Intro:
* UUASC-OC
http://www.uuasc.org
* Monday, 8 May 2006, 7:00 PM
* D.E. Legan II, mailto:legan@acm.org
* (The Will Rogers Thing at this point)
Limitations:
* Not a crypto/security expert,
my knowledge on this still evolving,
simply an informed user -
so speak up
* Debian biased presentation
* not going into kerberos, SRP, etc.
advanced technologies (Biometrics, Tokens, etc.)
* information in man pages
(only if it sticks out as interesting)
* command line bias
* physical security
Definitions:
* watchword
* password
A password is a form of secret authentication
data that is used to control access to a resource.
The password is kept secret from those not allowed access,
and those wishing to gain access are tested on whether
or not they know the password and are granted or denied
access accordingly.
* pass phrase
* passcode
* key (cryptography), a piece of information that
controls the operation of a cryptography algorithm
http://en.wikipedia.org/wiki/Password
Theory:
* hash
- Zero Key Encryption (see O'Reilly SSL book)
* previously DES based
* currently MD5 considered state of the art
should allow up to 256 characters
* classic passwd file
* shadow file
* Trusted Computing Base (tcb)
* IBM AIX format
* /etc/security/password - hash etc.
* /etc/security/user - aging information
* /etc/security/passwd - traditional info(??)
Chris Hare articles in Sys Admin
* 'How UNIX Password Controls Work'
Vol. 1, No. 1, May, 1992
* 'Revisiting UNIX Password Controls -- Part 1'
Vol. 10, No. 10, October, 2001
* 'Revisiting UNIX Password Controls -- Part 2'
Vol. 10, No. 11, November, 2001
* Accountability
* When Accountability matters
* When accountability doesn't matter
- for marketing tracking etc.
http://www.bugmenot.com
Literature:
* Watchwords for military sentries
* lame humor
* WW II Battle of the Bulge
* 'Perfect Passwords Selection, Protections, Authentication'
Mark Burnett, Syngress ISBN 1-39749-041-5
* Bad points (first):
* General MS Windows bias in presentation,
not OS/environment neutral
* Seems padded out with random number, seed word
and worst ever password tables
* No discussion of password tools/application of any kind
* Accompanying web site seemed worthless when I checked it
* Good points: the suggested patterns for good passwords:
1. use three words - a pass phrase
2. phoney e-mail address pattern
3. phoney www address pattern
4. title, name, suffix pattern
5. rhyme a number with a word pattern
6. replace words with verbose phrases with the same meaning
7. personal secret confession
8. weird dances
9. phoney phone number
10. swap letters between words / spoonerisms
http://en.wikipedia.org/wiki/Spoonerism
* Good points: Mangling patterns
1. Weird dialects
2. scrambling word order
3. randomly insert spaces
4. repetition for the h*** of it
5. replace syllables/letters with characters
6. insert punctuation, randomly or by some pattern
7. speech defect
8. fake words in passphrase
9. foreign words / slang
10. typos
* author suggests Googling patterns, etc.
probably best to go elsewhere to do this if
really concerned about security
* other good points
* Schneier announcement
http://www.schneier.com/blog/archives/2005/06/write_down_your.html
Tools:
* login command
* /etc/login.defs :
man login.defs
At account creation, defaults set with:
PASS_MAX_DAYS
PASS_MIN_DAYS
Encroaching on shell startup files:
FAKE_SHELL
uses: screen etc., honeypot and intrusion detection etc.
'Securing UNIX Passwords' Eric Davis
Sys Admin Vol. 7, No. 8, August 1998
* tinylogin -- for embedded systems
http://tinylogin.busybox.net/
* autologin script
From Feb./1999 Linux Journal, p.93-95
Linux Apprentice "The login Process"
by Andy Vaught
* passwd command
* change just about any data for a user besides the password
* some claims in man page seem unsupported by rest of
man page.
* '-S' to show status information
* display status information - may prefer pwexp.pl program
see Chris Hare articles above
* vipw, vigr commands
* -s to edit shadow files
* locks files to avoid access conflicts
* checks for correctly formed contents
* chage command
* Thumb Rule:
Aging parameters for an account's password are changed with
the chage command or passwd;
everything else about passwords is
set through PAM configuration
* '-l' to show particulars of specific user account
* Several versions of pwexp.pl program,
for classic /etc/passwd and shadow files
see Chris Hare articles above
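The shadow file fields (Theory section above) and the aging status that chage -l and the pwexp.pl program report are worth seeing in code. The following is an added example written for these notes, not code from the talk, Chris Hare's articles or any distribution; it parses constructed shadow(5)-style lines (placeholder hash fields, not real hashes), names the hash scheme by its prefix, and evaluates the aging fields against a caller-supplied "today" in days since the epoch, the same unit the file uses. The $5$/$6$ prefixes are noted as later glibc additions that postdate this talk.

```python
"""Parse shadow(5)-style entries: hash scheme and password-aging status."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in /etc/shadow layout; not from any real system.
# Hash fields are placeholders of the right shape, not valid hashes.
# fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$1$c0nstruct$0123456789abcdefghijkl:13000:7:90:14:30::
bob:AbC1234567890:12000:0:60:7::13200:
carol:!$1$c0nstruct$0123456789abcdefghijkl:13100:0:99999:7:::
dave:*:13100:0:99999:7:::
erin::13100:0:99999:7:::
"""

NO_AGING = 99999  # conventional PASS_MAX_DAYS value meaning "never expires"


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]
    min_days: Optional[int]
    max_days: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow(text: str):
    """Split each line on ':'; empty numeric fields become None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], *(_int_or_none(x) for x in f[2:8])))
    return entries


def hash_type(field: str) -> str:
    """Classify the second field: locked, empty, or which crypt(3) scheme."""
    if field == "":
        return "empty (no password required)"
    if field[0] in "!*":
        return "locked"
    # $1$ = MD5 crypt (the 'state of the art' above); $5$/$6$ were added to glibc later
    for prefix, name in (("$1$", "md5crypt"), ("$2a$", "bcrypt"),
                         ("$5$", "sha256crypt"), ("$6$", "sha512crypt")):
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "descrypt (traditional DES, 8 significant characters)"
    return "unknown"


def aging_status(e: ShadowEntry, today: int) -> str:
    """Mimic what chage -l / pwexp.pl derive; today = days since the Unix epoch."""
    if e.expire is not None and today >= e.expire:
        return "account expired"
    if e.lastchg == 0:
        return "password change required at next login"
    if e.lastchg is None or e.max_days is None or e.max_days >= NO_AGING:
        return "no aging"
    change_by = e.lastchg + e.max_days
    if today > change_by:
        if e.inactive is not None and today > change_by + e.inactive:
            return "password expired, account inactive"
        return "password expired"
    if today >= change_by - (e.warn or 0):
        return f"password expires in {change_by - today} days"
    return "ok"


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        print(f"{entry.name:6} {hash_type(entry.hash):45} {aging_status(entry, 13085)}")
```

Run it against the embedded sample to see alice inside her warning window, bob past PASS_MAX_DAYS, and the locked and empty entries that a quick audit should flag.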
* Various versions of passwd
* Passwd+ - apparently no longer supported
(was at ftp://ftp.dartmouth.edu/put/security)
http://www.admin.com/Pages/TUSA/passplus.html
http://sunsite.mff.cuni.cz/MIRRORS/ftp.funet.fi/pub/unix/security/passwd/passwd+/
* Npasswd
(was at http://www.uts.cc.texas.edu/~clyde/npasswd)
http://www.utexas.edu/cc/unix/software/npasswd/
This seems to have mutated into a
PAM/client-server solution
'Locking the Front Door of Password Security'
Victor Burns
Sys Admin, Vol. 10, No. 8, August 2001
http://www.samag.com/documents/s=1147/sam0108g/0108g.htm
* Epasswd
(was at http://people.nas.nasa.gov/~edavis/epasswd)
http://www.nas.nasa.gov/Groups/Security/epasswd/
(see Eric Davis article above)
* PAM / Pluggable Authentication Modules
* 'PAM -- Pluggable Authentication Modules'
Kurt Seifried
Sys Admin Vol. 9, No. 9, September 2000
* activation/use of one configuration file may
require a setting in another configuration file
to turn on use of the first file's contents
* /etc/security
Some interesting PAM configuration files here
* /etc/security/pam_env.conf
* Variable / Default / Override
* takes over some functions of /etc/profile and such
* /etc/security/access.conf
* /etc/security/time.conf
* /etc/security/limits.conf
* /etc/pam.conf - only if pam.d does not exist
* /etc/pam.d/
* configuration files for various services such as
ftp, ssh, vlock, lockvc, cupsys, kde, kermit, xdm,
xlock, su, sudo etc.
* pam_unix.so -
some of its password checks are redundant,
not needed if PAM cracklib is being used
* libpam-cracklib (apt-get)
* Connects passwd to cracklib2 via PAM
* 'Strong Passwords with PAM'
Hal Pomeranz
Sys Admin Vol. 13, No. 11, November 2004
* Various password generators
* pwgen (from apt-get)
* makepasswd (from apt-get)
* easypass.pl
'Generating Passwords with Easypass.pl'
Matt Lesko
Sys Admin, Vol 11, No. 7, July, 2002
* Various websites (???)
see Wikipedia password entry above
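To put numbers on the generators listed above and on Burnett's 'three words' and mangling patterns, here is an added example (written for these notes, not code from pwgen, makepasswd, easypass.pl or the book): a pwgen-style random-character generator, a three-word passphrase generator, one mangling step (insert a random digit and a random punctuation mark), and the entropy each contributes. The 16-entry word list is constructed so the block runs offline; a real generator would draw from a large dictionary.

```python
"""Password/passphrase generation with entropy accounting (added example)."""
import math
import secrets
import string

# Constructed mini word list, only to keep the example self-contained.
WORDS = ["anchor", "basket", "cobalt", "dahlia", "ember", "fjord", "garnet", "hollow",
         "iris", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PUNCT = "!@#$%^&*()-_=+[]{};:,.?/"                                      # 24 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 12, alphabet: str = PRINTABLE) -> str:
    """pwgen/makepasswd style: uniform random characters via the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(nwords: int = 3, words=WORDS, separator: str = "-") -> str:
    """Burnett pattern 1, 'use three words': each word drawn with replacement."""
    return separator.join(secrets.choice(words) for _ in range(nwords))


def passphrase_entropy(nwords: int = 3, words=WORDS) -> float:
    """Entropy comes from the dictionary size, not the phrase length."""
    return entropy_bits(len(words), nwords)


def mangle(phrase: str, digits: str = string.digits, punct: str = PUNCT) -> str:
    """Mangling pattern 6: insert one random digit, then one random punctuation
    mark, each at a random position."""
    chars = list(phrase)
    chars.insert(secrets.randbelow(len(chars) + 1), secrets.choice(digits))
    chars.insert(secrets.randbelow(len(chars) + 1), secrets.choice(punct))
    return "".join(chars)


def mangle_entropy_bits(phrase_len: int, ndigits: int = 10, npunct: int = len(PUNCT)) -> float:
    """Bits added by mangle(): position x symbol choices for each insertion."""
    return math.log2((phrase_len + 1) * ndigits) + math.log2((phrase_len + 2) * npunct)


if __name__ == "__main__":
    pw = random_password(12)
    print(f"{pw!r:20} {entropy_bits(len(PRINTABLE), 12):.1f} bits")
    pp = passphrase(3)
    print(f"{pp!r:28} {passphrase_entropy(3):.1f} bits from a {len(WORDS)}-word list")
    print(f"{mangle(pp)!r:28} +{mangle_entropy_bits(len(pp)):.1f} bits from mangling")
```

The printout makes the trade-off concrete: three words from a tiny list are weak no matter how they are mangled, while the same pattern over a multi-thousand-word dictionary competes with a random 12-character string and is far easier to remember.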
* Password vaults
* PMS
'Forgotten Security' ('Cooking with Linux')
Marcel Gagné
Linux Journal, January, 2005
http://www.marcelgagne.com/cwl012005.html
Apparently discontinued
* CPM
http://www.harry-b.de/dokuwiki/doku.php?id=harry:cpm
* password safe
originated by Bruce Schneier
http://passwordsafe.sourceforge.net/
* keepass
http://keepass.sourceforge.net/
* patra
http://freshmeat.net/projects/patra/
* Terminal locking software
* Lockvc
* vlock
* Password cracking tools
http://en.wikipedia.org/wiki/Password_cracking
* crack - philosophy
* John the Ripper
* LC5 (formerly L0phtCrack)
* mdcrack
* One Time Passwords
OPIE - various debian packages
'OPIE - One-Time Passwords in Everything'
Margaret Fenner
Sys Admin Vol. 8, No. 13, July, 1999
http://www.inner.net/opie
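The idea behind OPIE and its S/Key ancestor is a hash chain: the server stores H^n(seed, passphrase) and each login reveals the previous link, which the server can check with one hash but nobody can use again. The following is an added example for these notes, not OPIE's own code: a simplified Lamport-style chain over SHA-1 with a toy challenge/response exchange. Real OPIE folds the digest to 64 bits and transmits it as six short words; that encoding is omitted here, and the "otp-sha1 <seq> <seed>" challenge format is an assumption for the example.

```python
"""Simplified S/Key / OPIE-style one-time passwords via a hash chain (added example)."""
import hashlib
import hmac


def step(x: bytes) -> bytes:
    """One link of the chain. OPIE would fold this to 64 bits; omitted here."""
    return hashlib.sha1(x).digest()


def chain(seed: str, passphrase: str, n: int) -> bytes:
    """H^n of the seed and passphrase; n = 0 is the initial hash."""
    x = hashlib.sha1((seed + passphrase).encode()).digest()
    for _ in range(n):
        x = step(x)
    return x


class OtpServer:
    """Stores only H^n; the passphrase never lives on the server."""

    def __init__(self, seed: str, passphrase: str, n: int):
        self.seed = seed
        self.n = n
        self.stored = chain(seed, passphrase, n)

    def challenge(self) -> str:
        # Assumed challenge format for this example (not OPIE's exact wire format).
        return f"otp-sha1 {self.n - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.n == 0:
            return False  # chain exhausted: user must re-initialise with a new seed
        # Hashing the client's value once must reproduce what we stored.
        if hmac.compare_digest(step(response), self.stored):
            self.stored = response  # move one link back; the old value is now useless
            self.n -= 1
            return True
        return False


class OtpClient:
    """Recomputes H^(n-1) from the passphrase on each challenge."""

    def __init__(self, passphrase: str):
        self.passphrase = passphrase

    def respond(self, challenge: str) -> bytes:
        _, seq, seed = challenge.split()
        return chain(seed, self.passphrase, int(seq))


def run_logins(passphrase_client: str, passphrase_server: str, n: int, attempts: int):
    """Return the list of verify() results for `attempts` successive logins."""
    server = OtpServer("sd0001", passphrase_server, n)   # constructed seed
    client = OtpClient(passphrase_client)
    results = []
    for _ in range(attempts):
        results.append(server.verify(client.respond(server.challenge())))
    return results


def replay_is_rejected(passphrase: str, n: int) -> bool:
    """Demonstrate the one-time property: a captured response fails on reuse."""
    server = OtpServer("sd0001", passphrase, n)
    client = OtpClient(passphrase)
    captured = client.respond(server.challenge())
    first = server.verify(captured)
    second = server.verify(captured)
    return first and not second


if __name__ == "__main__":
    print(run_logins("correct horse", "correct horse", 5, 6))  # five True, then exhausted
    print(replay_is_rejected("correct horse", 5))              # True
```

Sequence numbers count down, so the server must refuse a response when the chain reaches zero and require re-initialisation; that is the point at which an OPIE user runs opiepasswd again.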
* Zero Time AKA Unknown Passwords
* purpose to enforce use of sudo,
possible application for kiosks etc.
* 'Using Unknown Passwords'
Ed Schaefer and John Spurgeon
Sys Admin Vol. 14, No. 2, February, 2005
http://www.samag.com/documents/s=9494/sam0502h/0502h.htm
* su, sudo
* ~ 1/2 of their input is a password
* deserve presentation of their own
Future:
* Graphical passwords
http://www.acm.org/technews/articles/2006-8/0113f.html#item11
http://www.infotoday.com/it/itnew.htm
Some password related links, as they accumulated in my bookmark file.
file://localhost/mnt/cdrom/html/ refers to the
Sys Admin CD ROM, Release 9, 1992-2003
- Forgotten Security (Cooking with Linux) | Marcel Gagné
- harry:cpm [Harry's DokuWiki] / site for cpm apparent followup to pms
- Amazon.com: Perfect Passwords : Selection, Protection and Authentication: Books: Mark Burnett,Dave Kleiman
- Schneier on Security: Write Down Your Password
- Password - Wikipedia, the free encyclopedia
- PasswordResearch.com - Authentication Research Paper Index
- Fred Cohen & Associates / password report
- Generating Passwords with Easypass.pl
- Locking the Front Door of Password Security
- Revisiting UNIX Password Controls -- Part 1
- Revisiting UNIX Password Controls -- Part 2
- Automating ftp with Expiring Passwords
- Password Encryption in Shell Scripts
- A Holy Grail for the New Millennium: No Plaintext Passwords
- OPIE -- One-Time Passwords in Everything
- Securing UNIX Passwords
- Aging Passwords
- Password Verification in AIX Version 4
- Remote Password Update
- Coordinating Password and Group Files
- Heterogeneous Password Assignment
- How UNIX Password Controls Work
- Automatically Restart Login Services on a Remote Host
- Login Surveillance on AIX
- Remote Login Menus
- closeit: A Login Management Tool
- Two Handy AIX Tools: The Failed Login Report and lptran
- Monitoring Login Activity
- How to Login to Any UNIX System and Get Your E-Mail
- Sys Admin > v14, i02: Using Unknown Passwords
- Sys Admin > v13, i11: Strong Passwords with PAM
- Improving SSH with Keychain
- PAM -- Pluggable Authentication Modules
- Sys Admin > Cryptography Tools for the Systems Administrator
- Sys Admin > Locking the Front Door of Password Security / on web
- Sys Admin > v10, i10: Revisiting UNIX Password Controls -- Part 1 / on web
- Sys Admin > v13, i11: Strong Passwords with PAM
- Ultra High Security Password Generator / art johnson / lul
- The login Process | Linux Journal / Feb., 1999, issue 58
- Password's Progress | Linux Journal
- Debian -- makepasswd
- Debian -- mypasswordsafe
- RFC 2945 / Secure Remote Password
- Kermit Security Reference
- SRP: Open-Source Password Security
- Key (cryptography) - Wikipedia, the free encyclopedia
- Unix Authentication Tools
- Index of /MIRRORS/ftp.funet.fi/pub/unix/security/passwd/passwd+
- Password Portal - Password Recovery, Password Cracking
- GeodSoft How-To: Cracking Passwords Techniques
- Security Tools : Cracker
- Password cracking - Wikipedia, the free encyclopedia
- TinyLogin
- TinyLogin: Booting up in Small Places | Linux Journal
- Login - Wikipedia, the free encyclopedia
- Selected Publications / D. V. Klein