RE: master.passwd -- securing
Why do you want to do this? master.passwd already is inherently secure. The /etc/passwd file is what's used by most programs, and master.passwd only for login purposes. You have to have the password stored somewhere or there can be no authentication, unless you go with some sort of hardware credential.

Eric F Crist
President
AdTech Integrated Systems, Inc
(612) 998-3588

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rhys John
Sent: Thursday, December 18, 2003 5:44 AM
To: [EMAIL PROTECTED]
Subject: Re: master.passwd -- securing

Both accounts are now active but I would like to remove the encrypted password from master.passwd and replace it with a *. Is this possible with "vipw"?

Thanks for your reply hugle

>From: hugle <[EMAIL PROTECTED]>
>Reply-To: hugle <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: master.passwd -- securing
>Date: Thu, 18 Dec 2003 03:39:18 -0800
>
>[...]

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: master.passwd -- securing
----- Original Message -----
From: "Rhys John" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 18, 2003 5:44 AM
Subject: Re: master.passwd -- securing

> Both accounts are now active but I would like to remove the encrypted
> password from master.passwd and replace it with a *. Is this possible with
> "vipw"?
>
> Thanks for your reply hugle

In normal stand-alone operation, no. It's not possible at all. There has to be a password hash local to the machine. Now, if you're configured to use another method of password storage as has been previously mentioned, that's a different story. Although, best practice would be to have at least one user account in wheel, and the root user with a valid login password.

If you're worried about someone viewing the master.passwd file and obtaining the hash, don't. Only root, by default, can touch that file. If you have someone that has breached the system to the point they're able to open that file, then the problem of them viewing the password hash is quite moot.

--
Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: master.passwd -- securing
On Thu, 18 Dec 2003 11:44:14 +0000 "Rhys John" <[EMAIL PROTECTED]> probably wrote:

> Both accounts are now active but I would like to remove the encrypted
> password from master.passwd and replace it with a *. Is this possible with
> "vipw"?
>

It doesn't matter what you use for editing your password files (at least for this point). If you have a `*' in your master.passwd, that means that direct console logins for that user are disabled. If you are so much embarrassed about root having a password, you may use sudo (from ports) and allow a certain user to "sudo sh" to gain root privileges, for instance. He (you as a user) will then have to enter his own password, not root's. This way, you exchange a cracker's job of cracking your root password for a job of cracking your user password, so it's not much more secure :).

> Thanks for your reply hugle
>
> [...]
>

--
DoubleF
Violence is the last refuge of the incompetent. -- Salvor Hardin
Re: master.passwd -- securing
On Thu, Dec 18, 2003 at 11:28:36AM +0000, Rhys John wrote:

> I've been playing with "vipw" trying to change passwords into "*" for a
> slightly higher level of security but ran into some very big problems. From
> reading through the FreeBSD handbook it seemed all I had to do was replace
> the encrypted password with *, which is what I did. I thought it seemed a
> bit odd but continued anyway. Foolishly (although I was quite tired) I did
> this to both my user account and root. So they both had * as their password
> and looked the same as every other entry in the file. I saved it and "vipw"
> updated the database so I thought all was well and logged off to check...
> big mistake! The net result of this was not good, I couldn't access my user
> account or root :( Anyway I had to cut the power to my PC since I couldn't
> shut it down because I was locked out. After that I went into single user
> mode and changed the passwords back and it's working now but I can't hide the
> passwords. So I guess after all this rambling my question is how do I
> secure the password file? How do I change from the encrypted password to *
> without screwing over my system? Any help would be much appreciated

You can't do that. You need the password hash in /etc/master.passwd if you want people to be able to log in via the console. You should have at least the root account and your own user account in the local /etc/master.passwd file with valid passwords, or you can find yourself in a whole heap of trouble when things go wrong.

There are some circumstances in which you can remove some password hashes from the master.passwd file, however these are unlikely to be relevant to home users. If you're using a network-wide user database -- either NIS or LDAP -- then it can supply password hashes from its own database. (Note that this is probably less secure than a local passwd file in terms of preventing unauthorized access to the password DB.) You can also take the password hashes out for users that only have access to the system by ssh(1) -- in that case you can use ssh-keys to authenticate the user -- and I think you can do similar things with a fully Kerberized setup. However, you still need local accounts you can guarantee to log into directly on each machine, as any of those other services may fail to work.

Having password hashes in the /etc/master.passwd file is not a huge security risk. So long as you make sure that /etc/master.passwd is readable only by root (which is the default), and that no-one can steal the file (which boils down to making sure no-one can steal your backup tapes and making sure that you keep up to date with security advisories. Remember that there will be extra copies of master.passwd in /var/backups/ which need an equal level of protection) or if anyone does get hold of the master.passwd file that they can't decode the password hashes (which means using MD5 rather than DES password hashes, and making sure that users choose passwords which aren't easy to guess).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
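The points DoubleF and Matthew make above (a `*` in the password field disables password login, an empty field means no password at all, a 13-character DES hash is weaker than an MD5 one, at least one uid-0 account must stay usable, and master.passwd must be readable only by root) can be checked mechanically. The POSIX sh script below is an added example, not code from the thread or from FreeBSD; the sample master.passwd entries and their hash strings are constructed placeholders, and the `$1$` prefix test for MD5 is an assumption about the modular-crypt format.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FreeBSD-style master.passwd for
# the conditions the replies discuss ('*' = login disabled, empty password,
# DES vs MD5 hashes, a usable uid-0 account, root-only readability).
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell

# Classify the password field of one entry.
classify_hash() {
    case "$1" in
        '')     echo EMPTY ;;      # no password: logs in without one
        '*')    echo LOCKED ;;     # password login disabled (what the OP set on root)
        '$1$'*) echo MD5 ;;        # modular-crypt MD5 (assumed prefix), the thread's advice
        '$'*)   echo OTHER-MCF ;;  # some other modular-crypt scheme
        *)      if [ "${#1}" -eq 13 ]; then echo DES; else echo UNKNOWN; fi ;;
    esac
}

# Emit one "name:kind:uid" line per account.
classify_file() {
    while IFS=: read -r name pw uid _rest; do
        [ -z "$name" ] && continue
        printf '%s:%s:%s\n' "$name" "$(classify_hash "$pw")" "$uid"
    done < "$1"
}

# Accounts needing attention: no password, or a crackable 13-char DES hash.
weak_count() { classify_file "$1" | grep -c -E ':(EMPTY|DES):'; }
# uid-0 accounts that can still log in with a password; 0 is the OP's lock-out.
usable_uid0_count() { classify_file "$1" | grep -c -E ':(MD5|DES|OTHER-MCF):0$'; }
# 1 if "others" have read permission, 0 if not (root-only is the FreeBSD default).
world_readable() {
    if [ -n "$(find "$1" -prune -perm -o+r 2>/dev/null)" ]; then echo 1; else echo 0; fi
}

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$1$saltsalt$PLACEHOLDERmd5hashxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
rhys:abJnggxhB/yWI:1001:1001::0:0:Rhys John:/home/rhys:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
chmod 0644 "$SAMPLE"   # deliberately too open so the permission check fires

classify_file "$SAMPLE"
echo "weak accounts: $(weak_count "$SAMPLE")"                # 2 (rhys, guest)
echo "usable uid-0 accounts: $(usable_uid0_count "$SAMPLE")" # 1 (root)
echo "world readable: $(world_readable "$SAMPLE")"           # 1
```

Run against the real file as root with `/etc/master.passwd` substituted for the sample, and run it again over the copies in /var/backups/, which the thread notes need the same protection.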
Re: master.passwd -- securing
Both accounts are now active but I would like to remove the encrypted password from master.passwd and replace it with a *. Is this possible with "vipw"?

Thanks for your reply hugle

From: hugle <[EMAIL PROTECTED]>
Reply-To: hugle <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: master.passwd -- securing
Date: Thu, 18 Dec 2003 03:39:18 -0800

RJ> [...]

try doing that:
#Forget your root pw?
1. Reboot. When you see the "boot" prompt, type boot -s and hit enter
2. run this command: fsck -p / && mount -u /
3. use the `passwd` command to set a password for root
4. reboot, done

hope that helps..
Re: master.passwd -- securing
RJ> I've been playing with "vipw" trying to change passwords into "*" for a
RJ> slightly higher level of security but ran into some very big problems. From
RJ> reading through the FreeBSD handbook it seemed all I had to do was replace
RJ> the encrypted password with *, which is what I did. I thought it seemed a
RJ> bit odd but continued anyway. Foolishly (although I was quite tired) I did
RJ> this to both my user account and root. So they both had * as their password
RJ> and looked the same as every other entry in the file. I saved it and "vipw"
RJ> updated the database so I thought all was well and logged off to check...
RJ> big mistake! The net result of this was not good, I couldn't access my user
RJ> account or root :( Anyway I had to cut the power to my PC since I couldn't
RJ> shut it down because I was locked out. After that I went into single user
RJ> mode and changed the passwords back and it's working now but I can't hide the
RJ> passwords. So I guess after all this rambling my question is how do I secure
RJ> the password file? How do I change from the encrypted password to * without
RJ> screwing over my system? Any help would be much appreciated

try doing that:
#Forget your root pw?
1. Reboot. When you see the "boot" prompt, type boot -s and hit enter
2. run this command: fsck -p / && mount -u /
3. use the `passwd` command to set a password for root
4. reboot, done

hope that helps..
master.passwd -- securing
I've been playing with "vipw" trying to change passwords into "*" for a slightly higher level of security but ran into some very big problems. From reading through the FreeBSD handbook it seemed all I had to do was replace the encrypted password with *, which is what I did. I thought it seemed a bit odd but continued anyway. Foolishly (although I was quite tired) I did this to both my user account and root. So they both had * as their password and looked the same as every other entry in the file. I saved it and "vipw" updated the database so I thought all was well and logged off to check... big mistake! The net result of this was not good, I couldn't access my user account or root :( Anyway I had to cut the power to my PC since I couldn't shut it down because I was locked out. After that I went into single user mode and changed the passwords back and it's working now but I can't hide the passwords. So I guess after all this rambling my question is how do I secure the password file? How do I change from the encrypted password to * without screwing over my system? Any help would be much appreciated

- BiZKiT