Quick security question

Dave Hull dphull at gmail.com
Mon Feb 19 20:57:17 CST 2007


Good point, some systems are configured to keep password histories. On
my default RHEL install, there is no such file. In fact, I don't think
I've used any version of Linux that was configured this way. There's
probably some PAM configuration that will keep password histories, but
by default, I don't know of a Linux distro that does.

The passwd program does compare the current password that the user
gives when she runs the passwd program against the user's newly
entered password. A look through the source of the passwd program
confirms this.

It's interesting that the passwd program, when run as a normal user on
RHEL (I assume other distros too), prompts for the user's "UNIX"
password.

On 2/19/07, Phil Thayer <phil.thayer at vitalsite.com> wrote:
> Typically in OS's that check that passwords are not similar to
> previously used passwords there is a password history file that contains
> old passwords in an encrypted form (not one-way) that can be compared
> against what is entered.  Find the password history file, blow it away
> and create a new one with the touch command and you will have no
> password history.
>
> Phil
>
> > -----Original Message-----
> > From: kclug-bounces at kclug.org
> > [mailto:kclug-bounces at kclug.org] On Behalf Of Dave Hull
> > Sent: Saturday, February 17, 2007 9:33 PM
> > To: cragos at gmail.com
> > Cc: kclug at kclug.org
> > Subject: Re: Quick security question
> >
> > Interesting question.
> >
> > Mathematically, the hashes of "testpass" and "tespass" are very
> > different, so obviously the passwd program isn't comparing hashes.
> > What is it comparing?
> >
> > When a user runs the passwd program, they are prompted for their old
> > password and the password program stores that value, then the user is
> > prompted for a new password and the new value is compared to the old
> > value. The hashes themselves are not being compared.
> >
> > When root runs the passwd program, it doesn't prompt for the old
> > password value so there's no comparison.
> >
> > On 2/17/07, cragos at gmail.com <cragos at gmail.com> wrote:
> > > Can someone more familiar than I with the math behind one-way hashes
> > > explain how a hashed string is compared with a string in plaintext?  I
> > > had a typo in the text I fed to passwd, and, when I went back in to
> > > fix the typo, I got an error message that read: "BAD PASSWORD: is too
> > > similar to the old one"
> > >
> > > Of course, that was easy enough to override as root, but it raises an
> > > interesting question.  Anyone game to explain the math behind how it
> > > was able to tell?
> > >
> > > Thanks,
> > > Sean
> > > _______________________________________________
> > > Kclug mailing list
> > > Kclug at kclug.org
> > > http://kclug.org/mailman/listinfo/kclug
> > >
> >
> >
> > --
> > Dave Hull
> >
>


-- 
Dave Hull
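Added illustration of the point made in this thread (example code written for this page, not code from passwd, PAM or any poster): passwd holds the old password in plaintext because it just prompted for it, so it can compare plaintext against plaintext, while the one-way hashes of "testpass" and "tespass" share nothing useful. The edit-distance threshold used here is an assumption chosen for illustration; the exact similarity rule of a given PAM module may differ, and the hash function is a stand-in for the salted password hash a real system stores.

```python
"""Why passwd can say "is too similar to the old one" without comparing hashes.

Added example for illustration only. Assumptions: similarity is judged by a
Levenshtein (edit-distance) threshold `difok`, and SHA-256 stands in for the
one-way password hash kept in /etc/shadow.
"""
import hashlib


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old_plain: str, new_plain: str, difok: int = 5) -> bool:
    """Plaintext-vs-plaintext check: True if fewer than `difok` edits separate them.

    This is only possible because the caller (like passwd) still has the old
    password in memory from the "(current) UNIX password:" prompt. The stored
    hash alone could never answer this question.
    """
    return edit_distance(old_plain, new_plain) < difok


def password_hash(pw: str) -> str:
    """Stand-in for the one-way hash on disk (assumption: SHA-256, unsalted)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_change(old_plain: str, new_plain: str, difok: int = 5) -> str:
    """Mimic the decision passwd makes after prompting for old and new passwords."""
    if too_similar(old_plain, new_plain, difok):
        return "BAD PASSWORD: is too similar to the old one"
    return "ok"


if __name__ == "__main__":
    old, new = "testpass", "tespass"        # constructed sample input from the thread
    print(edit_distance(old, new))          # 1 edit apart
    print(check_change(old, new))           # rejected, as in the original question
    print(password_hash(old) == password_hash(new))  # False: hashes tell you nothing
```

Running as root skips the old-password prompt, so the plaintext needed for this comparison is never available and, as noted above, no similarity check happens.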

