Re: crypt function mode
- From: Sudarshan Soma <sudarshan12s gmail com>
- To: Pluggable Authentication Modules <pam-list redhat com>
- Subject: Re: crypt function mode
- Date: Thu, 23 Apr 2009 14:15:39 +0530
On Wed, Apr 22, 2009 at 10:07 PM, Martin <inkubus interalpha co uk> wrote:
> <snip>
>> >> I think enabling shadow passwds (using pwconv) and MD5 hashes
>> >> (etc/sysconfig/authconfig) would be enough as the first step.
>> > Shadow passwords and using the MD5 based version of crypt are both good
>> > ideas and an improvement - whether they will be enough rather depends on
>> > your security policy.
>> >
>> [Pavan] I consider this change as my first step. I have to enable
>> symmetrically encrypted passwords (which can be decrypted and used for
>> other purposes)
> Such as? Passwords should only be used for authentication. Reusing the
> same token for something else increases the risk of them being
> compromised. Keeping passwords hashed is sufficient to perform
> authentication and acts as an extra layer of defense should the password
> file / database be compromised.
>
[pavan] not sure but something like single sign-on or communicating
with redundant systems,
>> which are used on all the interfaces (telnet, ssh,
>> ftp,..) for authentication.
> This is what PAM is for.
>
>> I am trying to figure out, if this can be achieved easily using
>> pam_unix module. I will investigate this further and let you know my
>> findings.
> It can't. It wasn't designed to do that. It was designed to use hashes
> rather than reversible encryption for a good reason.
[Pavan] I will think more on this
>
> Cheers,
> - Martin
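The point made in the thread, that a stored hash is enough to authenticate and never needs to be decrypted, shown as an added example that is not part of the original message or of pam_unix. It assumes PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for the crypt(3) schemes discussed; the `$scheme$iterations$salt$digest` record layout, the function names and the work factor are illustrative choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 200_000        # assumed work factor for this example
MAX_ITERATIONS = 10_000_000  # refuse absurd stored costs
SCHEME = "pbkdf2-sha256"    # label used only by this example's record format


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Return a crypt-style record: $scheme$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per enrollment
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"${SCHEME}${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(candidate, record):
    """Re-derive the digest from the candidate with the stored salt and cost,
    then compare in constant time. The stored password is never recovered."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed, locked ("!" / "*") or foreign-format entry
    if scheme != SCHEME or not 1 <= rounds <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password("correct horse", record))
    print(verify_password("wrong guess", record))
```

The record holds everything verification needs (scheme, cost, salt, digest), so there is no key to protect and no decrypt path for someone who obtains the password file.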