/etc/shadow

Doug Gwyn gwyn at smoke.BRL.MIL
Sat Nov 12 16:27:07 AEST 1988


In article <2189 at cuuxb.ATT.COM> dlm at cuuxb.UUCP (Dennis L. Mumaugh) writes:
>The documentation is scattered in the Release Notes for System V
>Release 3.2.

Thanks for posting the information.  It is sites that DON'T HAVE
SVR3.2 that are most in need of this information.

>If there is no entry in
>/etc/shadow we accept the /etc/passwd as gospel [in case someone
>forgot to run /usr/lib/pwconv after adding a user.]

That seems like a mistake.  Far better to detect this omission
when the new user first tries to log in than to gradually accumulate
security holes.

It also seems that the following are missing:

	"pwvalid" utility (necessarily privileged) to SLOWLY
	check a (user,password) pair for validity.  Since it is
	insecure to pass this information as command-line
	arguments, they should be read from standard input
	(typically via a pipe connection).  Obviously the exit
	status would be 0 if and only if the pair checks out ok.
	(The temptation to also log failures should be resisted!)
	A two-second delay should be acceptably slow.

	"int pwvalid(const char *user, const char *password)"
	C library function that simply opens a pipe to the above
	utility and returns true only when the arguments
	constitute a valid pair.

In the above, probably it would be safest to use the encrypted form
of a trial password instead of plaintext.  It bothers me that some
network protocols send unencrypted passwords over the network.

All password-checking programs should use these interfaces to validate
passwords.  ("passwd" can use them for part of its job, but it also
has to update the shadow file.  So far as I know no other program
needs to write (encrypted) passwords in such a way that it couldn't use
"passwd" to do this for it.)
