SUMMARY: password protection

From: Slezak L. P. (
Date: Thu Jul 20 1995 - 00:46:08 CDT

The problem:

> I have been charged with implementing the concept of
> a "shadow" password file for all our workstations.
> Our current setup:
> 1) We rely exclusively on NIS.
> 2) We run both SunOS 4.1.[3|4] and Solaris 2.4
> 3) Our current NIS master is a SunOS 4.1.3 box.
> 4) We have a smattering of AIX, HPUX and IRIX machines.
> Our needs:
> - To make the passwords inaccessible to a crack program - ie.
> any publicly readable password files
> must not contain passwords and
> any networked password files - ( read NIS passwd
> database) must not contain the passwords.
> Commercial and/or shareware/freeware solutions would be
> greatly appreciated. I could use any help as I do not know
> where to begin.

The answer to the question:

  There wasn't a very satisfactory (easy/cheap/doable)
  answer given.

  For Suns, it was suggested running C2 security on a 4.1.x machine and
  then serving out NIS.

  An alternative was running NIS+.

  Noone suggested a plan for all the platforms or would say that they
  had something working across all platforms.

  If I get the resources, I may try NIS+ across all the platforms to
  see if this works. (When all the OS's support NIS+).

Other Issues:


        We are well aware of the capability to sniff passwords off our
        network. Making the password unreachable via a shadow
        password file will not solve this
        problem. As was pointed out, passwords - encrypted or not -
        will travel the wire, can be captured and read or cracked.

        This person suggested something like SecureId. We already
        use this in a limited capacity for selected machines.
        We are scheming on implementing
        this, but I don't know if it will go anywhere.


        " That is of limited use; if someone is running a password sniffer
        an your subnet you are screwed even WITH shadow passwords (as the
        passwords go by on the network they are sniffer and emailed [or
        otherwise sent] to the cracker elsewhere. Note that Suns, as
        factory configured, are really EXCELLENT password sniffers).

         What you really want is something like skey or SecureID which
        implement "1 time passwords"; passwords that can be used only once.
        Skey is non-commercial from AT&T and you can get source for free
        (A fully open similar scheme is being worked on). The downside is
        you need a portable PC to generate the passwords (or carry a slip
        of paper with the passwords). SecureID is slicker; you carry a credit-card
        sized doohicky that generates the 1 time passwords. It costs money."


        Use crack to break the passwords - get people to change their
        password based on cracks results.
  Passwd+ or npasswd:

        Programs that force people to choose good passwords.
        The last time I checked, they didn't support NIS or NIS+.
        I may reinvestigate.

  Use something like Kerberos to encrypt the traffic:

Final Thoughts:

  As far as I can tell, something like SecureID is the only 100% solution.
  Perhaps, Kerberos is also, but I have no experience with it.

  Crack, passwd+, NIS+ .... may reduce the exposure, but they do not
  eliminate it.

  In its primitive form, this is basically risk management and one
  has to decide how much to pay, in money and time, for how much

  Yes, I am 1/2 slovak but do not speak slovak.

  My return address only gets propagated incorrectly through this
  mailing list (as far as I can tell ). I think it has
  something to do with parentheses in the gecos field.

  Thanks to all those who responded, and have a great day.


If I left you out, it was by mistake.


Paul Slezak
Union Pacific Resources (817)-877-6061
P.O. Box 7 M.S. 2806 FAX: (817)-877-6598
Fort Worth, TX 76101

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:29 CDT