Password security - Another idea
Steven M. Bellovin
smb at ulysses.homer.nj.att.com
Tue Jan 3 12:51:55 AEST 1989
In article <2803 at cbnews.ATT.COM>, res at cbnews.ATT.COM (Robert E. Stampfli) writes:
> Can anyone think of a good reason why either of the following should not be
> done on systems that employ a shadow password file:
>
> 1. Provide a program which returns the encrypted version of the password
> for the uid (or euid) that invokes it.
I see no reason to make this available; provide a server which checks
for a match instead.
> 2. Provide a program, similar to "passwd", which modifies the encrypted
> password in the /etc/passwd file, like the original version of the
> passwd command did.
>
> Both of these, it would seem to me, would be useful in writing things like
> terminal lock programs (case 1),
terminal lock programs are a great way for me to break into your account.
> or programs that run set-uid to one account
> to allow users the ability to do something with files owned by that account,
> provided they possess the "public" password (case 2).
in which case I may just crack on your ``public'' password. Besides,
if I need that I can implement my own file which will be private as well,
and even allow me to have different ``public passwords'' for different
users. I don't see the benefit of a system-level version. And if your
setuid program that lets me ``do something'' to your files isn't good
enough....
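
The match-checking server suggested in the reply above, sketched as an added example that is not part of the original post: the caller gets only a yes/no answer, never the stored hash, and repeated wrong guesses are throttled. The names `enroll` and `check_match`, the in-memory store, the PBKDF2 parameters and the lockout values are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a root-only shadow file: uid -> (salt, derived key).
_SHADOW = {}
# uid -> (consecutive failures, time of last failure)
_FAILS = {}
MAX_FAILS = 3            # assumed policy values, not from the post
LOCKOUT_SECONDS = 30.0

def _derive(password, salt):
    # PBKDF2 stands in here for whatever one-way function the system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(uid, password):
    """Privileged side only: store a salted derived key for uid."""
    salt = os.urandom(16)
    _SHADOW[uid] = (salt, _derive(password, salt))

def check_match(caller_uid, candidate, now=None):
    """Return True/False for the caller's own uid; the hash never leaves.

    caller_uid is assumed to come from the operating system (the identity
    of the connecting process), not from anything the client sends.
    """
    now = time.monotonic() if now is None else now
    fails, last = _FAILS.get(caller_uid, (0, 0.0))
    if fails >= MAX_FAILS:
        if now - last < LOCKOUT_SECONDS:
            return False          # throttled: the guess is not evaluated
        fails = 0                 # lockout expired, start counting again
    # Unknown uids still cost one derivation, so timing reveals little.
    salt, stored = _SHADOW.get(caller_uid, (b"\0" * 16, b""))
    ok = hmac.compare_digest(_derive(candidate, salt), stored)
    if ok:
        _FAILS.pop(caller_uid, None)
    else:
        _FAILS[caller_uid] = (fails + 1, now)
    return ok
```

A terminal lock program written against `check_match` can confirm the user's password without being able to read, copy or leak the stored value.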