From: tim@leaphome.pelican.org (Tim Franklin)
Hi Jonathan,
Jonathan Hunter wrote:
: TF> If your password file has passwords in, or at least if /etc/passwd[0]
: TF> has passwords in, you're making a fundamental security mistake. Get
: TF> some form of shadow passwords installed *ASAP*. The file that
: TF> actually contains the encrypted passwords should not be readable by
: TF> anyone other than root.
: I think you misunderstood my point. If you finger a host, you do not get a list
: of all the valid users on the system! It is most unlikely, especially in a BBS
: environment, for all users to be logged on at once...
I know that. I'm referring more to your point that "any user with a shell
account can grab a copy of the password file, and get a complete list of
users".
I'm saying that if your machine has decent security, this really shouldn't be
a problem. There are so many other places that you can get valid user names
from anyway - finger will give you some at any one time, scan for news postings
from your host, check web pages for 'mailto:' links etc.
: That is why I wanted to protect my list of users (/etc/passwd) as much as
: possible. Having valid passwords in that file is not the point I was making. I
: was trying to say that if somebody knew a valid *username* then they were half
: way there.
Far from half-way there, IMHO, unless they also have the encrypted version of
the password. Brute-force attacks are preventable simply by having long
recovery periods from invalid passwords, and keeping an eye on your security
log. If it takes ten seconds from entering a bad password to receiving a new
login prompt, and each 'failed login' gets syslogged to somewhere you read, the
chances are you should spot a hacking attempt and tcp-wrap the offending box
out long before they have any chance to crack the password.
This relies on you to run 'crack' over the real (shadow) password file yourself
every once in a while to make sure none of your users have trivial passwords.
: I do have shadow passwords - I reluctantly switched over from NIS after I found
: that NIS was taking up much too much CPU time, crashing my PC every so often by
: eating up all available memory, etc etc.
NIS is the proof that not *everything* that comes out of Sun labs is worthwhile.
You have been spared from a great evil. :)
Just rdist /etc/passwd and /etc/shadow if you want distributed passwords...
Regards,
Tim.
--- FIDOGATE 4.2.9
---------------
* Origin: The Leap Home BBS - 01268 742360 - 00:00-08:00 (2:257/155.0)
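The delay-and-syslog approach Tim describes only works if somebody actually reads the log. As an added example (not from either poster), here is a small Python script that scans failed-login records in the classic login(1) syslog format, flags any source host with three or more failures inside ten minutes, and renders the matching hosts.deny lines for TCP wrappers. The log lines, host name, addresses and user names are constructed for this example, and the threshold, window and year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the classic util-linux login(1) format.
# The host name, PIDs, addresses and user names are made up for this example.
SAMPLE_LOG = """\
Oct 12 03:14:07 leaphome login[4021]: FAILED LOGIN 1 FROM 192.0.2.10 FOR jhunter, Authentication failure
Oct 12 03:14:19 leaphome login[4021]: FAILED LOGIN 2 FROM 192.0.2.10 FOR jhunter, Authentication failure
Oct 12 03:14:31 leaphome login[4021]: FAILED LOGIN 3 FROM 192.0.2.10 FOR jhunter, Authentication failure
Oct 12 03:14:44 leaphome login[4023]: FAILED LOGIN 1 FROM 192.0.2.10 FOR tim, Authentication failure
Oct 12 03:15:02 leaphome login[4025]: FAILED LOGIN 1 FROM 198.51.100.7 FOR tim, Authentication failure
Oct 12 03:15:05 leaphome login[4025]: LOGIN ON ttyp1 BY tim FROM 198.51.100.7
Oct 12 09:40:12 leaphome login[4110]: FAILED LOGIN 1 FROM 192.0.2.10 FOR jhunter, Authentication failure
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+),"
)

def parse_failures(log_text, year=1997):
    """Yield (timestamp, source, user) for each FAILED LOGIN line; year is assumed."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def offending_hosts(log_text, threshold=3, window_seconds=600):
    """Return sources with at least `threshold` failures within any `window_seconds` span."""
    by_src = defaultdict(list)
    for ts, src, _user in parse_failures(log_text):
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(src)
                break
    return sorted(flagged)

def hosts_deny_lines(log_text, **kw):
    """Render /etc/hosts.deny entries (TCP wrappers syntax) for the flagged sources."""
    return [f"ALL: {src}" for src in offending_hosts(log_text, **kw)]
```

A single failure from 198.51.100.7 followed by a successful login is left alone, while the burst from 192.0.2.10 is flagged; a stray failure hours later does not trip the window on its own.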