Weekly Edition
Return to the Security page
| |||||||||||||
Shadow hardeningThe shadow password mechanism was introduced to provide increased security over the early Unix practice of stored salted-and-hashed passwords in /etc/passwd — but that fact by no means makes it perfect. The Openwall security-hardened Linux distribution (better known as Owl) offers its own alternative called tcb, built around per-user directories and Blowfish encryption. Recently developer Paweł Hajdan unveiled a similar project of his own, which utilizes several of tcb's improvements, but supplies them in what Hajdan hopes is an easier-to-manage design. Originally, /etc/passwd contained a hashed version of each account's password. The file itself was readable by any user, which enabled features like looking up usernames by their UIDs, and other tricks unrelated to the passwords themselves. The trouble was that attackers could calculate hashes offline then compare their results against /etc/passwd looking for matches. Shadow shuts down that attack vector by separating the hashed password information into a separate file that is readable only by trusted processes. In a sense, both tcb and hardened-shadow take that same approach: separating unrelated information further to reduce the potency of attacks. Taking care of passwordsOpenwall's tcb mechanism stores salted-and-hashed passwords in a directory of its own, /etc/tcb/, beneath which there is a separate directory for each user. Each user's directory is owned by that user account, and contains their own private shadow file (e.g., /etc/tcb/linus/shadow) also owned by the user. Both the per-user directory and its contents are in the auth group with the SGID bit set for the directory, which provides for additional password policy enforcement. Namely, the system can grant a process read-only access to password hashes and the password-changing tools use each user's private directory as scratch space for the temporary and lock files required during the process. Openwall maintains that this set-up eliminates the need for SUID-root binaries altogether. Apart from the system password-changing utilities, most application programs access shadow password hashes through either Pluggable Authentication Modules (PAM) or the Name Service Switch (NSS) facility. Tcb provides a custom PAM module named pam_tcb and a corresponding NSS module named libnss_tcb that supersede their /etc/shadow-based alternatives, such as the pam_unix module. As a result, migrating from a shadow system to tcb should be completely transparent to other applications. Openwall provides its own patched suite of shadow utilities (including login, useradd, chpasswd, newgrp, and so on) patched to support /etc/shadow in addition to /etc/tcb/*/shadow (configurable via a switch in /etc/login.defs), as well as utilities to convert from shadow to tcb and vice-versa. But Owl's tcb scheme also involves a change to Glibc, so that the crypt(3) function uses the Blowfish cipher. The existing Glibc crypt() offers MD5, SHA-256, and SHA-512 encryption methods. The tcb version patches in Blowfish support that is "mostly compatible" with OpenBSD's bcrypt. The principle advantage is that Blowfish can be configured to use as many set-up rounds as desired when generating the hash; thus administrators can increase the number of rounds over time to make attacks more and more computationally expensive as processor power increases. Hardened-shadowHajdan calls his package hardened-shadow, which he says is inspired directly by tcb. In a March 14 post to the owl-dev list, Hajdan asks for feedback from people interested in the project as well as help performing a security audit of the code. Hardened-shadow is a reimplementation of the shadow utilities based on the original upstream sources, but supporting a somewhat tcb-like layout. The system uses /etc/hardened-shadow/, with a separate directory for each user account. But while tcb only stores a single shadow file for each account, hardened-shadow adds two more: a shell file and an aging file. The shell file allows chsh to modify the user account's default shell without having access to the shadow file, and aging holds the password expiration fields, which would eliminate the need for locking if administrators expired passwords before changing them, according to Hajdan. In addition, hardened-shadow does not require a patched version of Glibc crypt(), and it supports more PAM options than does pam_tcb. Fans of the Blowfish algorithm might balk at the omission of their favorite cipher, but Hajdan has added a PAM parameter to pam_hardened_shadow that allows one to pass the hash algorithm as an argument. In the standard crypt() scheme, the hash algorithm used is designated by a token surrounded by $ characters — MD5 uses $1$, SHA-256 uses $5$, and so on. Hajdan believes making the PAM module indifferent to the hash algorithm makes the code more useful, so that Owl users can take advantage of Blowfish, while others can use their own cipher — and future-proofs it against new exploits that target particular ciphers. On the down side, Hajdan admits that his code is currently incompatible with SELinux and with NIS. More importantly, of course, it is brand-new and virtually untested, so he advises against deploying it on any production systems. Openwall's Alexander Peslyak (aka Solar Designer) offered several reasonable suggestions as feedback to Hajdan's list message. Among them were switching to a common open source license in place of Hajdan's current, custom license text, and building hardened-shadow around pam_tcb rather than implementing yet another PAM module with virtually the same goals. Hajdan's reply was that he felt pam_tcb's reliance on a patched Glibc made for too many packages, and that pam_tcb duplicated too many functions already found elsewhere in the tcb library. Nevertheless, Peslyak said that Openwall would consider migrating to hardened-shadow's version of the shadow utilities (although not the PAM and NSS modules). The reason he gave was that Openwall currently maintains its patch set against a suite of tools that come from a blend of two different sources: the canonical shadow utilities, and a PAM-based implementation called SimplePAMApps. SimplePAMApps, however, is no longer being actively maintained. Owl and a few other distributions curate their own packages of it, but in the long run, synchronizing with an actively developed tool set is probably less work. The shadowy futureBack in 2010, Hajdan submitted patches to the shadow utilities to enable optional support for tcb, a change that appears to have landed in the 4.1.5 release from February 2012. Nevertheless, tcb is still an essentially Owl-only tool. There does not seem to be much interest in packaging it among the large, "mainstream" distributions; in 2006 the idea was floated on the fedora-devel list where it was met with skepticism. Some of the criticism from 2006 is questionable (for example, the concern that users could fill up the /etc filesystem by dumping files into their /tcb/ directories — the group permissions should prevent that), but others, such as requiring new methods for auditing password changes, may be more valid. Hardened-shadow does not alleviate all of those concerns, but by virtue of not requiring a patched Glibc, it at least stands a better chance of being packaged by other distributions. Any hope for widespread deployment, however, will probably still need to address the SELinux incompatibility in the PAM module — and it will certainly need to wait for a proper security audit and more sets of eyes scrutinizing the code. Shadowed passwords were introduced to split up user account information in a manner that made security exploits harder. As both of these projects show, further division holds the possibility of protection against other attacks. Neither tcb nor hardened-shadow is a perfect solution, of course, but the existing shadow system is far from flawless, too, which is part of what makes a fresh re-examination of it such an interesting exercise. (Log in to post comments)
Bizarre Posted Mar 22, 2012 5:20 UTC (Thu) by ringerc (subscriber, #3071) [Link]
I struggle to understand the appeal of this when LDAP auth solves so many problems already. About the only big issue is that it's painfully hard to get a Linux distro to use *only* LDAP because there's too much that still assumes /etc/passwd rather than going through NSS.
In particular, distro package config scripts are frequently guilty of trying to create or update users in /etc/passwd and /etc/group, with no mechanism offered to switch them to using LDAP. This tends to leave systems with a split auth setup, where some users and groups are local and some are in the directory. When you want to add a directory user to a local group, this becomes a nightmare.
Please: scrap the file-based auth, and move to LDAP.
!Bizarre Posted Mar 22, 2012 6:34 UTC (Thu) by eru (subscriber, #2753) [Link] Please: scrap the file-based auth, and move to LDAP.But if the network is down or LDAP otherwise hosed, how do you get access for fixing things? Files are also useful for situations where the system is never meant to be part of a wider authentication domain (eg. most home users and embedded systems). But I agree that in most professional deployments you want to use network-based authentication, except for root and other special cases, so improving shadow password security in the ways described in the article does not seem terribly important.
!Bizarre Posted Mar 22, 2012 6:48 UTC (Thu) by ringerc (subscriber, #3071) [Link]
Loopback is never down. Well, not past *incredibly* early boot, anyway, such that a NSS module that provided a hardcoded uid 0 and a uid for the LDAP daemon (to run it as non-root) would be all that'd be required until LDAP came up.
I'm talking about LDAP on the local host, as the primary and only storage for user credentials. Unlike passwd/shadow/group, it's extensible, supports fine-grained access control, mirroring and sync, etc.
I run an LDAP daemon on each server. When a change is made, the change is pushed to the master and then out to all the slaves via client-cert-protected tls-secured channels. If the master goes down, nobody cares.
!Bizarre Posted Mar 22, 2012 11:29 UTC (Thu) by cortana (subscriber, #24596) [Link]
Do you have a particularly slimmed-down build of OpenLDAP for this purpose? How much memory does it take up in regular use? Does anything break if it needs to do a lookup while the daemon is being restarted (I imagine you build it yourself, but imagine if you were using a distro-provided package that pushed out a security update). How do you handle the split between 'system' users created by distro packages with low UIDs and human users created with high UIDs? Do you use nss_ldap, nss_ldapd + nslcd (with or without nscd or unscd), nss_ldapd + slapd's nss overlay, or nss_cache?
I've been thinking along these lines for a while, but I haven't actually bothered to look at setting such a system up yet. The tuning & maintenance requirements of OpenLDAP's use of libdb put me off. Current versions have a new backend however, mdb, that appears have no such demands on the admin. The main problem I'd forsee is that slapd is not available during boot, and particularly so in early boot when everything's being run out of the initramfs.
!Bizarre Posted Mar 22, 2012 11:49 UTC (Thu) by ringerc (subscriber, #3071) [Link]
I use regular OpenLDAP from the Debian archives. It's probably possible to optimise it for memory use and cut out optional features, but with RSS at 7MB I don't care to. Remember, much of that RSS is overhead - `grep` has 1MB RSS on my system!
That kind of memory use might be a concern on particularly tiny embedded boxes, but few of those will want a full NSS anyway, they're likely to be using busybox and uclibc with their very cut down identity stuff.
slapd restarts haven't been a problem the couple of times I've done them to add new schema. Requests though PAM or NSS are delayed until slapd comes up again, then continue as normal. The delay hasn't been noticeable since slapd restarts in a fraction of a second.
Because LDAP is an afterthought in Linux distros at the moment, the situation with ldap auth in current distros is absolutely rotten. The separation between system and LDAP users that you alluded to is the problem, and the lack of testing of package scripts etc with LDAP adds to the pain. It's particularly bad when you need users the system thinks are "system" users to appear in the directory because they must be consistent across several systems for, say, NFS4 shared storage. Most package scripts will scream when they can't find the user in /etc/passwd even though it exists.
At this point I don't recommend running LDAP auth for Linux environments because it's badly tested and badly integrated into most distros as a half-assed afterthought. To work well, it must *replace* /etc/passwd and friends, not layer on top of them, and all system tools for user creation/removal/etc must manipulate LDAP transparently instead of passwd.
With the current situation I've even had to remove a user from LDAP and allow a package to create the user in the system auth files with a different auto-generated uid, then remove that generated user, add the original user back to ldap, and chown everything to the new uid. I'm not impressed.
As for my setup: I use plain old nscd on top of slapd.
FWIW, I don't particularly adore LDAP, but it's there and it works. Apple demonstrated the folly of rolling their own directory system with the short-lived NetInfo; IMO, LDAP should be adopted because we need *something* better than passwd, LDAP is there, and LDAP is mature and interoperable.
!Bizarre Posted Mar 22, 2012 17:03 UTC (Thu) by drag (subscriber, #31333) [Link]
> At this point I don't recommend running LDAP auth for Linux environments because it's badly tested and badly integrated into most distros as a half-assed afterthought.
LDAP auth always seemed weak to me. If you are doing network authentication, why not doing it right with Kerberos? It seems like any decent software has support for SASL and/or GSSAPI. This seems like a much better and more robust approach and has been the one I always have taken.
Also most of your issues with PAM and NSS can be taken care of with SSSD. Vastly better then nscd and can support 'road warrior' type configurations, which is fantastic.
Howeve, Seeing how this article is about improving the security of your shadow user database putting it all in a network daemon, even if it's localhost-only, seems like a step backwards.
!Bizarre Posted Mar 23, 2012 13:27 UTC (Fri) by Creideiki (subscriber, #38747) [Link]
Is there a way to do passwordless entry into a Kerberos system? I like using public-key SSH to save me from having to remember passwords for all the systems I have accounts on, but from what I understand Kerberos requires you to enter your password at some point (either at login or later using kinit) to get a TGT.
!Bizarre Posted Mar 23, 2012 13:32 UTC (Fri) by cortana (subscriber, #24596) [Link]
!Bizarre Posted Mar 23, 2012 16:34 UTC (Fri) by drag (subscriber, #31333) [Link]
With Kerberos it is single sign on. Which means, of course, once you get your ticket then you don't have to re-enter your password for the lifetime of that ticket. (usually about 8 hours)
On your main administrative system I found that it's most useful to not actually have it hooked into your domain. That way when something goes wrong with your domain you can do something to fix it. In that case you run 'kinit username' to request a ticket. Once you get your ticket then you should be good for at least 8 hours without having to re-enter it.
The biggest downside is that Kerberos requires a fairly significant amount of functionality to be present and working on your network before you can use it. Most networks that have grown up fairly willy-nilly tend to have a lot of brokenness in them and that won't fly with kerberos.
Your reverse DNS lookups need to be working perfectly for all the machines in the domain, for example.
The easiest way to implement a domain nowadays is to use FreeIPA. Install a CentOS or Fedora system on your network and follow Redhat's documentation.
For non-Redhat/Fedora type systems all you really need to do is install 'sssd'. There was a couple recent bugs that popped into Debian unstable that I had issues with, but Debian stable works very well.
The biggest problem with FreeIPA and SSSD is if you already have a existing OpenLDAP deployment it's not going to work well with that. You need to use the specific configuration provided with FreeIPA packages with the 389 LDAP server to be compatible.
Once you get that sorted out though then it makes all sorts of previously difficult things to do pretty easy.
!Bizarre Posted Mar 26, 2012 18:48 UTC (Mon) by sorpigal (subscriber, #36106) [Link]
Your analysis sadly mirrors mine. I'd like to use slapd, because it doesn't make any choices for me, but it's so dedicated to not making choices for me that I can't understand how to do anything useful with it without an enormous investment of time to learn and configure it. 389ds is better, and obviously made by people who expect real sysadmins to be able to use it, but it makes so many assumptions about how you want to do things that it leaves a bad taste in my mouth. The real down side to 389ds is that using it on non-Fedora non-RHEL (read: Debian) is so difficult you may as well hand craft a slapd setup.
I came from an eDir/NDS background so I think I know what I want, but creating it is an enormous pain. Where's the distribution the presumes you want to put $everything into LDAP, users and all, right from the start, use kerberos everywhere, etc? I get a very 1996-friendly-linux-desktop kind of vibe where I think "Of course it's possible to configure Linux to do this" but in practice you may as well give up. It would be a shame if the eventual solution to this problem is to adopt samba4 and just have everyone follow Microsoft's lead.
SSSD is refreshing, but it only makes the client side easier. FreeIPA is really nice for being sort of the KDE of my desktop linux analogy, but it's a lot more than I need and is sadly tied to 389ds only and thus to Fedora systems. There seem to be only two types of person trying to get things working in this area: the people who are wizards and use slapd and the people who aren't necessarily wizards and use Fedora specific solutions.
!Bizarre Posted Mar 26, 2012 19:08 UTC (Mon) by cortana (subscriber, #24596) [Link]
I think recent versions of slapd are getting better in this area. They have a new database backend, mdb, which has no configuration knobs at all, and yet outperforms hdb/bdb. So operationally, administering slapd is a lot easier than it used to be (particularly since the hdb/bdb docs say "read the Berkeley DB documentation", which Oracle have now helpfully broken all the links to...)
Of course, you still have to decide on your schema, and come up with tools for creating and maintaining objects, set up replication and so on.
Bizarre Posted Mar 23, 2012 9:15 UTC (Fri) by phajdan.jr (subscriber, #83686) [Link]
I think the main problem with LDAP is the complexity. I agree that in environments with many machines centralizing account management is very important. However, in smaller setups it may just not be worth it.
By the way, hardened-shadow is not just about splitting /etc/shadow into a directory tree and switching from SUID binaries to SGID ones. Utilities like login, su, passwd, useradd, groupadd are also re-implemented, and are smaller than their shadow-utils counterparts.
The above makes it possible to make those tools work more seamlessly with LDAP (if that makes sense), maybe addressing your point. Feedback and patches are welcome - feel free to post to MLs listed at http://code.google.com/p/hardened-shadow/ .
Shadow hardening Posted Mar 22, 2012 9:10 UTC (Thu) by arekm (subscriber, #4846) [Link]
Wasn't pwdutils successor after shadow? Now back to shadow derived thing...
Shadow hardening Posted Mar 23, 2012 9:20 UTC (Fri) by phajdan.jr (subscriber, #83686) [Link]
Latest release of pwdutils I could find was from 2005/2006. I think the shadow-utils was maintained by different people over time, but is still actively developed. Latest version, 4.1.5, has been released in February 2012.
Encryption vs hashing Posted Mar 22, 2012 14:09 UTC (Thu) by rvfh (subscriber, #31018) [Link]
> MD5, SHA-256, and SHA-512 encryption methods
I thought these were hashing methods. Is it correct to call them encryption methods? I know they somehow 'encrypt' the password, but I would not call them so, considering the encryption needs to be bijective, as the password can normally not be recovered from its hash.
Am I being pedantic?
Encryption vs hashing Posted Mar 22, 2012 14:35 UTC (Thu) by jeff_marshall (subscriber, #49255) [Link] You're correct. They're really hashes. Actually, they are frequently the result of something that is really more like the output of a mode (to borrow terminology from the block cipher world) which uses hashes similar to the way some key derivation functions work. For example, see: http://en.wikipedia.org/wiki/Crypt_(Unix)#MD5-based_scheme
Encryption vs hashing Posted Mar 22, 2012 17:27 UTC (Thu) by drag (subscriber, #31333) [Link]
> I thought these were hashing methods. Is it correct to call them encryption methods?
It's encryption.
That being said I don't really understand the point of using blowfish in this context. It's a general purpose cypher were you are suppose to be able to decrypt the information being encrypted. So this means that if you are able to obtain the key used to encrypt the password data stored in the shadow file then you can recover the password.
This is technically impossible to do with sha256 even if you wanted to. All the data used to encrypt the password can be present on the host system (except the password itself) and it is still impossible for a person with physical access to recover it. The only chance they have is to brute force it or have the user type it into a compromised system.
It's generally a bad idea to have a system were it is actually possible for a administrator to recover a password, if that is the idea. This opens up all sorts of liability and auditing problems. Just a bad idea.
So this seems bad. Unless the shadow files in each directory serve a slightly different purpose then before. I am probably missing something important here.
Basically if the authors feel that sha256 can't be trusted for hashing, then they need to find a different approach. Or they are using Blowfish in a different manner then I understood it to be used.
Encryption vs hashing Posted Mar 22, 2012 17:50 UTC (Thu) by drag (subscriber, #31333) [Link]
I see what I was missing. With OpenBSD the stored hash is created by using the user's password to loop through blowfish a few cycles then encrypt "OrpheanBeholderScryDoubt".
Thats clever.
Encryption vs hashing Posted Mar 22, 2012 20:08 UTC (Thu) by anselm (subscriber, #2796) [Link] Or they are using Blowfish in a different manner then I understood it to be used. The original Unix CRYPT mechanism used DES (with a few minor tweaks), which like Blowfish is a symmetric cypher. The way this worked was that the user-provided password was used as the key to encrypt a constant (usually a vector of null bytes). The result was then encrypted again etc., for a total of 25 rounds (which on a PDP-11 took a reasonable amount of time). This is incidentally why Unix passwords used to be limited to 8 (7-bit) characters, which are just enough to make up a 56-bit DES key. Blowfish-based password »encryption« operates along the same lines – it uses the password as the key, not the plaintext to be encrypted – but makes use of the password in a more complicated manner.
Shadow hardening Posted Mar 22, 2012 16:45 UTC (Thu) by dpquigl (subscriber, #52852) [Link]
To clarify something. I don't see anything in the description here that makes hardened-shadow incompatible with SELinux. What I think the author is trying to say here is that he hasn't done the policy leg work to get it working with SELinux. He is welcome to come to the SELinux mailing list or the refpolicy mailing list and talk about creating a policy for hardened-shadow with us. Also without some policy changes I can see tcp potentially running into the same problem.
Shadow hardening Posted Mar 22, 2012 17:08 UTC (Thu) by jake (editor, #205) [Link]
> I don't see anything in the description here that makes hardened-shadow
> incompatible with SELinux.
Maybe I misunderstood, but I thought the problem wasn't so much policy as it was getting the tcb/hardened-shadows changes working with pam_selinux (or the SELinux changes working with the PAM modules for the others).
jake
Shadow hardening Posted Mar 22, 2012 22:08 UTC (Thu) by dpquigl (subscriber, #52852) [Link]
Are they completely getting rid of /etc/passwd? I don't believe pam_selinux actually looks at the shadow file at all. I believe it takes the user name and figures out the SELinux user from that and chooses the login context properly. I don't see how breaking out shadow would change that. I'll take a look into it. I haven't looked at how either of the projects work yet but my first concern would be that the shadow files just aren't label properly. Any links to the actual projects so I can check them out when I get home?
Shadow hardening Posted Mar 22, 2012 22:12 UTC (Thu) by dpquigl (subscriber, #52852) [Link]
Bleh wish I had that edit key. I meant to ask if there are examples of getting this going on Fedora or something like that. That would probably be the best place to test SELinux integration.
Shadow hardening Posted Mar 23, 2012 9:26 UTC (Fri) by phajdan.jr (subscriber, #83686) [Link]
Thank you for commenting about that. It's not really an incompatibility (and that has nothing to do with pam_selinux), but yeah there are at least two problems here:
1. The policies would need an update. It's not obvious to me how to do that though, since program names are the same as with shadow-utils, e.g. passwd and so on.
2. The code of hardened-shadow needs to be SELinux aware, e.g. to properly set SELinux context for files when replacing them (as far as I understand it).
I'm not sure if I'll find time to do the above myself, but patches to do #2 are welcome, and I can answer any questions to make creation/update of the policy easier.
People interested in the above are welcome to post on the project mailing lists listed on http://code.google.com/p/hardened-shadow/
Shadow hardening Posted Mar 23, 2012 13:09 UTC (Fri) by dpquigl (subscriber, #52852) [Link]
I'd recommend joining the SELinux mailing list at http://www.nsa.gov/research/selinux/list.shtml. I'm sure you will find people to help with both 1 and 2. I'm not sure of shadow utils is currently SELinux aware or not. It might be because there was no way of writing different type transition rules for two files in the same directory created by the same process. Eric Paris I believe fixed this by making type transitions optionally take a name as their last component. In newer versions of SELinux we should be able to use that to do all this work in policy. I also think that even that might not be needed. If I understand things properly this stores the new shadow information under its own directory right? We can label that parent directory properly and any directories under it and files created under those should have the right contexts.
Shadow hardening Posted Mar 22, 2012 17:11 UTC (Thu) by ballombe (subscriber, #9523) [Link]
blowfish password is available in the PAM module libpam-unix2 available at least in Debian and SuSE since years, so why glibc need to be patched ?
Shadow hardening Posted Mar 22, 2012 19:50 UTC (Thu) by jengelh (subscriber, #33263) [Link]
Because it's not in upstream glibc.
Shadow hardening Posted Mar 22, 2012 18:47 UTC (Thu) by RobSeace (subscriber, #4435) [Link]
> The principle advantage is that Blowfish can be configured to use as many
> set-up rounds as desired when generating the hash; thus administrators can > increase the number of rounds over time to make attacks more and more > computationally expensive as processor power increases.
How is that an advantage over SHA-*? They can also do the same thing:
Shadow hardening Posted Mar 29, 2012 8:00 UTC (Thu) by chojrak11 (guest, #52056) [Link]
Exactly. Here is the shadow entry with SHA-512 and custom number of rounds:
username:$6$rounds=100000$<salt>$<hash>:15418:0:99999:7:::
here the PAM configuration:
and login.conf:
After the admin increase number of rounds, next password change will adapt the setting.
Passwords in home? Posted Mar 26, 2012 10:31 UTC (Mon) by migpc (guest, #24484) [Link]
The proposal of having user's local password in a separate folder per user is very interesting. However, the locations suggested /etc/tcb or /etc/hardened-shadow are machine related, not user related; and passwords are user related. Wouldn't make sense to have passwords stored in a secured folder under user's home directory (like /home/linus/.shadow/)?. This would ease a lot machine migrations, backups and even local validation using shared directories.
Do you find any caveat to this alternative?
Passwords in home? Posted Mar 26, 2012 13:46 UTC (Mon) by anselm (subscriber, #2796) [Link] Your setup might require authentication to actually get at the user's home directory in the first place, in which case you would have a chicken-and-egg problem if you needed to access the user's home directory in order to do the authentication. Also, if you wanted to enforce restrictions on passwords (e.g., minimum length, aging, …) that would be difficult if a user's password was stored in a place that was under the user's control so they could mess with it in whatever way they desired. You could try to work around this by signing and/or encrypting the password file but that would not only make things a lot more complicated but would probably introduce another machine dependency (the keys to do the signing/encryption), at which point you'd be back where you started.
Passwords in home? Posted Mar 27, 2012 16:41 UTC (Tue) by phajdan.jr (subscriber, #83686) [Link]
Right, those are real issues with the indeed interesting suggestion.
1. The user directory may not yet be mounted. Suppose it's mounted from an encrypted volume, and the password for that volume is the user's password. It's a pretty legitimate use-case and I'm pretty sure many people already do something similar using PAM.
2. The ways user can mess with the directory under his home are somewhat limited. If the protected directory has at least one file, the user won't be able to delete the directory. However, he can rename it, and create a new one with the same name. Now we can check the permissions of the dir (user can't chown to root), and it even shouldn't be racy thanks to openat calls. The problem is that the account's aging info would be inside that protected directory, so by moving it out of the way the user could cause some trouble with loss of that management data.
Anyway, it may be worth to try more and find some solutions for those problems, maybe by using some slightly different approach. Such discussion is certainly welcome, either here or on the project's mailing lists - see http://code.google.com/p/hardened-shadow/
Passwords in home? Posted Mar 27, 2012 17:21 UTC (Tue) by jspaleta (subscriber, #50639) [Link]
As to 1)
There is already a similar real-world situation with ssh keys.
On linux distributions which encourage the use of ecryptfs for home directories.. the default ssh configuration which looks for ssh keys stored in $HOME/.ssh/ no longer works if the user is not already logged in via another means. Password login via ssh still works (if its enabled) because the pam stack for ssh is looking at the systemwide passwd/shadow information. If the user password was in the home directories, then ecryptfs-like encyption of home directories would have to be re-engineered.
-jef
|
|||||||||||||