Subject: Re: Chapter 8 security
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 04/18/2004 20:26:48
--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Apr 18, 2004 at 03:35:23AM -0400, Thor Lancelot Simon wrote:
> On Sun, Apr 18, 2004 at 01:55:27PM +0900, Curt Sampson wrote:
> >=20
> > If you're go all the way with this, even that might not be good enough.
> > What is there to stop someone from making the password hash of a poor
> > pasword on another machine and using vipw to set it?
>=20
> Precisely that crypt(3) sees the *input* to the hash, and can enforce
> arbitrary restrictions on it.
As does login (etc) at the time the passwd is used, which is Curt's
point. I'm not entirely sure I like the idea, but the point is valid.
--
Dan.
--17pEHd4RhPHOinZp
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
iD8DBQFAglfnEAVxvV4N66cRAtapAJ9yrNozr3DNnvmWkMoEqWMR6T1U6ACePLzK
VEos4S0fOjl7GYKmkgem3p8=
=W5yM
-----END PGP SIGNATURE-----
--17pEHd4RhPHOinZp--