Re: crypt function mode
- From: Thorsten Kukuk <kukuk suse de>
- To: pam-list redhat com
- Subject: Re: crypt function mode
- Date: Wed, 22 Apr 2009 07:40:42 +0200
On Wed, Apr 22, Sudarshan Soma wrote:
> On Wed, Apr 22, 2009 at 2:48 AM, Martin <inkubus interalpha co uk> wrote:
> > On Sun, 2009-04-19 at 12:00 -0400, pam-list-request redhat com wrote:
> >> >> Hi All,
> >> >> Can anyone please let me know what block cipher mode (Electronic
> >> >> Codebook Mode (ECB), Cipher Block Chaining Mode (CBC), ...)
> >> >> does the crypt function used in pam_unix use?
> >> > It doesn't. These are for symmetric encryption, the crypt function uses
> >> > them as a one way hash (that's why the later versions use MD5).
> >> >
> >> [Pavan] Thanks Martin. I was a bit confused when it says that crypt uses
> >> a modified form of the DES algorithm
> >> (http://en.wikipedia.org/wiki/Crypt_(Unix)#Modifications_of_the_traditional_scheme).
> >>
> >> So these cipher modes are not applicable for storing/verifying
> >> passwords using crypt.
> > No - they are a tool for a different job.
> >
> >> My requirement is to make passwds more secure.
> > More secure against what? Security is not a linear variable. The
> > storage format of the password hashes is almost certainly not the
> > weakest link in the chain.
> >
> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
> >> (etc/sysconfig/authconfig) would be enough as the first step.
> > Shadow passwords and using the MD5 based version of crypt are both good
> > ideas and an improvement - whether they will be enough rather depends on
> > your security policy.
> >
> [Pavan] I consider this change as my first step. I have to enable
> symmetrically encrypted passwords (which can be decrypted and used for
> other purposes) which are used on all the interfaces (telnet, ssh,
> ftp, ...) for authentication.
> I am trying to figure out, if this can be achieved easily using
> pam_unix module. I will investigate this further and let you know my
> findings.
Code for symmetrically encrypted passwords doesn't exist; you have to
implement something on your own.
You need to look at the system crypt() function for this.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
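
An added illustration of the point made in the thread, not code from the list, from pam_unix or from glibc: the MD5-based crypt scheme ("$1$") written out in Python, showing that it is a salted, iterated one-way hash with no cipher mode and no decrypt operation, so a login is checked by re-hashing the candidate with the stored salt. The names `md5_crypt`, `verify` and `STORED` are chosen for this example, and the password and salt are constructed sample values.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """MD5-based crypt ("$1$" scheme): a salted, iterated one-way hash."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    # Mix in the alternate digest, len(password) bytes of it in total.
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # One byte per bit of the password length: NUL if set, else first byte.
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    digest = ctx.digest()
    # 1000 rounds of re-hashing; there is no key and nothing to invert.
    for i in range(1000):
        h = hashlib.md5(password if i & 1 else digest)
        if i % 3:
            h.update(salt)
        if i % 7:
            h.update(password)
        h.update(digest if i & 1 else password)
        digest = h.digest()
    # Encode the 16 digest bytes in crypt's own base-64 alphabet.
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = digest[a] << 16 | digest[b] << 8 | digest[c]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[digest[11] & 0x3F], ITOA64[digest[11] >> 6]]
    return "$1$" + salt.decode() + "$" + "".join(out)

def verify(candidate: bytes, stored: str) -> bool:
    """Check a login attempt by re-hashing with the salt from the stored entry."""
    salt = stored.split("$")[2].encode()
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)

# Constructed sample entry, in the form used for the hash field of /etc/shadow.
STORED = md5_crypt(b"password", b"xxxxxxxx")
```

The stored string carries the scheme id and the salt in the clear; only the final field depends on the password, and the only way to test a guess is to run the whole computation again.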