LinuxQuestions.org
Old 06-07-2010, 07:51 AM   #1
Fredde87
Member
 
Registered: Aug 2005
Posts: 158

Rep: Reputation: 30
MD5 password exposed


Hi,

I noticed that our /etc/shadow file is readable on a patch I released for one of our in-house Linux boxes a while back.

If someone was clever enough and managed to see it, could they use it to gain access to the root account, etc.? Our passwords are all MD5 encrypted.


Thanks!
 
Old 06-07-2010, 08:46 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

Yes, it is possible to de-hash the passwords in /etc/shadow. There are programs (John the Ripper being the most-used on Unix) which can use dictionary and brute-force attacks against the hashes, and will eventually hit the right password.

I would change the permissions if I were you.

Dave
 
1 members found this post helpful.
Old 06-07-2010, 10:18 AM   #3
Fredde87
Member
 
Registered: Aug 2005
Posts: 158

Original Poster
Rep: Reputation: 30
Hi there,

Sorry, should have been a bit clearer. With the exception of brute force, database lookups, etc., is there a way the user could use the encrypted password and send it to an SSH server, for example? The password the user types in is encrypted with MD5 before being sent to the SSH server, isn't it? So a user could potentially modify an SSH client to send the string to the SSH server to get in as root?


Best Regards

Fredrik
 
Old 06-07-2010, 10:24 AM   #4
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

SSH encrypts the whole stream and the password is passed down that encrypted channel, but it's not MD5 that's used (MD5 isn't an encryption algorithm, it's just a hash). The password (along with everything else) is decrypted by the SSH server before being used - most Linuxen use PAM to process authentication, so the password's passed to PAM in plaintext to be compared with the hash in /etc/shadow.

So no, having the MD5 hash on its own won't let anyone in.

Dave
 
1 members found this post helpful.
Old 06-07-2010, 10:56 AM   #5
Fredde87
Member
 
Registered: Aug 2005
Posts: 158

Original Poster
Rep: Reputation: 30
Thanks for clarifying that!
 
Old 06-08-2010, 06:22 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Nevertheless, I'll second the recommendation that you 1) fix the permissions on /etc/shadow; 2) consider changing root's password very soon.

With today's computing power (even on affordable workstations), someone with the salt + MD5 hash can realistically discover your password.
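
A defensive check for the two issues raised in this thread, a shadow file that every local user can read and accounts still stored as MD5-crypt (`$1$`) hashes. This is an added example, not code from any poster; it assumes GNU `stat`, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for world-read access and MD5-crypt hashes.
# Assumes GNU coreutils stat; all function names are illustrative.

# Succeeds when "other" has read permission on the file.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]         # bit 4 = read
}

# Print the accounts whose hash field starts with the MD5-crypt prefix $1$.
md5_accounts() {
    awk -F: 'index($2, "$1$") == 1 { print $1 }' "$1"
}

audit_shadow() {
    f=${1:-/etc/shadow}
    [ -r "$f" ] || { echo "ERROR: cannot read $f (run as root for the real file)"; return 2; }
    if world_readable "$f"; then
        echo "FAIL: $f is readable by every local user; fix the mode and change the passwords"
    else
        echo "OK: $f is not world-readable"
    fi
    for u in $(md5_accounts "$f"); do
        echo "WEAK: $u has an MD5-crypt hash; change it once a stronger scheme is configured"
    done
}

# Constructed sample in shadow(5) layout; the hash fields are placeholders, not real hashes.
make_sample() {
    s=$(mktemp) || return 1
    cat > "$s" <<'EOF'
root:$1$CONSTRUCTED$placeholderplaceholder:14767:0:99999:7:::
daemon:*:14767:0:99999:7:::
alice:$6$CONSTRUCTED$placeholderplaceholder:14767:0:99999:7:::
EOF
    echo "$s"
}

sample=$(make_sample)
chmod 644 "$sample"      # reproduce the mistake described in the thread
audit_shadow "$sample"
rm -f "$sample"
```

Run `audit_shadow` with no argument as root to check the real /etc/shadow.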
 
  


All times are GMT -5.