John A. Kinsella's [John.Kinsella at ul.ie] 35 lines of wisdom included:
> 2) Is my Linux passwd file really vulnerable to a password cracker
> (not a dictionary attack, but genuine decryption)? Presumably this doesn't
> matter if I use ssh?...
>
It depends what form of encryption your Linux passwd file uses; md5
is much harder to crack, for example, than DES. DES is the old UNIX
encryption standard, however Linux supports this form of password
encryption for compatibility with older systems.

SSH is nothing to do with the passwd file on your system, SSH
basically lessens the chance of people sniffing your network traffic
and finding out your password when you're sending it over the
network.

The way the normal login process works is that you send your
username and password and they are then encrypted once they get to
the server, however in between, your password (if you are
using a protocol such as telnet) is sent in plaintext. If people are
watching/monitoring network traffic, your password can be seen.

If you're using a Linux machine, you should install the shadow
package, so that there are basically two password files,
/etc/shadow and /etc/passwd.

/etc/shadow is a file that contains the encrypted password and is
readable only by root, while /etc/passwd is readable by everyone
and does not contain the password, merely an "x" where the password
field is, denoting that the password is shadowed.

Phil.
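
The passwd/shadow split described in the reply above, as an added example that is not part of the original post: a Python sketch that reads passwd-format text and reports which accounts still keep a hash (traditional DES crypt or `$1$` md5-crypt) in the world-readable file, plus a check that a shadow file is not readable by everyone. The sample accounts and hash strings are constructed, and the function names are this example's own.

```python
"""Audit passwd-format text: is each password shadowed, and if not, which scheme?"""
import os
import re
import stat

# Constructed sample in /etc/passwd format (accounts and hash strings are made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:ab1Cd2Ef3Gh4I:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$saltsalt$0123456789abcdefghijkl:1001:1001:Bob:/home/bob:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carol::1002:1002:Carol:/home/carol:/bin/bash
"""

# Traditional DES crypt(): 2 salt characters + 11 hash characters.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# md5-crypt: $1$ + salt of up to 8 characters + $ + 22 hash characters.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify(field):
    """Classify the second (password) field of one passwd entry."""
    if field == "x":
        return "shadowed"      # real hash lives in /etc/shadow
    if field == "":
        return "empty"         # no password at all
    if field[0] in "*!":
        return "locked"        # cannot match any password
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit(passwd_text):
    """Return (account, status) for every entry in passwd-format text."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((f"line {lineno}", "malformed"))
            continue
        findings.append((parts[0], classify(parts[1])))
    return findings


def exposed(passwd_text):
    """Accounts whose hash (or empty password) sits in the world-readable file."""
    return [u for u, s in audit(passwd_text) if s in ("des", "md5", "empty", "unknown")]


def world_readable(path):
    """True if 'other' users may read the file, which a shadow file must not allow."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD):
        print(f"{user:8} {status}")
```

To audit a real system, pass the contents of `/etc/passwd` to `audit()` and call `world_readable("/etc/shadow")`.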