LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-01-2004, 03:47 AM   #1
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Rep: Reputation: 30
Encrypted Passwords, how could I tell?


I am using MDK 9.1 and I would like to know how could I tell if my login and my root passwords are encrypted or not? Where could I go and see and how could I tell?

And also, how could I use cryptography like in OpenBSD?
 
Old 10-01-2004, 05:43 AM   #2
320mb
Senior Member
 
Registered: Nov 2002
Location: pikes peak
Distribution: Slackware, LFS
Posts: 2,577

Rep: Reputation: 47
Re: Encrypted Passwords, how could I tell?

Quote:
Originally posted by wardialer
I am using MDK 9.1 and I would like to know how could I tell if my login and my root passwords are encrypted or not? Where could I go and see and how could I tell?
look to see if you have /etc/shadow file??

or from command line :
Code:
pwconv
does this command give any errors???
 
Old 10-01-2004, 09:58 AM   #3
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I went to KONSOLE or terminal and typed in 'pwconv' and no errors were given.

And yes, I do have the /etc/shadow.
 
Old 10-01-2004, 11:24 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Look at the format of /etc/passwd
Code:
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
See the * (asterisk) in the second column? That means the hashed password is in shadow.

Passwords really aren't encrypted, they're hashed. This means (roughly) that a pattern of the password is generated, but that there's no possible way to convert that pattern back to the original password; however, if you later run the same pattern algorithm on a password that the user types in, you can compare that pattern to the password pattern and see if they match.

None of that covers whether your password is protected when you're trying to authenticate, though. Depending on how you're logging in (Telnet, SSH, to get e-mail with POP3, etc) your password may or may not be protected. In that case it doesn't matter at all if your password on the disk is hashed and placed in /etc/shadow, if you use an insecure login protocol, then your password is exposed.

And as a small note, most Linux distributions use MD5 hashing for the password. Some security researchers have recently found flaws in MD5 that allows for some collisions to be generated. While this does not mean that you could use a hash to generate the correct password, there are now quicker ways to match the password by brute-force.

On the other hand, most of the BSD family use Blowfish to hash their passwords and there haven't been any weaknesses yet found with Blowfish.
 
Old 10-02-2004, 10:06 AM   #5
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Here is the /etc/passwd/ file:

Most of them are like this including the root and username, look below:


Code:
:X:0:0  or  :X: 501:501

What could I do to make this Passwd more secure if its not already secure?

Last edited by wardialer; 10-02-2004 at 10:14 AM.
 
Old 10-02-2004, 02:42 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Really the only thing to make it more secure is to use passwords at least 8 characters long. With methods other than Crypt() (DES) passwords longer than 8 characters actually get stronger (DES only hashed up to 8 characters, so anything beyond that was pointless). You could also switch from MD5 to Blowfish for your password hashing, but that would require resetting the password for everyone since there's no way to convert it.
 
Old 10-03-2004, 08:12 AM   #7
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
/me gets scared

how would that switching of the password hashing thing go with most distros?
 
Old 10-03-2004, 09:09 AM   #8
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Quote:
You could also switch from MD5 to Blowfish for your password hashing, but that would require resetting the password for everyone since there's no way to convert it.
How would I do that?

Quote:
"Resetting the password for everyone"
Well, I am the only one who uses the computer. Thats it. And plus its a standalone with no webserver services running either. So how would I convert this passwd file to use Blowfish (BSD-like)??? But the bottom line is, the passwd file that was given above, is that encrypted??
I want to covert this to Blowfish. How?

Please explain the directions please.
 
Old 10-03-2004, 04:16 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
First, passwords are not encrypted, they're hashed. It's different because hashing is not reversable while encryption is (with the key). Second, you don't encrypt the password files, you store hashed passwords in them. Third, you don't want the password hashes in /etc/password because that allows them to be brute-forced off-line! Hashed passwords go in /etc/shadow (or /etc/master.passwd, depending on the OS). Fourth, I'm not aware of any Linux distros that allow you to use Blowfish as the native password hashing scheme, so you would have to find a PAM plug-in for that.
 
Old 10-03-2004, 04:57 PM   #10
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
oooowe, so your saying you don't know of a way to get pam to switch to the blowfisyies password hashing thingy?

owell (starts a search on google)
 
Old 10-04-2004, 01:43 AM   #11
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I stumbled onto this online Plain text password to Blowfish encryption conversion. I think I will do that is to convert my existing login password to Blowfish using that online thing.

http://webnet77.com/cgi-bin/helpers/crypthelp.pl
 
Old 10-05-2004, 12:08 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
It doesn't do any good to convert your passwords to Blowfish hashing if your login mechanism doesn't support it (which Linux does not do, native). Also, I would strongly recommend against using someone's on-line tool to hash passwords. Think about it, they could easily keep a log of every plain text password and what IP made the connection to their site. It would be a simple matter to scan each IP for remote login services and try each password that was entered in the conversion site.
 
Old 10-05-2004, 06:35 AM   #13
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
The Openwall project has bcrypt and pam_tcb module packages available to add to other distros. Check out the links below:

http://www.openwall.com/crypt/

http://www.openwall.com/tcb/

Enjoy!
--- Cerbere
 
Old 10-12-2004, 02:14 PM   #14
guitarman85281
Member
 
Registered: Aug 2004
Location: Tempe, Arizona
Distribution: RedHat 9, SuSE 9.1, Fedora Core 4, Gentoo
Posts: 52

Rep: Reputation: 15
Greetings
RH (9 at least) and SuSE 9 and up support Blowfish for encryption. Not by default, but it's still supported. I don't have definitive knowledge on any other distros so I don't want to comment on what I'm not sure of.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Qmail - Encrypted Passwords chrisfirestar Linux - Networking 9 06-25-2013 02:11 AM
Encrypted passwords on Cisco 2500 siawash Linux - Networking 5 08-10-2005 05:38 PM
.htaccess not accepting encrypted passwords. Braytac Linux - Distributions 1 04-28-2005 12:55 AM
Moving encrypted passwords to a new host paulsm4 Linux - Software 1 09-17-2004 01:40 AM
creating encrypted passwords kidwired Linux - Security 3 01-12-2003 04:34 PM


All times are GMT -5. The time now is 04:53 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration