On Fri, Jul 12, 2002 at 09:32:29PM +0200, mja@skynet.be wrote:
By exploring the linux source code, can one find the algorithm to decode passwords in /etc/shadow or is it a one-way-algorithm?
It is a one-way algorithm - you can work out if a password you have matches the encrypted version, but you can't use the encrypted version to deduce the password. However, once you have the encrypted version, you can use brute force attack (try random attempts until you find one that works), maybe on another machine.
Is there a way of authenticating users via the network and not via the local machine?
Yes. NIS/NIS+ can be used for this.
And in that case, is it possible to authenticate root via the network (guess not since the startup process is done with the root permissions)?
Possibly. However, this is a *bad* idea - simply replace the machine that is providing the root authentication (just switch the network cable), and you can break into the box with ease. A better idea would be to distribute the root password between machines using ssh/scp, with suitable scripting.
And what about machines that must be able to work without a connection, like portables? Does this rescue-disk work with any version of linux or is it specific for a distribution/kernel-version?
Most rescue disks are distribution-independent - they just allow you to boot a basic Linux system, and mount the filesystems on disk - the ext2/ext3/ReiserFS filesystems are standard to Linux (or possibly even *nix), not just a distribution.
I guess you should do the maximum to prevent people from booting from any other medium than the hard disk and use different root password on each machine? I read somewhere that most security attacks come from within the organisation...
Yes. Disable floppy booting in the BIOS, and password-protect the BIOS. If possible, disconnect/remove the floppy drive. Set a LILO boot password. Prevent people from turning the machine off. Disable Ctrl-Alt-Del. Until you remove physical access to the machine, you will not be able to prevent access to the data on the disk - the user could just remove the HDD and plug it into another machine. Alternatively, you could use encrypted filesystems, although there may be a problem with putting /etc/passwd and/or /etc/shadow on an encrypted FS. -- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England