everything you need for this.
>
>
> so, my question is,
> how do i set shadow passwords on redhat?
> do i need to get shadow-utils, compile and install,
> or will it fuck up the existing shadow, and make a big mess?
> I want to do it smooth and clean.
Just log in as root at the console and type pwconv. This pull all your
password info from the /etc/passwd file and place it in /etc/shadow. The
/etc/shadow file will be read only by root so its contents are safe for as
long as your root password is secure. Also, now that you have converted to
shadow passwords you will have the ability to do other things like password
ageing.
While you are thinking about security, you should probably hit RH's site and
check the errata for 5.2. I know for sure they have some rpm's to update a
big ugly buffer overflow problem in the ftp server that ships with RH 5.2.
There probably are some other fixes. Nothing defeats your shadow password
scheme better than someone gaining root access through some sort of buffer
overflow (ughh!).
>
>
> another question is,
> should i bother?
> is it that easy to extract passwords out of /etc/passwd?
> (no dictionary words, gibrish password)
> from how i understood it /etc/passwd contains the "salt" and thus
> decryption of the password is rather easy.
> but is it a long process?
Just download the latest and greates version of crack from the net (I think
RH 5.2 ships with it) and run it against your /etc/passwd file. Some
sysadmins do this just to check their user's passwords. RH 5.2 uses PAM
(Pluggable Authentification Modules) and I believe by default it uses the
PAM crack module when changing passwords to ensure the users pick "good"
passwords.
>
>
> another question,
> is what other things should i do to secure the box?
> (which is basicly a rhl5.2 with 2.2.0 kernel)
> the students are pretty dumb (understatment) regarding unix, cracking,
> etc.
> (they think backorifice/netbus is hacking)
> but passwd crackers and security exploits can be found anywhere on warez
> sites, and such.
> do i need to worry?
>
Yeah, but probably not from your students. There are people out there who
would love to break into your system, if just to use it as a place to launch
an attack on another system. If you have a large amount of bandwidth (T1 or
greater) that's an even better target, as it offers more bandwidth to stage
a TCP SYN Flood attack. Unfortunately, too many people ignore:
V'Ahavta L'reicha Kamocha Ani ''
Shalom...james