Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 04-30-2006, 06:01 AM
LQ Guru; Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu; Posts: 9,211
wvdial doesn't use encrypted password - how come?
I've noticed that the ISP login password is unencrypted in wvdial.conf (password=).
OK - only root can read this - however, what is the point of this being a shadow password if other applications will have it easily readable (albeit by root)?
Is it possible to get wvdial to use an encrypted password?
#2, 04-30-2006, 07:13 AM
Member; Registered: Sep 2005; Location: Old Blighty; Distribution: Slackware, NetBSD; Posts: 536
Quote:
OK - only root can read this - however, what is the point of this being a shadow password if other applications will have it easily readable (albeit by root)?
Well, don't give the root password to untrusted people, I don't see what the problem is here. Many programs store passwords in clear text (getmail etc). There is no real security problem here, anyone who can read the file has root access, so has control of the machine anyway. Also, not sure what you mean by "shadow password"? It's a wvdial specific password. This has nothing to do with the shadow passwords used by the system (/etc/shadow).
Quote:
Is it possible to get wvdial to use an encrypted password?
Dunno, read the documentation. Even if it can, this will provide you with little security (more importantly it may give you a false sense of security, which is worse than no security at all). If the password is encrypted, wvdial will need some way to decrypt it (assuming your ISP requires the password in plain text, which it probably does), so anyone who can read wvdial.conf could easily use a modified wvdial to reveal the password.
Last edited by ioerror; 04-30-2006 at 07:16 AM.
#3, 04-30-2006, 09:26 PM
LQ Guru (Original Poster); Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu; Posts: 9,211
Quote:
Originally Posted by ioerror
Dunno, read the documentation.
Yes... thank you for that. If you do not know, please don't reply. OTOH: if you can point me to documentation which covers this - please do so. (the man pages, and the wvdial project page, do not.)
Please read: http://geodsoft.com/howto/password/password_basics.htm
... this should fill you in on the finer points of the use of encrypted and shadow passwords.
... encrypted passwords are more secure than unencrypted passwords. Shadow passwords are more secure yet. But it seems to be a bit pointless going to all the trouble of enabling shadow passwords if common applications will routinely have important passwords in plain text.
Root access can be obtained by anyone with physical access to the machine. Shadow passwords are not. Someone can erase the shadow password - true - but that won't help when it comes to a password for an external service like an ISP account.
Last edited by Simon Bridge; 04-30-2006 at 09:37 PM.
#4, 05-01-2006, 04:06 AM
Member; Registered: Sep 2005; Location: Old Blighty; Distribution: Slackware, NetBSD; Posts: 536
Quote:
Yes... thank you for that. If you do not know, please don't reply.
Excuse me!? This is a public forum, I'll reply to whatever I want. If you want a definitive answer then employ a consultant.
I am fully acquainted with the concepts of shadow passwords, thanks. But you are under a misapprehension, "shadow passwords" refer to the system passwords. They have nothing to do with the password in apps such as wvdial. Apparently you didn't read the rest of my post, so I'll repeat it:
Quote:
Even if it can, this will provide you with little security (more importantly it may give you a false sense of security, which is worse than no security at all). If the password is encrypted, wvdial will need some way to decrypt it (assuming your ISP requires the password in plain text, which it probably does), so anyone who can read wvdial.conf could easily use a modified wvdial to reveal the password.
If wvdial had an encrypted password, this would provide no security whatsoever. wvdial would have to be able to decrypt the password, and anyone who gained root access to your box would be able to modify the source to crack your precious password. Keep your box secure and your passwords will be secure (at least, as secure as they can be).
EDIT:
This is an extract from the FAQ for fetchmail:
Quote:
Password encryption in .fetchmailrc
The reason there's no facility to store passwords encrypted in the .fetchmailrc file is because this doesn't actually add protection.
Anyone who's acquired the 0600 permissions needed to read your .fetchmailrc file will be able to run fetchmail as you anyway -- and if it's your password they're after, they'd be able to rip the necessary decoder out of the fetchmail code itself to get it.
All .fetchmailrc encryption would do is give a false sense of security to people who don't think very hard.
Last edited by ioerror; 05-01-2006 at 04:46 AM.
#5, 05-01-2006, 08:57 AM
LQ Guru (Original Poster); Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu; Posts: 9,211
Ah - now - that is better.
Thanks.
#6, 05-02-2006, 04:31 AM
Member; Registered: Sep 2005; Location: Old Blighty; Distribution: Slackware, NetBSD; Posts: 536
The crucial difference between system shadow passwords and wvdial/fetchmail etc is that the encrypted password in /etc/shadow is never decoded back to plain text. Since your ISP wants a plain text password, wvdial would have to decode it before sending, hence the problems mentioned in the fetchmail FAQ. Even if your ISP could accept an encrypted password, this would make no difference. Then, you'd just be sending your encrypted password, which is no different to sending it in plain text, since anyone who can read your wvdial.conf can see the encrypted password and simply send that.
Last edited by ioerror; 05-02-2006 at 05:45 AM.
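The distinction drawn in the post above, as an added Python example that is not from this thread nor from wvdial or fetchmail: the /etc/shadow model stores a salted one-way hash and only ever recomputes it for comparison, whereas a dialer that must hand the ISP a plaintext password can at best apply a reversible transform whose key lives on the same box, so anything that can read what wvdial reads gets the plaintext back. The only protection that actually holds is the fetchmail-style permission check. The XOR obfuscation, the key, and the config file contents are constructed placeholders, not any real program's scheme.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# --- 1. The /etc/shadow model: a salted one-way hash that is never decoded ---

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Store a PBKDF2-SHA256 digest with a random salt (same idea as the
    crypt(3) hashes in /etc/shadow): the password itself is not on disk."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Login check: recompute the hash from the candidate and compare in
    constant time. Nothing here, or anywhere, turns `stored` back into the password."""
    _, _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)

# --- 2. The wvdial/fetchmail model: the ISP needs the plaintext, so the
#        client must be able to produce it from whatever is in the config ---

def obfuscate(password: str, key: bytes) -> str:
    """Constructed toy reversible transform (XOR with a hashed keystream).
    It stands in for any cipher a dialer could use: whatever the scheme,
    the key has to sit on the same box so the dialer can undo it."""
    stream = hashlib.sha256(key).digest()
    raw = password.encode()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(raw)).hex()

def deobfuscate(blob: str, key: bytes) -> str:
    """Exactly what the dialer would have to do before sending the password:
    the config value plus the key yield the plaintext again."""
    stream = hashlib.sha256(key).digest()
    raw = bytes.fromhex(blob)
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(raw)).decode()

# --- 3. What actually protects the file: permissions. fetchmail refuses a
#        .fetchmailrc that is not mode 0600; the same check applies to wvdial.conf ---

def config_mode_is_private(path: str) -> bool:
    """True only if no group/other permission bits are set (owner-only, e.g. 0600)."""
    mode = os.stat(path).st_mode & 0o777
    return mode & 0o077 == 0

def demo_permission_check() -> tuple:
    """Constructed demo: write a wvdial-style config to a temp file and
    check it at 0644 (rejected) and at 0600 (accepted). Assumes a POSIX host."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"[Dialer Defaults]\nUsername = example\nPassword = hunter2\n")
        os.close(fd)
        os.chmod(path, 0o644)
        world_readable = config_mode_is_private(path)
        os.chmod(path, 0o600)
        owner_only = config_mode_is_private(path)
    finally:
        os.unlink(path)
    return world_readable, owner_only

if __name__ == "__main__":
    stored = hash_password("hunter2")
    print("shadow-style record:", stored)
    print("login with right password:", verify_password("hunter2", stored))
    print("login with wrong password:", verify_password("hunter3", stored))
    key = b"key-on-the-same-box"
    blob = obfuscate("hunter2", key)
    print("config value:", blob, "-> recoverable:", deobfuscate(blob, key))
    print("0644 accepted, 0600 accepted:", demo_permission_check())
```

The hash record can be published without revealing the password; the obfuscated config value cannot, because the key that undoes it must be readable by the same user that reads the config. That is why the useful control is the mode check, not the storage format.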
#7, 05-02-2006, 05:01 AM
LQ Guru (Original Poster); Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu; Posts: 9,211
Yeah - this is an egg--->face situation. Probably the 2am effect coupled with the bullhorns of Jamesons downed to cut the phlegm that night. That's my excuse and I'm sticking to it.
To get that wvdial password outathere I need the password=ask option that SUSE added. Then when wvdial receives a password request, I gotta type it in.
Even if the ISP used public/private key encryption - so I send an encrypted password - wvdial would have to have the hash in the password= line anyway ... it doesn't matter that nobody knows the password because it is the hash that counts.
Pass the whiskey.