master.passwd -- securing

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Dec 18 04:21:44 PST 2003


On Thu, Dec 18, 2003 at 11:28:36AM +0000, Rhys John wrote:
> I've been playing with "vipw" trying to change passwords into "*" for a 
> slightly higher level of security but ran into some very big problems. From 
> reading through the FreeBSD handbook it seemed all I had to do was replace 
> the encrypted password with *, which is what I did. I thought it seemed a 
> bit odd but continued anyway. Foolishly (although I was quite tired) I did 
> this to both my user account and root. So they both had * as their password 
> and looked the same as every other entry in the file. I saved it and "vipw" 
> updated the database so I thought all was well and logged off to check... 
> big mistake! The net result of this was not good, I couldn't access my user 
> account or root :( Anyway I had to cut the power to my PC since I couldn't 
> shut it down because I was locked out. After that I went into single user 
> mode and changed the passwords back and it's working now but I can't hide the 
> passwords. So I guess after all this rambling my question is how do I 
> secure the password file? How do I change from the encrypted password to * 
> without screwing over my system? Any help would be much appreciated

You can't do that.  You need the password hash in /etc/master.passwd
if you want people to be able to log in via the console.  You should
have at least the root account and your own user account in the local
/etc/master.passwd file with valid passwords, or you can find yourself
in a whole heap of trouble when things go wrong.

There are some circumstances in which you can remove some password
hashes from the master.passwd file, however these are unlikely to be
relevant to home users. If you're using a network-wide user database
-- either NIS or LDAP -- then it can supply password hashes from its
own database. (Note that this is probably less secure than a local
passwd file in terms of preventing unauthorized access to the password
DB).  You can also take the password hashes out for users that only
have access to the system by ssh(1) -- in that case you can use
ssh-keys to authenticate the user -- and I think you can do similar
things with a fully Kerberized setup.  However, you still need local
accounts you can guarantee to log into directly on each machine, as
any of those other services may fail to work.

Having password hashes in the /etc/master.passwd file is not a huge
security risk.  So long as you make sure that /etc/master.passwd is
readable only by root (which is the default), and that no-one can
steal the file (which boils down to making sure no-one can steal your
backup tapes and making sure that you keep up to date with security
advisories.  Remember that there will be extra copies of master.passwd
in /var/backups/ which need an equal level of protection) or if anyone
does get hold of the master.passwd file that they can't decode the
password hashes (which means using MD5 rather than DES password
hashes, and making sure that users choose passwords which aren't easy
to guess).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
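
The checks the reply above describes (a usable local hash for root and your own account, MD5 rather than DES hashes, a file only root can read), as an added Python example that is not part of the original message. The function names are hypothetical and the sample entries are constructed, not real hashes.

```python
import os
import re
import stat

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt(3)

def classify(pw_field):
    """Classify the password field of one master.passwd entry."""
    if pw_field == "":
        return "empty"          # account needs no password at all
    if pw_field.startswith("*"):
        return "disabled"       # "*" or "*LOCKED*...": no password login
    if pw_field.startswith("$1$"):
        return "md5"
    if pw_field.startswith("$"):
        return "other-modular"  # e.g. $2a$ Blowfish
    if pw_field.startswith("_") or DES_RE.match(pw_field):
        return "des"            # extended ("_") or traditional DES
    return "unknown"

def audit(text, must_login=("root",)):
    """Return (account, finding) pairs for master.passwd-format text."""
    findings, seen = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:   # name:pw:uid:gid:class:change:expire:gecos:home:shell
            findings.append((fields[0], "malformed entry"))
            continue
        seen[fields[0]] = kind = classify(fields[1])
        if kind == "des":
            findings.append((fields[0], "DES hash, switch to MD5"))
        elif kind == "empty":
            findings.append((fields[0], "empty password field"))
    for name in must_login:     # accounts that must work at the console
        if seen.get(name) in (None, "disabled"):
            findings.append((name, "no valid local password hash"))
    return findings

def readable_by_others(path):
    """True if group or other has any access to the file (want mode 0600)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample: root has been "starred out" as in the question.
SAMPLE = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
rhys:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::0:0:Rhys:/home/rhys:/bin/sh
old:abCDEFGHIJKLM:1002:1002::0:0:Old account:/home/old:/bin/sh
"""
```

Calling audit(SAMPLE, must_login=("root", "rhys")) reports the DES entry and the starred-out root account; readable_by_others() can be pointed at /etc/master.passwd and at the copies under /var/backups/.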