Gentoo Archives: gentoo-security

From: Stuart Howard <stuart.g.howard@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] PAM/passwd? and hash tables
Date: Tue, 15 Nov 2005 20:00:48
In Reply to: Re: [gentoo-security] PAM/passwd? and hash tables by

Thanks for the replies

I have done some further reading on the matter and seem to have come
across a paradox of sorts.
What got me interested was an article claiming that the hash
tables may be used for "evil" purposes, but it was pointed out to me
that without the hash you have no comparison, so what use is a hash
table? Indeed, you would also have had to gain access to the
/etc/shadow file to get the hash, and since that requires root
privilege it would seem you already have a larger problem than
losing a password to clear text.
Of course I am only thinking of a remote login via 22 as that is what
primarily concerns me at the moment. So in short it seems I am safe
with my system as it is for now.


ps on a side note
National Bureau of Standards Data Encryption Standard

On 15/11/05, stian@×××××.no <stian@×××××.no> wrote:
> > Fields are separated by a semicolon. So in the first one you have the
> > username, and in the second one there is the encrypted password but
> > this field is again separated in three new fields by a $ sign. So the
> > first one (1 in this case) is the encryption algorithm used (I'll have
>
> $1$ means MD5 (with salt). glibc crypt() function also reflects this. If
> the salt format doesn't match $1$xxxxxxx$ format, DES encryption is
> assumed, which has a very weak salt.
>
>
> Stian Skjelstad
> --
> gentoo-security@g.o mailing list
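
An added example, not part of the original thread: a small audit that reads lines in the shadow(5) layout (colon-separated fields) and reports accounts whose password field uses the schemes discussed above, traditional DES or `$1$` MD5, or is empty. The sample data is constructed with placeholder hashes, the function names are hypothetical, and the scheme ids other than `$1$` go beyond what the thread mentions.

```python
import re

# Constructed sample in shadow(5) layout; hash values are placeholders.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijk.:13102:0:99999:7:::
alice:ab0123456789A:13102:0:99999:7:::
bob:$6$saltsalt$placeholderplaceholderplaceholder:13102:0:99999:7:::
daemon:*:13102:0:99999:7:::
carol:!$1$abcdefgh$0123456789abcdefghijk.:13102:0:99999:7:::
dave::13102:0:99999:7:::
"""

# crypt(3) modular-format ids -> (scheme name, flagged as weak)
SCHEMES = {
    "1": ("MD5-crypt", True),
    "2a": ("bcrypt", False),
    "5": ("SHA-256-crypt", False),
    "6": ("SHA-512-crypt", False),
}
# Traditional DES crypt: 2 salt chars + 11 hash chars, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Return (scheme, weak, locked) for the password field of one entry."""
    if field == "":
        return ("empty password", True, False)
    locked = field.startswith(("!", "*"))
    body = field.lstrip("!*")
    if body == "":
        return ("no password login", False, True)
    if body.startswith("$"):
        parts = body.split("$")          # ['', id, salt, hash]
        if len(parts) >= 4:
            name, weak = SCHEMES.get(parts[1], ("unknown id " + parts[1], True))
            return (name, weak, locked)
        return ("malformed", True, locked)
    if DES_RE.match(body):
        return ("traditional DES", True, locked)
    return ("unrecognized", True, locked)

def audit(text):
    """List (user, scheme) for usable accounts with a weak password field."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme, weak, locked = classify(fields[1])
        if weak and not locked:
            findings.append((fields[0], scheme))
    return findings

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW):
        print(f"{user}: {scheme}")
```

On a real system the input would be the contents of /etc/shadow, which only root can read.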
