Password security - Another idea

Mark A. Heilpern heilpern at ibd.BRL.MIL
Fri Jan 6 23:29:13 AEST 1989


In article <2629 at ficc.uu.net> peter at ficc.uu.net (Peter da Silva) writes:
>Because open passwords let users write utility programs that verify who you
>are.  If the password file is hidden, you need to provide a password
>verification server.

1) Why must "normal" users implement this function? Surely, in the case of
   a Shadow password file, a setuid-to-root program will have the needed
   access, no?

2) Assuming a shadow password file boosts security to the Nth degree,
   the getuid() call should be verification enough. Additionally, if
   there is no increase in security, the password will have been breached,
   and the fraudulent user will already know the password.

2a) Unless the real user just walks away from a logged-in terminal, but
    that is another issue.

-- 
 |\/|         |
 |  |   _     |<
/    \_(_(_)\_/ \______


