[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] [Mips] Are these Passwords Shadowed?

Subject: Re: [cobalt-users] [Mips] Are these Passwords Shadowed?
From: Colin Smith <colin@xxxxxxxxxxxxxxxxxxxx>
Date: Mon Dec 4 19:26:52 2000
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

On Sun, 3 Dec 2000, James Hoaggs wrote:

> Hi list,
> After reading BugTraq and finding someone clowned the S&P servers for
> not having shadowed passwords, I decided to look at a newly restored
> Qube2 from a newly ordered CD and hence ask 2 questions:
> 
> 1) Are these passwords shadowed?
> 
> root:9E8yTJJJJJfdW:0:0:Root:/root:/bin/sh <changed some for protection>
> admin:9E8yTJJJJJfdW:110:100:Administrator:/home/users/admin:/bin/bash
>  
> mitch:liOxtX5H2YOsW:112:100:mitch:/home/users/mitch:/bin/bash
> rex:Wn16.op40v16A:113:100:rex:/home/users/rex:/bin/bash
> joy:1FilpFx4DqBt.:114:100:joy:/home/users/joy:/bin/bash
> "passwd" [readonly] 30 lines, 1311 characters

Nope. They look like this if they are shadowed:

rex:x:113:100:rex:/home/users/rex:/bin/bash
joy:x:114:100:joy:/home/users/joy:/bin/bash

> 2) If not, how does one go to shadow them.  I can not find a /etc/shadow
> file, and the /etc/passwd has these permissions:
> 
> -rw-r--r--   1 root     root         1311 Dec  1 04:04 passwd

Those are the correct permissions for /etc/passwd. Not sure how to shadow
ith though. It's a fairly major OS modification. Maybe the latest security
updates do it.

> which means all users can read the file, disputing a claim made earlier

Yup, all users *must* be able to read /etc/passwd for the OS to function.

> by Geoff Baysinger <lists@xxxxxxxxxxxxxx> stating that there is "/etc/shadow
> in the Qube2". Not here buddy, off a 2 month old CD.

The CD may just be a base install on to which you should apply all the
security patches.

> >From the archives, it looks like ol' Franklin S. Werren has also asked
> with no answers :
> >I have the 2 Shadow RPM's off the Cobalt site installed and I did >shadow
> my passwords for a few mins... but I was unable to telnet in, >But I
> was able to use the GUI and re-enter my passwords... here is my >observations....
> >Shadow does work on the passwd file, You can get access via the GUI
> >but you loose telnet access, You re-enter the password in the GUI, you
> >loose your shadow password and regain telnet access.
> >Here are my questions....How do you keep the GUI from not adding un->shadow
> passwords when you add a user? How do you fix the ability to >use shadow

That'll be whatever password update routines the web GUI uses. I haven't
looked at it but it's just Perl so should be fairly simple to follow.

> passwords and telnet?

Should be in the /etc/pam.d/* files. You can define exactly how you want
each service to authenticate.

> If I can't find any solutions here I might just go with the newly released
> OpenBSD 2.8 http://www.openbsd.org/announce28.html, which hasn't had
> a root exploit for 3 years on a default install, and make the qube just
> a mail server that I can assume is a joke and never secure enough to
> put any real data on. If it gets hacked & fubared I can install netBSD
> on it, http://www.netbsd.org/Ports/cobalt/, or worse case senerio, use
> it as a decorative candy bowl at the Holiday party <jk>.

It might be worth not just relying on default installs for security.
Security is far more complex than that. It must be constantly reviewed,
checked and updated.

> Cheers,

regards,
Colin Smith

References:
- [cobalt-users] [Mips] Are these Passwords Shadowed?
  - From: James Hoaggs

Prev by Date: Re: [cobalt-users] [Qube2] ipfwadm deny port 113
Next by Date: Re: [cobalt-users] locking out IP's
Previous by thread: Re: [cobalt-users] [Mips] Are these Passwords Shadowed?
Next by thread: Re: [cobalt-users] [Mips] Are these Passwords Shadowed?

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index