Gentoo Archives: gentoo-security

From: "Richard M. Conlan" <gentoo@××××××××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] PAM/passwd? and hash tables
Date: Wed, 16 Nov 2005 02:25:32
Message-Id: 437A9602.8030703@embracetherandom.com
In Reply to: Re: [gentoo-security] PAM/passwd? and hash tables by Stuart Howard
1 But many vulnerabilities are information disclosure in nature and can
2 allow for the capture of the shadow file without also allowing for the
3 creation of a root session. That is part of *why* password cracking, and
4 hence the hash tables, are a problem. This is the same argument that is
5 used to declaim the weakness of Windows passwords - because there is no
6 salt the hash table is small enough that people have claimed the ability
7 to brute-force the whole table in twelve seconds.
8
9 Also, if they can get to some lesser account they can try the hash table
10 against su or some such, unless you have accounts lock out after too
11 many bad passwords, etc.
12
13 Regards,
14
15 Richard M. Conlan
16
17 Stuart Howard wrote:
18 > Thanks for the replies
19 >
20 > I have done some further reading on the matter and seem to have come
21 > across a paradox of sorts.
22 > What got me intersted was that an article claiming that the hash
23 > tables may be used for "evil " purposes but it was pointed out to me
24 > that without the hash you have no comparison so what use is a hash
25 > table, indeed you would also have had to gain access to the
26 > /etc/shadow file to get the hash and since that requires root
27 > priviledge it would seem you allready have a larger problem than
28 > losing a password to clear text.
29 > Of course I am only thinking of a remote login via 22 as that is what
30 > primarily concerns me at the moment. So in short it seems I am safe
31 > with my system as it is for now.
32 >
33 > stu
34 >
35 > ps on a side note
36 > NBS DES
37 > National Bureau of Standards Data Encryption Standard
38 > http://www.garykessler.net/library/crypto.html#desmath
39 >
40 >
41 >
42 > On 15/11/05, stian@×××××.no <stian@×××××.no> wrote:
43 >
44 >>>Fields are separated by a semicolon. So in the first one you have the
45 >>>username, and in the second one there is the encrypted password but
46 >>>this field is again separated in three new fields by a $ sign. So the
47 >>>first one (1 in this case) is the encryption algorithm used (I'll have
48 >>
49 >>$1$ meens MD5 (with salt). glibc crypt() function also reflects this. If
50 >>the salt format doesn't match $1$xxxxxxx$ format, DES encryption is
51 >>assumed, which has a very weak salt.
52 >>
53 >>
54 >>Stian Skjelstad
55 >>--
56 >>gentoo-security@g.o mailing list
57 >>
58 >>
59 >
60 >
61 >
62 > --
63 > "There are 10 types of people in this world: those who understand
64 > binary, those who don't"
65 >
66 > --Unknown
67 >
68 --
69 gentoo-security@g.o mailing list