From: Matthew Seaman
To: Rhys John
Cc: freebsd-questions@freebsd.org
Date: Thu, 18 Dec 2003 12:21:00 +0000
Subject: Re: master.passwd -- securing

On Thu, Dec 18, 2003 at 11:28:36AM
+0000, Rhys John wrote:
> I've been playing with "vipw" trying to change passwords into "*" for a
> slightly higher level of security but ran into some very big problems. From
> reading through the FreeBSD handbook it seemed all I had to do was replace
> the encrypted password with *, which is what I did. I thought it seemed a
> bit odd but continued anyway. Foolishly (although I was quite tired) I did
> this to both my user account and root. So they both had * as their password
> and looked the same as every other entry in the file. I saved it and "vipw"
> updated the database so I thought all was well and logged off to check...
> big mistake! The net result of this was not good, I couldn't access my user
> account or root :( Anyway I had to cut the power to my PC since I couldn't
> shut it down because I was locked out. After that I went into single user
> mode and changed the passwords back and it's working now but I can't hide the
> passwords. So I guess after all this rambling my question is how do I
> secure the password file? How do I change from the encrypted password to *
> without screwing over my system? Any help would be much appreciated

You can't do that. You need the password hash in /etc/master.passwd
if you want people to be able to log in via the console. You should
have at least the root account and your own user account in the local
/etc/master.passwd file with valid passwords, or you can find yourself
in a whole heap of trouble when things go wrong.

There are some circumstances in which you can remove some password
hashes from the master.passwd file, however these are unlikely to be
relevant to home users. If you're using a network-wide user database
-- either NIS or LDAP -- then it can supply password hashes from its
own database. (Note that this is probably less secure than a local
passwd file in terms of preventing unauthorized access to the password
DB).
You can also take the password hashes out for users that only
have access to the system by ssh(1) -- in that case you can use
ssh-keys to authenticate the user -- and I think you can do similar
things with a fully Kerberized setup. However, you still need local
accounts you can guarantee to log into directly on each machine, as
any of those other services may fail to work.

Having password hashes in the /etc/master.passwd file is not a huge
security risk. So long as you make sure that /etc/master.passwd is
readable only by root (which is the default), and that no-one can
steal the file (which boils down to making sure no-one can steal your
backup tapes and making sure that you keep up to date with security
advisories. Remember that there will be extra copies of master.passwd
in /var/backups/ which need an equal level of protection) or if anyone
does get hold of the master.passwd file that they can't decode the
password hashes (which means using MD5 rather than DES password
hashes, and making sure that users choose passwords which aren't easy
to guess).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
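
The checks the reply describes (a usable local hash for root, MD5 rather than DES hashes, a file readable only by its owner), as an added example that is not part of the original message. The function names and the sample records, including the hash strings, are constructed for illustration.

```sh
#!/bin/sh
# Added example. master.passwd(5) records have 10 colon-separated fields;
# field 2 is the password hash.

# Print "user:kind" per record: md5, des, nologin, empty or other.
classify_hashes() {
    awk -F: '
        /^#/ || NF < 10 { next }                       # comments, malformed lines
        $2 == ""        { print $1 ":empty";   next }
        $2 ~ /^\*/      { print $1 ":nologin"; next }  # "*" : no password login
        $2 ~ /^\$1\$/   { print $1 ":md5";     next }  # MD5 crypt
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1 ":des"; next }
                        { print $1 ":other" }
    ' "$1"
}

# Succeed only if USER ($2) has a hash usable for console login in FILE ($1).
has_local_login() {
    classify_hashes "$1" | awk -F: -v u="$2" '
        $1 == u && $2 != "nologin" && $2 != "empty" { ok = 1 }
        END { exit !ok }'
}

# Succeed only if FILE grants no permissions to group or other.
root_only_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample records; the hash strings are fake placeholders.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$1$constrct$NotARealHashValue00000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:abJnotrealhsh:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob (ssh keys only):/home/bob:/bin/sh
EOF

classify_hashes "$SAMPLE"
has_local_login "$SAMPLE" root || echo "WARNING: root cannot log in locally"
classify_hashes "$SAMPLE" | grep ':des$' | sed 's/:des$/: DES hash, move to MD5/'
root_only_mode "$SAMPLE" || echo "WARNING: file is accessible to group/other"
```

On a real system the same functions can be pointed, as root, at /etc/master.passwd and at the copies under /var/backups/.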