Re: [netatalk-admins] ~/.passwd


Subject: Re: [netatalk-admins] ~/.passwd
From: PayPC System Mail Subscriber (spammail@quanta.paypc.com)
Date: Fri Mar 05 1999 - 03:45:09 EST


Alex Yu said in Re: [netatalk-admins] ~/.passwd at 05/Mar/1999 (Fri) 13:19:11.

> I just found out that atalk uses its own passwd for randnum (2-way encrypted
> password). I would like to know how I can use /etc/passwd | shadow as my
> main passwd? Many users do not want to use 2 different passwds or to
> change passwd twice if they need to. Because of a security issue, I have to
> disable ssh/telnet for local users, so I want to be able to let them
> change their passwd through AppleTalk and have it auto-update the main
> /etc/passwd | shadow. Please help!

Alex, because the /etc/shadow password is a salted one-way hash done with an
algorithm very different from Appleshare's, there's no way for the
2way-randnum method to check against the /etc/shadow passwords.

So you must have a "look-aside" password (the samba folks have to
do this also to support encrypted logins from NT systems)... Adrian's method
is OK... however I *****STRONGLY***** advise the following:

*FORCE* all of your users to keep DIFFERENT passwords in their .passwd from
their normal UNIX one. At the moment, my userbase is intelligent [no
management or salesdroids yet] so I don't need to police them, however, it
would be easy to write a passwd (UNIX-side) filter that would check ~/.passwd
and disallow passwords that match their Appleshare ones.

This is prudent because of this in-the-clear password... even IF that file
were compromised, all the person could do is log in via AppleTalk... if your
network is like mine, I use TCP Wrappers *and* firewalls to disallow all but
LOCAL network logins for Appleshare and SAMBA services.... so an outsider to
my net gets NOTHING if he discovers the .passwd file's contents. They have
to be on a MACINTOSH that's within my local network to do any mischief at
all, and even then, it's going to be limited to just what they can get at via
netatalk.

So because of all of the above, I find the .passwd cleartext issue to be an
acceptable solution. There *IS* one bad thing about it, though. It allows
"evil" superusers to be able to silently harvest passwords [yes, they have
unfettered access to everything, *but* they might be able to use those
passwords on other systems where they may NOT be superusers or even allowed
access at all]... since I'm the sole BOFH on my net, this is not a worry [I
don't do it]... but in larger and more politically infested organisations,
this might be.

Of course, in the end security becomes more an issue of POLICIES than of
technology in the long run.... requiring each major service to have unique
passwords for your users is the best way to contain security breaches.
Nothing is worse than the Happy-Happy NT model where one password opens up a
world of access.

=Rob=
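As an added illustration of the "passwd filter" Rob suggests above (this is example code written for this archive page, not code from the netatalk project or from the poster), the following Python checks a candidate UNIX password against the cleartext AppleShare password kept in ~/.passwd and rejects it when the two match. It assumes ~/.passwd contains the bare cleartext password, optionally followed by a newline, and it leaves out the hook into the system's passwd program or PAM stack, which would call `unix_password_allowed()` with the user's home directory. The sample home directory and its .passwd contents in `demo()` are constructed for the example.

```python
"""Reject a proposed UNIX password that equals the user's cleartext
AppleShare (netatalk randnum) password in ~/.passwd.

Added example for the archived post above; not netatalk project code.
Assumptions: ~/.passwd holds the bare cleartext password, possibly with a
trailing newline; the caller (passwd program or PAM module, not shown here)
supplies the candidate password and the user's home directory.
"""
import hmac
import os
import tempfile


def read_appleshare_password(home):
    """Return the cleartext AppleShare password from home/.passwd as bytes,
    or None when the user has no .passwd file (no AppleShare login to clash with)."""
    path = os.path.join(home, ".passwd")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return None
    # Assumption: a trailing newline is editor residue, not part of the secret.
    return data.rstrip(b"\r\n")


def unix_password_allowed(candidate, home):
    """Filter rule from the post: the new UNIX password must differ from the
    AppleShare one.  Returns True when the candidate may be accepted."""
    apple = read_appleshare_password(home)
    if apple is None:
        return True
    if isinstance(candidate, str):
        candidate = candidate.encode("utf-8")
    # Constant-time comparison so the filter itself does not leak, byte by byte,
    # how close a guess is to the cleartext in ~/.passwd.
    return not hmac.compare_digest(candidate, apple)


def demo():
    """Constructed sample: one home directory whose .passwd holds 'Banana42'
    (with a trailing newline) and one with no .passwd at all.
    Returns (same_password_allowed, different_password_allowed, no_file_allowed)."""
    with tempfile.TemporaryDirectory() as home_with_file, \
            tempfile.TemporaryDirectory() as home_without_file:
        with open(os.path.join(home_with_file, ".passwd"), "w") as fh:
            fh.write("Banana42\n")
        return (
            unix_password_allowed("Banana42", home_with_file),    # rejected
            unix_password_allowed("Banana43", home_with_file),    # accepted
            unix_password_allowed("Banana42", home_without_file),  # accepted
        )


if __name__ == "__main__":
    same, different, no_file = demo()
    print("same password as AppleShare allowed:", same)
    print("different password allowed:", different)
    print("no ~/.passwd present, allowed:", no_file)
```

Because the filter reads the user's ~/.passwd, it must run with the privileges of whatever already changes UNIX passwords (normally root); it does not make the cleartext file any less sensitive, it only keeps a leak of that file from also handing out the UNIX password, which is the containment the post argues for.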



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:16:24 EST