|
Hardening Linux authentication and user identity
|
 |
 |
 |
|
Contributed by Chad Brandt
|
|
|
|
Thursday, 23 September 2004
PAM is an authentication mechanism that originated on Solaris, but is used on various systems, including Linux. The Linux PAM implementation allows a system administrator to choose how users authenticate to various services.New modules can be added by an administrator at any time, offering overall flexibility in how authentication happens.
Use Pluggable Authentication Modules (PAM) to provide flexible authentication
Traditionally, Linux and other Unix-like systems simply authenticated users against an entry in the file /etc/passwd. Everyone had read-only access to the password file, and the encrypted passwords were available to anyone with access to the system. This simple design made password files vulnerable to "dictionary attacks," an attack where the attacker would encrypt common words and compare his encrypted words with what was in the password file. If a match was found, the attacker then would know the password. As a countermeasure, Linux and other Unix-like systems changed from the standard password file to a "shadow" password file, where passwords were moved out of the traditional /etc/passwd file into a different file (typically /etc/shadow). Since the /etc/passwd file needs to be readable by any user on the system, moving sensitive password hashes out of the world-readable file limited the availability of the hashes to the root user only.
Read Full Story Only registered users can write comments.
Please login or register. Powered by AkoComment 1.0 beta 2! |
Home 
