Date: Mon, 16 Nov 1998 11:06:56 -0500 (EST) From: Thomas Valentino Crimi <tcrimi+@andrew.cmu.edu> To: Terry Lambert <tlambert@primenet.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Would this make FreeBSD more secure? Message-ID: <0qI4qUS00YUq09JbU0@andrew.cmu.edu> In-Reply-To: <19981116073914.F969@internal> References: <199811151758.JAA15108@apollo.backplane.com> <199811152257.PAA02868@usr05.primenet.com> <19981116073914.F969@internal>
next in thread | previous in thread | raw e-mail | index | archive | help
Excerpts from FreeBSD-Security: 16-Nov-98 Re: Would this make FreeBSD.. by Andre Albsmeier@mchp.sie > > There are several holes in the theory. The number one hole is > > that if I'm trusting you to read the engrpted passwords, I'm > > trusting you to not run "crack" (or whatever) against the > > password file. Basically, DES is insecure enough tese days that > > if I trust you with read access, I'm effectively trusting you > > with the root password (if you had access to the EFF hardware, > > you could obtain root in less than an hour). Let's not forget that without cracking the password of a 'wheel' member, su is still not going to let them in. If you have no wheel members (ie, you only allow root access from console) all the password cracking in the world isn't going to give them root. (of course, with a whole lot password cracking they'll have the password to every account on your box). Forcing them to crack 2 passwords, assuming they can properly manipulate the sgid program to spitting out the master.password file seems to be an improvement to me. Don't buffer overruns generally show up as sig-11 core dumps? Meaning that if we assume the EFF 8 hours in cracking the two passwords needed to obtain root, that's 8 hours more than the 2 seconds the admin originally had to take action. And then we have md5 passwords, arguably broken, now, but orders of magnitudes better than DES. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0qI4qUS00YUq09JbU0>