Re: Password file

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Tue, 6 Jul 1999 10:27:52 -1000 (HST)

Kunal H. Parikh writes:
> Hi !
>
> The moment I start using /etc/passwd, it'll start giving users access to
> POP / telnet / FTP facilities on the server.
>
> And extra smart people would try hacking and stuff !!!
[...]
> On Thu, 1 Jul 1999, Steven Fletcher wrote:
> > On Thu, 1 Jul 1999 18:42:58 +0530 (IST), you wrote:
> >
> > >I am using /etc/password to authenticate users on my system.
> > >
> > >This is a major security risk.
> >
> > Why? /etc/master.password and the spwd.db are the ones that need
> > worrying about, and they can't be read by normal users anyway.

IMHO when people write about "using /etc/password", usually that either
means their system doesn't implement shadow passwords, or it's a
shorthand for "using /etc/password together with the standard system
calls to authenticate user passwords against the shadow password
database." (Otherwise, they're not authenticating via passwords at
all...)

> > Please explain why it's a security risk in your opinion.

It's not the same level of vulnerability as exposing an encrypted
password file to crack attempts, but still significant:

Web servers don't normally provide rate-limiting code on password
attempts, unlike telnet/ssh/FTP logins. This allows impersonation of a
browser to hammer on the web server via brute-force and (e.g.) try out
all 3-letter passwords for a set of known usernames. (This is bad if
successful, and still an effective denial-of-service if unsuccessful.)
 
Another issue is that using the main user password file makes the
break-in more valuable. If it gives access not only to the web proxy,
but to FTP/telnet/etc. then a cracked password is more valuable to a
cracker as providing a temporary warez trading point, a less-traceable
staging ground for attacks on other systems, a foothold inside a
network firewall, etc. By reducing the payoff for success, you make
break-in attempts much less likely.

In general, it's better to use a totally separate set of passwords for
web-based authentication, just in principle.

HTH

> > try the Kerberos/YP domain auth systems instead.

Kerberos is good.

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
        "An absolute monarch would be absolutely wise and good.  
           But no man is strong enough to have no interest.  
             Therefore the best king would be Pure Chance.  
              It is Pure Chance that rules the Universe; 
          therefore, and only therefore, life is good." - AC
Received on Tue Jul 06 1999 - 14:15:09 MDT
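The two recommendations in the message above, a credential store kept apart from /etc/passwd and failed-attempt throttling that a bare web server does not provide, written out as an added example. This is not code from the original thread, from Squid or from any real web server; the class and function names, the thresholds, the 8-letter alphabet and the sample user "kunal" with the 3-letter password "hdb" are all assumptions made for the demonstration.

```python
# Added example (not from the original thread or any real proxy/web server):
# a web-only credential store plus failed-attempt throttling in front of it.
# All names, thresholds and the sample user/password below are assumptions.
import hashlib
import hmac
import itertools
import os
import time
from collections import defaultdict

PBKDF2_ROUNDS = 2_000  # assumed demo value; use a much higher count in production


class WebCredentialStore:
    """Password file that is NOT /etc/passwd: a cracked entry only buys the
    web service, not POP/telnet/FTP on the same box."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(password, salt))

    def verify(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            self._digest(password, b"\x00" * 16)  # same cost, so timing does not reveal valid names
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._digest(password, salt))


class ThrottledAuthenticator:
    """The failed-attempt accounting telnet/ssh/FTP daemons do and a bare web
    server does not: after max_failures consecutive misses on a username or a
    source address, further attempts are refused for an exponentially growing
    back-off without even touching the password store."""

    def __init__(self, store, max_failures=5, base_delay=1.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.store = store
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so a test does not have to sleep
        self._failures = defaultdict(int)
        self._locked_until = defaultdict(float)

    @staticmethod
    def _keys(username, source_ip):
        return (("user", username), ("ip", source_ip))

    def login(self, username, password, source_ip):
        now = self.clock()
        keys = self._keys(username, source_ip)
        if any(now < self._locked_until[k] for k in keys):
            return "locked"
        if self.store.verify(username, password):
            for k in keys:
                self._failures[k] = 0
            return "ok"
        for k in keys:
            self._failures[k] += 1
            excess = self._failures[k] - self.max_failures
            if excess >= 0:  # 1s, 2s, 4s, ... capped at max_delay
                self._locked_until[k] = now + min(self.base_delay * 2 ** excess, self.max_delay)
        return "denied"


def brute_force(login, username, alphabet, length, source_ip):
    """Walk every password of the given length, as a scripted 'browser' would.
    Returns (password found or None, attempts made)."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(combo)
        result = login(username, guess, source_ip)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo():
    """Constructed scenario: a 3-letter password over an 8-letter alphabet
    (512 candidates) so the whole run finishes in well under a second."""
    store = WebCredentialStore()
    store.add_user("kunal", "hdb")
    alphabet = "abcdefgh"
    attacker, victim = "203.0.113.7", "198.51.100.4"

    def bare(u, p, ip):  # no throttling: the attacker simply enumerates the space
        return "ok" if store.verify(u, p) else "denied"

    found, n_bare = brute_force(bare, "kunal", alphabet, 3, attacker)

    clock = [0.0]  # with throttling: refused after max_failures, long before the space is searched
    auth = ThrottledAuthenticator(store, max_failures=5, clock=lambda: clock[0])
    blocked, n_throttled = brute_force(auth.login, "kunal", alphabet, 3, attacker)

    clock[0] = 0.5  # while the lock is in force the real user is refused too, even from another address
    during_lock = auth.login("kunal", "hdb", victim)
    clock[0] = 2.0  # and gets back in once the back-off has elapsed
    after_lock = auth.login("kunal", "hdb", victim)

    return {"found": found, "bare_attempts": n_bare,
            "blocked": blocked, "throttled_attempts": n_throttled,
            "during_lock": during_lock, "after_lock": after_lock}


if __name__ == "__main__":
    print(demo())
```

The unthrottled path finds the password after walking most of the space; the throttled path is refused on the sixth attempt and never sees the rest. The `during_lock` result is the trade-off the message hints at: a per-account lockout turns a failed brute-force into a denial of service against that account, while a per-address throttle alone is sidestepped by spreading guesses over many sources, which is why the example keys on both and keeps the back-off short and exponential rather than a hard lock. The store being separate from the system password database is what keeps a cracked web password from also opening FTP, telnet or POP.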