Re: [cobalt-users] Checking user password
- Subject: Re: [cobalt-users] Checking user password
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Dec 5 22:12:01 2001
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Roy A. Urick" <roy.urick@xxxxxxxxxxxxxxxx> wrote:
> You missed my point. Yes, with cracking tools, it's possible. I am talking
> about the casual meanderings of your typical bored, nosey, lazy admin, and
> using encrypted passwords.
You're not implying that the typical server admin is bored, lazy, etc. are
you? Not a nice thing to say on a list with a high percentage of server
admins. :0 Passwords, encrypted or otherwise, do not impede a server admin
from accessing any files on the server. If you feel otherwise, please
elaborate.
> My point in all this is the systems are designed so admins can't just
> casually look up a PW in a plain text file
If you're saying that due to the encrypted password format server admins
can't view the passwords I agree. If you're saying preventing server admins
from viewing plain text passwords is a primary reason operating systems such
as *nix use encrypted passwords I disagree.
> and start snooping.
Again, I disagree. A server admin can access any file on the server. Can
you give a scenario where encrypted passwords prevent a server admin from
snooping? Sure, it prevents a server admin from using the user's password
to access other systems (computer and otherwise) that the user might use the
same password on, but outside of that I'm not sure what you're referring to.
> they gotta
> WANT to get in and look (and work a little at it).
Want, yes; work, no.
> Also, bear in mind I
> include such environments as Novell and M$ in my scenarios.
Granted, but this thread was about the RaQ3/4. It shouldn't make a
difference, unless server admins working on those systems are less
trustworthy. Ah, maybe those are the typical admins you described earlier.
;-)
> As for changing the password and then replacing it to be undetected, once
> again that assumes they took the time to crack it.
No, it does not. You can test yourself. The entire process takes less than
a minute.
1. Login to the shell as admin.
2. su - root
3. cp -p /etc/shadow /root/shadow
4. passwd myuser (then change user's password)
5. su - myuser
6. You are now that user. Do whatever you want.
7. exit (you're now root again)
8. pico -w /etc/shadow (replace myuser's encrypted password with the old
version in /root/shadow)
> As a buddy of mine says... "Locks are only here to keep honest people
> honest, not to keep bad people out"
True, but in this case we're referring to the business owner with a master
key. And the layer of security in place makes it more difficult for the
disgruntled employees and customers to get into the boss' office. :-)
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
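A defender's check for the eight-step scenario above, added here as an example and not taken from the list post: it compares an off-box baseline snapshot of /etc/shadow against the current file and flags both the hand-edited hash swap and the "restored but rewritten" state left behind by step 8. The sample shadow lines, hashes and mtimes are constructed; the function and field names are my own.

```python
"""Detect the root-level "change password, use the account, restore the old
hash" pattern from the thread by comparing a baseline snapshot of /etc/shadow
against the current file.  Sample lines, hashes and mtimes are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ShadowEntry:
    user: str
    hash: str      # encrypted password field
    lastchg: int   # days since 1970-01-01 when the password last changed

def parse_shadow(text: str) -> dict:
    """Parse shadow(5)-format lines into {user: ShadowEntry}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[fields[0]] = ShadowEntry(fields[0], fields[1], int(fields[2] or 0))
    return entries

def audit_shadow(baseline, baseline_mtime, current, current_mtime):
    """Return (severity, message) findings. Keep the baseline and its mtime
    off the box: root controls every local copy."""
    old, new = parse_shadow(baseline), parse_shadow(current)
    findings = []
    for user, entry in new.items():
        prev = old.get(user)
        if prev is None:
            findings.append(("info", f"{user}: new account"))
        elif entry.hash != prev.hash and entry.lastchg == prev.lastchg:
            # passwd(1) bumps lastchg; a hash swap without it means a hand edit
            findings.append(("high", f"{user}: hash changed, lastchg unchanged"))
        elif entry.hash != prev.hash:
            findings.append(("info", f"{user}: password changed (lastchg advanced)"))
    for user in old.keys() - new.keys():
        findings.append(("info", f"{user}: account removed"))
    # Step 8 in the thread leaves every entry identical to the baseline, yet the
    # file was rewritten: mtime advanced while contents did not.
    if current_mtime > baseline_mtime and old == new:
        findings.append(("high", "shadow rewritten with no entry change"))
    return findings

# Constructed sample data (not real hashes)
BASELINE = ("root:$1$CONSTRUCTED$rootHASH:11600:0:99999:7:::\n"
            "myuser:$1$CONSTRUCTED$userHASH:11600:0:99999:7:::\n")
HAND_EDITED = BASELINE.replace("$userHASH", "$newHASH")   # hash swapped, lastchg kept
VIA_PASSWD = BASELINE.replace("$userHASH:11600", "$newHASH:11661")  # passwd bumped lastchg
```

Routine changes made with passwd, useradd and the like also rewrite the file, so treat the mtime-only finding as a prompt to review the audit trail rather than as proof of misuse.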