UNIX security and passwords
Kurt Zeilenga
kurt at pprg.unm.edu
Wed Jan 4 05:12:43 AEST 1989
I've been following this discussion with some amazement. I've
been managing computers for about eight years and have seen
hundreds of security incidents first hand. Of them, I can
only remember one or two that actually tried to use a program
to guess passwords. Hell, if I was going to break into a
computer I sure would waste my time trying to crack passwords.
Here is my list of methods I would try first:
Open doors left by system admins
    blank or hosed lines in password files
    write permissions
        /,/etc
        /etc/passwd
        /etc/group
        /bin/su
        dotfiles in / or sys admin's home
    existence of a .rhosts/.netrc in / or sys admin's home
    existence of /etc/hosts.equiv
    readable devices
    SUID programs (often breakable)
Known passwords (note: these are not guessed)
Trojan Horses
    fake getty's, etc.
Insecure protocols, network agents
    RPC
    NFS
    UUCP
    FTP, SENDMAIL, FINGER
    X or NeWS
Insecure network media
    Cleartext password grabbing (even more effective
    if you know how to abuse ARP and ICMP)
(I am sure I missed many ways, these were just off the top of my head).
So, I kind of agree with Barry. P(crack password) * P(crack shadowfile)
is very close to P(crack password). However, I would much rather see all
this effort going into solving some of the basic issues. Anyways, I
am glad to see security becoming a real issue.
Until we educate our SYSTEM ADMINS what the hell is the point of
educating our USERS!
- Kurt
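
The "open doors" items in the list above can be checked mechanically by an administrator. The following audit sketch is an added example, not part of the original post: the function names, the choice to flag group-writable as well as world-writable paths, and the sample passwd content are assumptions made for illustration.

```python
import os
import stat

# Paths the post lists under "write permissions", relative to the audited root.
WRITE_CHECK = ["", "etc", "etc/passwd", "etc/group", "bin/su"]
# Trust files whose mere existence the post flags (checked in / only here).
TRUST_FILES = [".rhosts", ".netrc", "etc/hosts.equiv"]


def audit_passwd(text):
    """Return (line number, finding) for blank or malformed passwd lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if not line.strip():
            findings.append((n, "blank line"))
        elif len(fields) != 7:
            findings.append((n, "malformed line (%d fields)" % len(fields)))
        elif fields[0] == "":
            findings.append((n, "empty login name"))
        elif fields[1] == "":
            findings.append((n, "empty password field for %s" % fields[0]))
    return findings


def audit_tree(root):
    """Return (path, finding) for loosely writable paths and trust files."""
    findings = []
    for rel in WRITE_CHECK:
        path = os.path.join(root, rel)
        if os.path.exists(path):
            # Assumption: group write is flagged as well as world write.
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("/" + rel, "writable by group or other"))
    for rel in TRUST_FILES:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(("/" + rel, "trust file present"))
    return findings


# Constructed sample passwd content, not taken from any real system.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n\n"
                 "guest::100:100::/home/guest:/bin/sh\nbroken:x:101\n")

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd line %d: %s" % finding)
    for finding in audit_tree("/"):
        print("%s: %s" % finding)
```

Passing a directory other than `/` to `audit_tree` audits a mounted image or backup copy instead of the live system.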
More information about the Comp.unix.wizards
mailing list