Linux.com

Home Linux Community Forums Programming and Development Kernel Development What Linus actually did and how safe the passwords are in Linux KERNEL?

What Linus actually did and how safe the passwords are in Linux KERNEL?

Link to this post 27 Jan 12

Linux allows a number of methods for password management. The default is local one-way salted hash using a 56-bit DES encryption. There are also other methods, such as NIS and LDAP single sign-on methods, that can be swapped in so that when you create a user on Linux, you are also authenticated for other systems, as well as for Windows. The default Linux "useradd" system command will use the appropriate method that your system is configured for, so your admin can always use the same commands to create new user accounts, and be sure that it will "do the right thing". Of course, the default local account won't allow you access to other systems in your network, and that is the entire point of "single sign-on" methods, because we are all connected to networks of computers these days, and often need to access different systems to do different jobs, and don't REALLY want to remember a bunch of different user ID's and passwords, do we? :-) My company has a single sign-on configuration, so my assigned user ID and password work with ANY system that I am authorized to access, be they Windows, Linux, or other, and we have over 100,000 employees! So, in my job, I can access ANY authorized company system with just one user ID and password. Of course, we have test systems/networks that I access which are not connected to the single sign-on infrastructure, so we have to use different user IDs and passwords for those, but that is the exception, rather than the rule.

Link to this post 27 Jan 12

1- Hardware - linux kernel (core of the OS) - OS - Applications
2- Again: the kernel has nothing to do with managing passwords. It's the OS (or an app) that deals with it.

@Rubberman: *NO*, there's no DES encryption by default in any system (for password management that is). DES is really easy to break and, besides, passwords should be managed by *hash* algorthyms (not encryption).

NIS vs LDAP vs local use the same method: hashed passwords (usually salted)

The way you "consult" the information is different though ;)

Regards

Link to this post 27 Jan 12

Actually Marc, I'm not 100% positive about Linux, but the standard password encryption for Unix was 56-bit DES using a salt value as a random seed. I know, because I had to port that stuff to multiple operating systems. The last time I had to do that was in the early 90's - back in the late Jurassic era of modern computing... :-) Ok. Back in 1995 when I had to port some software that had to generate those hashes to the Dec Alpha processor systems running True64 Unix.

Link to this post 27 Jan 12

And if you are interested, I can send you the source code.

Link to this post 27 Jan 12

If we are talking about what's in /etc/passwd or /etc/shadow I doubt UNIX has ever used DES (which is encription)

You must be refering to md5 (which is a hash mechanism)

Anyway, MD5 has been declared insecure as well (that means it's easily breakable). Most systems come out of the box with salted SHA512 functions for storing passwords

As an example, from my running machine:

cat /etc/pam.d/passwd
#%PAM-1.0
password required pam_unix.so sha512 shadow nullok

Link to this post 27 Jan 12

I refer to what's in /etc/shadow. I'm at work right now, but I will look up the code this weekend and show you that it DOES use DES-56 to create the encrypted password. At the time, we even had to get DOC approval to export the code outside of the USA, which was kind of useless as everyone and their dog already had the DES-56 sources.

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board