Newsgroups: comp.os.386bsd.development
Path: sserve!newshost.anu.edu.au!munnari.oz.au!constellation!osuunx.ucc.okstate.edu!moe.ksu.ksu.edu!vixen.cso.uiuc.edu!howland.reston.ans.net!europa.eng.gtefsd.com!uunet!nwnexus!deanstoy!dean
From: dean@deanstoy.wa.com
Subject: Re: Passwords in 386bsd
References: <2b979dINN7du@no-names.nerdc.ufl.edu>
Organization: None whatsoever!
Date: Thu, 4 Nov 1993 02:56:26 GMT
Message-ID: <CFy5IH.3uB@deanstoy.wa.com>
Lines: 36

In article <2b979dINN7du@no-names.nerdc.ufl.edu> d88-jwn@astro.ufl.edu (Johan Wahlin) writes:
>Hi,
>	Having read an article about the Internet worm
>in [Communications of the ACM, June 1989, Vol 32, No 6, Pg 677] I came
>across some thoughts about password security on pg 680 leading me to
>these questions about 386bsd;
>	Does 386bsd implement or is anyone thinking of implementing:
>	i, A check for repeated password attempts from the same process.

Other than the attempt counting and exponential delay implemented in login,
no. The program need only get the encrypted text once (difficult since
passwords are shadowed on *BSD) then it can implement the crypt algorithm
itself and there is no way for the OS to count the attempts. If the attempts
are coming from across the network, only the host can be identified. Also,
inetd gets no feedback on the success of the login attempt.

>	ii, Making the program passwd check for bad passwords by checking
>	    combinations with the users name/id and by using the online
>	    dictionary.

This is easy to do. Just get cracklib and add it to passwd. It does not
take long to do and is very effective. Be aware that the "worked example"
which is included in the source has a subtle bug - root cannot set someone
else's password. To fix this, you have to make a copy of the password record
that 'pw' points to and all its associated strings and then update using the
copy. The reason for this is getpwnam() uses a static buffer which cracklib
overwrites when it looks up the caller's (in this case root's) GECOS data, etc.

-------------------------------------------------------------------------------
#include <standard-disclaimer.h>
Dean M. Phillips
dean@deanstoy.wa.com
--
Dean M. Phillips
Microsoft free and proud of it!
dean@deanstoy.wa.com
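
The fix described in the post above, as an added example that is not part of the original post or of the cracklib sources: deep-copy the record returned by getpwnam(), with all its strings, before anything else performs another passwd lookup. The names pw_dup and copy_survives_reuse are hypothetical, and the record in the demo is constructed so the code runs without touching the real password database.

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

static size_t slen(const char *s) { return s ? strlen(s) + 1 : 1; }

/* Copy s (or "" when NULL) to *cur, advance *cur, return the copy. */
static char *put(char **cur, const char *s)
{
    char *dst = memcpy(*cur, s ? s : "", slen(s));
    *cur += slen(s);
    return dst;
}

/* pw_dup (hypothetical helper): struct plus strings in one block, released with free().
 * Only the common string fields are copied; BSD extras such as pw_class are not. */
struct passwd *pw_dup(const struct passwd *src)
{
    struct passwd *dst;
    char *cur;
    if (src == NULL) return NULL;
    dst = malloc(sizeof(*dst) + slen(src->pw_name) + slen(src->pw_passwd) +
                 slen(src->pw_gecos) + slen(src->pw_dir) + slen(src->pw_shell));
    if (dst == NULL) return NULL;
    *dst = *src;              /* uid, gid and other scalar fields */
    cur = (char *)(dst + 1);  /* string storage follows the struct */
    dst->pw_name = put(&cur, src->pw_name);
    dst->pw_passwd = put(&cur, src->pw_passwd);
    dst->pw_gecos = put(&cur, src->pw_gecos);
    dst->pw_dir = put(&cur, src->pw_dir);
    dst->pw_shell = put(&cur, src->pw_shell);
    return dst;
}

/* Constructed demo: name[] and gecos[] stand in for the library's static buffer. */
int copy_survives_reuse(void)
{
    char name[16] = "alice", gecos[32] = "Alice Example";
    struct passwd pw = {0}, *copy;
    int ok;
    pw.pw_name = name; pw.pw_gecos = gecos; pw.pw_uid = 1001;
    copy = pw_dup(&pw);                   /* take the copy before the next lookup */
    memcpy(name, "root", sizeof "root");  /* a later lookup rewrites the buffer in place */
    ok = copy && strcmp(pw.pw_name, "root") == 0 &&
         strcmp(copy->pw_name, "alice") == 0 && copy->pw_uid == 1001;
    free(copy);
    return ok;
}

int main(void) { return copy_survives_reuse() ? 0 : 1; }
```

In a passwd-style program the call would be pw = pw_dup(getpwnam(user)), made before the password check runs, with the update then performed from the copy.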