Newsgroups: comp.os.minix
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!solace!nntp.uio.no!news.nacamar.de!fu-berlin.de!news.mathworks.com!howland.erols.net!surfnet.nl!newshost.vu.nl!cs.vu.nl!kjb
From: kjb@cs.vu.nl (Kees J Bot)
Subject: Re: Minix bug?
Nntp-Posting-Host: hornet.cs.vu.nl
References: <E015vG.M0x@cs.vu.nl> <557phg$91t@newsbf02.news.aol.com>
Sender: news@cs.vu.nl
Organization: Fac. Wiskunde & Informatica, VU, Amsterdam
Date: Thu, 31 Oct 1996 09:08:01 GMT
Message-ID: <E04upE.95q@cs.vu.nl>
Lines: 35

wdwuss@aol.com (WD Wuss) writes:

>You make a very good point, however, consider a user program which
>encrypts words from the dictionary using the crypt(3) call and passes them
>off to pwdauth for checking against shadow password of the user whose
>password you wish to attempt to guess. This would be a rather simple
>program to write and would effectively defeat the purpose of the shadow
>password file altogether. The only thing users would not be able to do
>would be take the password off the system and crack it elsewhere.

This point is important.  A cracker is forced to crack the password on
the Minix system itself, using the Minix interface to check passwords,
an interface so slow that checking a simple dictionary takes forever.

>Plus, they can do this using the login program anyway.

Yes, setting up an rlogin session to check one password is comparable in
speed to calling crypt() on the machine itself.  Note the last four
words, you have to be on the machine *already* to check passwords
with the pwdauth program.  What system administrators are afraid of is
their password file being abducted and cracked on a remote machine.

>So all in all, this "security issue"
>is moderate at best, and it does remove a certain level of convenience to
>clear the setuid bit on /usr/lib/pwdauth, but still, no one has ever been
>burned by staying too far away from the fire.

Well, I could change pwdauth to only allow a caller to check their own
password unless the caller is root, but I'm not paranoid enough to judge
that necessary.  (Being part of cs.vu.nl's system administration has
made me pretty paranoid already.)
--
long:  http://www.cs.vu.nl/~ast/minix.html         Kees J. Bot  (kjb@cs.vu.nl)
short: http://www.cs.vu.nl/ftp/minix/README.html        Systems Programmer
ftp:   ftp://ftp.cs.vu.nl/pub/minix/		   Vrije Universiteit Amsterdam
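
The restriction Kees Bot floats above (pwdauth only verifies the caller's own password unless the caller is root) as an added, stand-alone example; this is not Minix's pwdauth code, the account table is constructed, and `pwdauth_may_check` and `lookup_uid` are hypothetical names:

```c
/* Added example: an ownership gate for a setuid password checker.
 * Not Minix code; the account table below is constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

struct account { const char *name; uid_t uid; };

/* Constructed stand-in for the passwd lookup a real pwdauth would do. */
static const struct account accounts[] = {
    { "root", 0 }, { "kjb", 1001 }, { "wuss", 1002 },
};

/* Map a login name to a uid; -1 if the name is unknown. */
static long lookup_uid(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0) return (long)accounts[i].uid;
    return -1;
}

/* May this caller ask for `user`'s password to be verified?
 * The caller is identified by its REAL uid: a setuid-root pwdauth has an
 * effective uid of 0 no matter who ran it, so geteuid() says nothing about
 * the invoker. An unknown name gets the same answer as another user's name,
 * so the gate itself does not reveal which accounts exist. */
int pwdauth_may_check(uid_t caller_real_uid, const char *user) {
    long target = lookup_uid(user);
    if (target < 0) return 0;                 /* no such account: refuse */
    if (caller_real_uid == 0) return 1;       /* root may check anyone */
    return (uid_t)target == caller_real_uid;  /* others: only themselves */
}

int main(void) {
    const char *who = "kjb";
    printf("real uid %ld may%s check %s\n", (long)getuid(),
           pwdauth_may_check(getuid(), who) ? "" : " not", who);
    return 0;
}
```

With this gate in place, a dictionary run through pwdauth can only ever test the attacker's own account, which is the case the quoted post worries about.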
