Summary: Password Security Question

From: Constantin Moldovan (cmoldovan@gt.ca)
Date: Fri Nov 24 2000 - 07:13:01 CST


I've got 2 replies that were very useful.
Many thanks to Darren Dunham and Matthew Stier.

My original post:
================

 Hi List,
  
 Environment: Sun Solaris 7 using NIS
  
 On the passwd file for NIS (not on the local passwd file, here all entries
 have x in the password field)
 there are some entries which have an * instead of x in the password field
 like:
 telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
 mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
 reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
  
 These entries do not have an equivalent on the shadow file.
  
 They are used for applications only, no real person is using them to login.
  
 What does * mean and why do they not use x in the password field?
 Is this a security breach?

Here are the replies:

From: Darren Dunham [mailto:ddunham@taos.com]
=============================================

* is simply an "invalid" password, so no one can log in to the account
directly.

x is simply a token that means 'go look in shadow'.

> Should we replace the * with an x?

Only if you create a shadow entry and put a '*' in the password slot.

Remember, the only reason for the separate shadow file is so that normal
users can't see the users' password hash. Since this user's password
hash is '*', there's nothing to decrypt. There is no vulnerable
password.

-- 
Darren Dunham                                           ddunham@taos.com
Unix System Administrator                    Taos - The SysAdmin Company
Got some Dr Pepper?                           San Francisco, CA bay area
      < Please move on, ...nothing to see here,  please disperse >

From: Matthew Stier [mailto:Matthew.Stier@fnc.fujitsu.com]
==========================================================

It doesn't matter.

An encoded password entry will ALWAYS be 13 characters.

Since a blank password entry means the account has no password, a value has to be put into it. Since a valid encoded password is always 13 characters, putting any non-13 character string in the password field will result in a non-matchable string, and thus a locked account.

The asterisk character is typically used, since the encoding algorithm will not encode one. Actually, any character, or string of characters, that cannot be the result of encoding any password will work.

Since the facility I work at is small, we do not reuse account names or userids. To lock accounts, we use a string of two asterisks, the date encoded as an 8 character string, and two more asterisks.

mstier:**20001123**:1234:1234:....

Thank you all, Constantin Moldovan
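The two replies amount to a simple rule for reading the password field of a passwd map: "x" defers to shadow, an empty field means no password at all, a 13-character string over the crypt(3) alphabet is a real (and world-readable) hash, and anything else can never match and so locks the account. The following audit script, added here and not part of the original thread, applies that rule to a constructed NIS passwd map modelled on the entries above; it assumes the traditional 13-character DES crypt(3) format the replies describe.

```python
import string

# Traditional crypt(3) DES output uses only these 64 characters (13 in total).
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Constructed sample passwd map, modelled on the entries quoted in the thread.
SAMPLE_PASSWD = """\
telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
mstier:**20001123**:1234:1234:Locked with a date stamp:/home/mstier:/bin/ksh
jdoe:x:1500:100:Hash kept in shadow:/home/jdoe:/bin/sh
legacy:ab3Gq9ZxQ1mPQ:1501:100:Constructed old style hash:/home/legacy:/bin/sh
nopass::1502:100:Empty password field:/home/nopass:/bin/sh
"""

def classify(field: str) -> str:
    """Classify a passwd(4) password field the way login(1) would treat it."""
    if field == "":
        return "NO PASSWORD"      # empty field: login succeeds with no password
    if field == "x":
        return "shadowed"         # token meaning 'go look in /etc/shadow'
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "HASH EXPOSED"     # a real crypt(3) hash, readable by every user
    return "locked"               # can never equal any crypt(3) output

def audit(passwd_text: str) -> list:
    """Return (name, verdict) pairs for every entry in a passwd-format text."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "MALFORMED"))
            continue
        findings.append((fields[0], classify(fields[1])))
    return findings

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PASSWD):
        print(f"{name:12} {verdict}")
```

Only "NO PASSWORD" and "HASH EXPOSED" verdicts need action; the '*' and '**date**' entries are locked exactly as the replies say, with or without a shadow entry.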




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:23 CDT