Subject: Re: Chapter 8 security
To: None <,>
From: Thor Lancelot Simon <>
List: current-users
Date: 04/18/2004 07:57:39

On Sun, Apr 18, 2004 at 08:26:48PM +1000, Daniel Carosone wrote:
> On Sun, Apr 18, 2004 at 03:35:23AM -0400, Thor Lancelot Simon wrote:
> > On Sun, Apr 18, 2004 at 01:55:27PM +0900, Curt Sampson wrote:
> > > 
> > > If you go all the way with this, even that might not be good enough.
> > > What is there to stop someone from making the password hash of a poor
> > > password on another machine and using vipw to set it?
> > 
> > Precisely that crypt(3) sees the *input* to the hash, and can enforce
> > arbitrary restrictions on it.
> As does login (etc) at the time the passwd is used, which is Curt's
> point.  I'm not entirely sure I like the idea, but the point is valid.

That's utterly silly.  login (etc) call crypt(3) to compute the hashed
password; why on earth would one undertake to change all *callers* of
crypt() when one could just change crypt() itself?

 Thor Lancelot Simon	                            
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud
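
The argument in this message, as an added example that is not part of the original post or of NetBSD's code: a hash of a poor password made elsewhere and planted in the password file is rejected at login once the restriction lives inside the hashing routine, with the caller left unchanged. The policy, the function names and the use of PBKDF2 in place of crypt(3)'s own algorithm are assumptions made for illustration.

```python
import hashlib
import hmac

MIN_LENGTH = 8  # assumed policy; the thread does not name a specific rule


class WeakPassword(ValueError):
    """Raised when the input to the hash fails the policy."""


def raw_hash(password: str, salt: bytes) -> str:
    """Stand-in for an unmodified crypt(3): hashes whatever it is given."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return salt.hex() + "$" + dk.hex()


def policy_ok(password: str) -> bool:
    """Assumed restriction: long enough and not purely letters or digits."""
    return (len(password) >= MIN_LENGTH
            and not password.isalpha()
            and not password.isdigit())


def policy_crypt(password: str, salt: bytes) -> str:
    """crypt() with the restriction inside it: it sees the input to the hash."""
    if not policy_ok(password):
        raise WeakPassword("input rejected by policy")
    return raw_hash(password, salt)


def login(stored: str, attempt: str, crypt_fn) -> bool:
    """An unchanged caller: recompute the hash from the typed password, compare."""
    salt = bytes.fromhex(stored.split("$", 1)[0])
    try:
        candidate = crypt_fn(attempt, salt)
    except WeakPassword:
        return False
    return hmac.compare_digest(candidate, stored)


def demo():
    salt = bytes(16)                  # constructed sample salt
    planted = raw_hash("abc", salt)   # made on "another machine", set with vipw
    good = policy_crypt("c0rrect-horse", salt)
    return (login(planted, "abc", raw_hash),          # plain crypt: accepted
            login(planted, "abc", policy_crypt),      # restricted crypt: refused
            login(good, "c0rrect-horse", policy_crypt))


if __name__ == "__main__":
    print(demo())
```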