Re: crypt function mode
- From: Martin <inkubus interalpha co uk>
- To: pam-list redhat com
- Subject: Re: crypt function mode
- Date: Wed, 22 Apr 2009 17:37:36 +0100
<snip>
> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
> >> (etc/sysconfig/authconfig) would be enough as the first step.
> > Shadow passwords and using the MD5 based version of crypt are both good
> > ideas and an improvement - whether they will be enough rather depends on
> > your security policy.
> >
> [Pavan] I consider this change as my first step. I have to enable
> symmetrically encrypted passwords (which can be decrypted and used for
> other purposes)
Such as? Passwords should only be used for authentication. Reusing the
same token for something else increases the risk of them being
compromised. Keeping passwords hashed is sufficient to perform
authentication and acts as an extra layer of defense should the password
file / database be compromised.
> which are used on all the interfaces (telnet, ssh,
> ftp,..) for authentication.
This is what PAM is for.
> I am trying to figure out, if this can be achieved easily using
> pam_unix module. I will investigate this further and let you know my
> findings.
It can't. It wasn't designed to do that. It was designed to use hashes
rather than reversible encryption for a good reason.
Cheers,
- Martin
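
As an added illustration, not part of the original message or of pam_unix: a small Python audit that reads shadow-format entries and reports which crypt(3) mode each stored hash uses, so entries still on traditional DES crypt can be found after switching to the MD5-based mode discussed above. The sample entries, the `classify` and `audit` names, and the default policy are assumptions made for this example.

```python
# Added example: classify the crypt(3) scheme of each shadow-format entry.
# SAMPLE_SHADOW is constructed data; its salts and hashes are placeholders.
import re

# Modular crypt format prefixes ($id$salt$hash) used by glibc / libxcrypt.
SCHEMES = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256", "6": "sha512", "y": "yescrypt"}
# Traditional DES crypt: 2-character salt followed by 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:14356:0:99999:7:::
alice:$1$CONSTRSLT$CONSTRUCTEDHASH:14356:0:99999:7:::
bob:abCONSTRUCTED:14356:0:99999:7:::
daemon:*:14356:0:99999:7:::
carol:!$1$CONSTRSLT$CONSTRUCTEDHASH:14356:0:99999:7:::
guest::14356:0:99999:7:::
"""

def classify(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    locked = field.startswith("!")       # a leading '!' marks a locked account
    body = field.lstrip("!")
    if body == "":
        return ("locked-no-hash" if locked else "empty", locked)
    if body == "*":
        return ("no-login", locked)
    if body.startswith("$"):
        ident = body.split("$")[1]       # text between the first two '$'
        return (SCHEMES.get(ident, "unknown"), locked)
    if DES_RE.match(body):
        return ("des", locked)
    return ("unknown", locked)

def audit(shadow_text, weak=("des", "empty")):
    """Map account -> (scheme, locked); list accounts whose scheme is in `weak`.

    `weak` is the site policy (an assumption here); add "md5" to tighten it.
    """
    report, flagged = {}, []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        report[parts[0]] = classify(parts[1])
        if report[parts[0]][0] in weak:
            flagged.append(parts[0])
    return report, flagged
```

Only the scheme prefix and salt are read; nothing here recovers a password, which is the property of hashed storage the reply above relies on.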