dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (11/10/88)
In article <16722@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes:
Now that we've killed all copies of the Internet virus and
fixed sendmail and fingerd, it's time to thinking about
stopping future viruses.
Here is some of what needs to be done
1. Protect the password file.
On most Unix systems that I've seen, /etc/passwd is publicly
readable. There is no reason for this. It's amusing to
have encrypted passwords that anyone can look at, but it's
also a security hole. Undoubtedly, the virus guessed
passwords by reading the password file directly and
encrypting on its own. Make the virus work to guess
passwords.
This problem was announced in 1976 and fixed in most secure
systems [I did it for NSA]. ATT has shadow (hidden) passwords
in System V Relase 3.2. Other vendors: go thou and do likewise.
The ONLY problem, applications programs can't use password
validation for authentication then. Of course a Yellow Pages RPC
call could be used:
isvalidpasswd(use, passwd);
2. Strengthen crypt(3).
The password encryption routine, crypt(3), uses DES, a sound
encryption algorithm. However, one of the design goals of
crypt(3) was to retard password guessing, and in this
direction it has misfeatures. The routine is deliberately
unoptimized to be slow. Still, one DES pass was too fast
for comfort, so the routine encrypts a blank field with the
password as key 25 times.
This is the wrong approach. The virus either did or could
have had a private, optimized encryption routine.
Furthermore, the virus had substantial computer power
available, typically a whole ring of suns, to attack a given
password file. I am told that someone has written a fast
crypt(3) that encrypts 40 passwords per second, which is
fast enough to encrypt /usr/dict/words in 1 minute on a ring
of 10 suns.
The obvious solution is to optimize crypt(3) as much as
possible, and then decide how many encryption passes there
should be. Since 40 x 25 = 1000, I recommend several
thousand passes. For good measure it could encrypt a block
larger than a 8-byte blank field. For example, you could
chain encrypt a longer string of bytes and put a checksum of
the string in /etc/password.
Still a bad approach. A work factor assumes that one has do do
this on line. When Ken Thompson did his password attack he
sucked the password file back to his home system and did it
there. [Nowdays one could use a CRAY]. When I did my password
attacks I encrypted the dictionary FIRST. Then it was one
encrypt and a fgrep. From start to finish (copy of /etc/passwd
until printing of list of lognames and password was 45 minutes!).
3. Protect home directories.
Like the password file, home user directories are publicly
readable by default on a lot of Unix machines. This virus
learned hostnames from checking .rhosts files. A stronger
virus could also analyze mbox files and make keyword
searches. User files could let it know which user passwords
are valuable and which are a waste of time.
The read status of user directories is the most obvious and
inviting Unix security bug there is. In addition to its
utility to viruses, it allows even unskilled users to snoop,
and it demonstrates to them that Unix security is poor.
It's time to change the default setting for the access
status of home directories.
Umask was invented for this purpose! In a paranoid installation
umask is set to 077. Super paranoid it is 0777!
4. Eliminate unnecessary .rhosts files
This virus only used .rhosts files to learn host names and
user names. It could have made the likely inference that if
Amy is in Tom's .rhosts file, Tom is in Amy's .rhosts file
too. But it didn't do that.
.rhosts files are very convenient, but they make us place a
lot of trust in other computers on the network. Old .rhosts
files are dry tinder waiting to catch fire. We should have
default expirations of .rhosts entries between different
sites.
See comments previously on the net about the breakin at Stanford
two years ago. See also below.
I might add:
5. Programs to search the file system for "suspicious" events.
I have a package audit to very permissions, ownershps, lenght and
check sum of a set of files. [Sorry, ATT Proprietary.] I have
designs of others to check for corruped files [more severe check
sums -- can't be forged] and look for security holes.
There are companies that sell similar security suites. There are
books that explain and give shell scripts.
Security is requires active and continuing work by a system
administrator. All the security mechanisms and protections in
the world won't help if the system administrator is unwilling to
use them. Nor, if the system administrator makes a mistake. Or,
if some one delibately unprocts things.
--
=Dennis L. Mumaugh
Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
greg@skippy.berkeley.edu (Greg) (11/10/88)
In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: >In article <16722@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes: > The obvious solution is to optimize crypt(3) as much as > possible, and then decide how many encryption passes there > should be. Since 40 x 25 = 1000, I recommend several > thousand passes. ... >Still a bad approach. A work factor assumes that one has do do >this on line. When Ken Thompson did his password attack he >sucked the password file back to his home system and did it >there. [Nowdays one could use a CRAY]. When I did my password >attacks I encrypted the dictionary FIRST. Firstly, there is no way that a virus would beam all passwords to one central computer to be processed there. Secondly, your approach will no longer work with the advent of the salt, the 12 random bits stored in the clear with the encrypted password. You would have to encrypt the dictionary 4096 times, or be content with cracking a much smaller portion of the password file. It would be good to expand the salt to 36 bits, just to make sure that you can't preencrypt even a small dictionary. Lastly, I'm not arguing that my suggestions will prevent password guessing completely, just that it will make it harder. I limited my suggestions to easy fixes for Unix. -- Greg
greg@skippy.berkeley.edu (Greg) (11/10/88)
In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: >Security is requires active and continuing work by a system >administrator. All the security mechanisms and protections in >the world won't help if the system administrator is unwilling to >use them. Nor, if the system administrator makes a mistake. Or, >if some one delibately unprocts things. I agree with this. However, if continual vigilance is your only answer, then you are asking the wrong question, at least as far as Unix systems are concerned. The question is not "How do we make Unix secure?", but "How do we get the most security with the least effort?" Many system managers just don't have the time or desire to turn their computers into fortresses. -- Greg
jfh@rpp386.Dallas.TX.US (John F. Haugh II) (11/10/88)
In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: |In article <16722@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes: | Now that we've killed all copies of the Internet virus and | fixed sendmail and fingerd, it's time to thinking about | stopping future viruses. | | Here is some of what needs to be done | |1. Protect the password file. | | On most Unix systems that I've seen, /etc/passwd is publicly | readable. There is no reason for this. It's amusing to | have encrypted passwords that anyone can look at, but it's | also a security hole. | |This problem was announced in 1976 and fixed in most secure |systems [I did it for NSA]. ATT has shadow (hidden) passwords |in System V Relase 3.2. Other vendors: go thou and do likewise. |The ONLY problem, applications programs can't use password |validation for authentication then. Of course a Yellow Pages RPC |call could be used: I began working on a login replacement Friday. It is virtually complete and only needs minor tweaking. It has most of the features of the better logins - subsystem logins, console-only root logins, environmental variables set from login: response, etc. I will be posting the code to alt.sources and pubnet.sources some time tonight to solicit comments and suggestions. Unfortunately, I also need a su(1) and passwd(1) replacement. I think I need some other stuff as well, but I don't remember ... The resulting code will be public domain and freely reproducible without any restrictions. -- John F. Haugh II +----Make believe quote of the week---- VoiceNet: (214) 250-3311 Data: -6272 | Nancy Reagan on Artifical Trish: InterNet: jfh@rpp386.Dallas.TX.US | "Just say `No, Honey'" UucpNet : <backbone>!killer!rpp386!jfh +--------------------------------------
jbn@glacier.STANFORD.EDU (John B. Nagle) (11/10/88)
In article <16768@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes: >In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: >Firstly, there is no way that a virus would beam all passwords to >one central computer to be processed there. No reason that can't be done. Richey did it that way. >Secondly, your approach will no longer work with the advent of the >salt, the 12 random bits stored in the clear with the encrypted >password. You would have to encrypt the dictionary 4096 times, or be >content with cracking a much smaller portion of the password file. It >would be good to expand the salt to 36 bits, just to make sure that you >can't preencrypt even a small dictionary. It's not clear that the "salt" trick helps all that much. Bear in mind that Dennis Mumaugh works for NSA. He's telling us that the UNIX password encryption system is fundamentally insecure. Pay attention, people. John Nagle
honey@mailrus.cc.umich.edu (peter honeyman) (11/10/88)
Dennis L. Mumaugh writes: >... I encrypted the dictionary FIRST. Then it was one >encrypt and a fgrep. From start to finish (copy of /etc/passwd >until printing of list of lognames and password was 45 minutes!). where did you store the gigabyte file? how long did it take to generate it? (25,000 word dictionary, 4,096 salts, 11 byte output each.) peter
ok@quintus.uucp (Richard A. O'Keefe) (11/10/88)
In article <16768@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes: >Secondly, your approach will no longer work with the advent of the >salt, the 12 random bits stored in the clear with the encrypted >password. You would have to encrypt the dictionary 4096 times, or be >content with cracking a much smaller portion of the password file. It >would be good to expand the salt to 36 bits, just to make sure that you >can't preencrypt even a small dictionary. I'm afraid the salt is not much protection. I'm not going to explain why, but read the crypt(3) manual page carefully...
smb@ulysses.homer.nj.att.com (Steven M. Bellovin) (11/11/88)
In article <778@mailrus.cc.umich.edu>, honey@mailrus.cc.umich.edu (peter honeyman) writes: > where did you store the gigabyte file? how long did it take to > generate it? (25,000 word dictionary, 4,096 salts, 11 byte output > each.) You don't need to use all 4096 salts; you simply need the ones used on the target system. On my system, for example, that reduces the storage needed by a factor of about 20, which makes it easily manageable. One key mistake made in the encryption algorithm design is that a cracker can take shortcuts to speed up the encryption. One of the slowest parts of DES (in software) is the initial and final permutations. These are inverses of each other, however, which means that when iterating DES the inverse permutation of step I and the permutation of step I+1 cancel out, and can be omitted. Thus, only one initial permutation, and one final permutation, are needed, rather than 25 of each. (This isn't my idea, by the way; I know I've seen it elsewhere, probably in the fdes package posted to the net a few years ago.)
dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (11/11/88)
In article <17828@glacier.STANFORD.EDU> jbn@glacier.UUCP (John B. Nagle) writes: > Bear in mind that Dennis Mumaugh works for NSA. He's telling us >that the UNIX password encryption system is fundamentally insecure. Pay >attention, people. > > John Nagle John is a bit out of date: I used to work for NSA. I changed employment in 1984 and I now work for ATT, Data Systems Group, in their top tier UNIX System software support group. Hence my knowledge on UNIX security can be out of date with respect to the US Government. Also much of the tiger team was done in 1976 and my security work was done in 1978-81 and then some later in 1983. As far as the ATT UNIX System V I am not authorized to comment on security aspects except to mention that System V Release 3.2 does use shadow passwords so brute force decrytpion is possible only through administratoir error. 3.2 also prevents shells being executed by setuid programs (e.g. using the system(3) feature). When I WAS working for NSA we started re-eingineering the password system to allow pass phrases and a rather strict censor for determining whether a pass-phrase would be accepted. Even the current System V does have some criteria and it also does password ageing. BUT most Berkely derived systems haven't kept pace. -- =Dennis L. Mumaugh Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
jbs@fenchurch.mit.edu (Jeff Siegal) (11/11/88)
In article <10835@ulysses.homer.nj.att.com> smb@ulysses.homer.nj.att.com (Steven M. Bellovin) writes: >You don't need to use all 4096 salts; you simply need the ones used >on the target system. It turns out that, due to a (apparent) bug in passwd.c, at least on Berkeley systems, only about 400 salts ever get used. Jeff Siegal
gwyn@smoke.BRL.MIL (Doug Gwyn ) (11/11/88)
In article <2182@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: >As far as the ATT UNIX System V I am not authorized to comment on >security aspects except to mention that System V Release 3.2 does >use shadow passwords so brute force decryption is possible only >through administrator error. It would be a great service to the community if specifications for this feature were posted or at least sent to developers who want to enable a similar feature on their (typically BSD-based) systems. For example, what is the shadow file called, what is its format, what sort of stuff is left in the password field in /etc/passwd, what facilities are there to validate a password against the shadow encrypted password file?
honey@mailrus.cc.umich.edu (peter honeyman) (11/11/88)
Steven M. Bellovin, my favorite coauthor, writes: >In article <778@mailrus.cc.umich.edu>, honey@mailrus.cc.umich.edu (peter honeyman) writes: >> where did you store the gigabyte file? how long did it take to >> generate it? (25,000 word dictionary, 4,096 salts, 11 byte output >> each.) > >You don't need to use all 4096 salts; you simply need the ones used >on the target system. On my system, for example, that reduces the >storage needed by a factor of about 20, which makes it easily manageable. steve, good buddy, that's not what he said. generating only the ones you need is the same as generating them as you need them. sure, you can drag old answers around with you and such, but eventually you end up with a gigabyte file. hell, i don't know if this is what he did. that's why i asked. peter
anders@suadb.UUCP (Anders Bj|rnerstedt) (11/11/88)
I would like to add: 6. A less blunt use of the set-user-id mechanism. Sendmail apparently needs to do rights amplification, but I dont see why it needs superuser rights. The uucp binaries have thier own owner/domain "uucp". Why cant the binaries related to mail have a similar domain "mail". I am sure there are other suid programs which are today owned by root, but which dont actually need full superuser priviliges. 7. It should be *possible* to physically write lock filesystems including the root file system. The disk write lock could perhaps be used, but the fact that it is tied to a device usually creates problems. What is needed is a physical togle for a logical concept: secure filesystems. It should be possible to place stable things like system programs in file systems marked "secure". The kernel (which would itself be placed in a secure filesystem) would only allow writes to a secure filesystem if a physical togle was in the "open" position. Normally the togle would be in the closed position. The togle is opened only when changes are really needed and requires a person to physically do it on-site. Sometimes this would be perceived as an inconvenience, but for those willing to pay the price it should be possible ------------------------------------ Anders Bjornerstedt Department of Computer & Systems Sciences University of Stockholm S-106 91 Stockholm Sweden INTERNET: anders@sisu.se OR anders%sisu.se@uunet.uu.net UUCP:{uunet,mcvax,cernvax}!enea!sics!sisus!anders.
dlm@cuuxb.ATT.COM (Dennis L. Mumaugh) (11/12/88)
In article <778@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman) writes: >Dennis L. Mumaugh writes: >>... I encrypted the dictionary FIRST. Then it was one >>encrypt and a fgrep. From start to finish (copy of /etc/passwd >>until printing of list of lognames and password was 45 minutes!). > >where did you store the gigabyte file? how long did it take to >generate it? (25,000 word dictionary, 4,096 salts, 11 byte output >each.) > I haven't done this in years, at the time I had a 300 meg disk to work with. Today my approach would be to analyze the salt and crypt to verify just which salts are valid [some are not valid or are rare]. Then I would build the dictionary of ~80000 entries plus variants. Then I would encrypt it with all salts. I have 4 3b20's and 30 3B2's and some have gigabytes of SCSI disks. [ 6250 tapes with 200 ips drives are also a possibilitiy]. Hence I can split the data into several places. All of this is done in advance. When the password file [or shadow] is found I split it into equivalence sets and send the entries for each set to the appropriate computer for munching. Hence to time to crack is the time to search each file. Don't forget that your estimate is off a bit too. I need the 13 byte encrypted version, a separator and then the plain text. Thus it is 22 bytes x 80,000 x 4096 or 7,208,960,000 bytes of storage. With say 20 cpus and only 400 real salts I need 36,044,800 bytes per machine. I can automate almost all of this and thanks to RFS and LAN's communcations isn't the problem. The time is that to fgrep the 36 Meg file on each machine. That runs about an hour depending on load and disk performance. The major point is that properly prepared one CAN crack passwords in less than an hour given adequate resources. -- =Dennis L. Mumaugh Lisle, IL ...!{att,lll-crg}!cuuxb!dlm OR cuuxb!dlm@arpa.att.com
jerry@olivey.olivetti.com (Jerry Aguirre) (11/12/88)
In article <2178@cuuxb.ATT.COM> dlm@cuuxb.UUCP (Dennis L. Mumaugh) writes: >Still a bad approach. A work factor assumes that one has do do >this on line. When Ken Thompson did his password attack he >sucked the password file back to his home system and did it >there. [Nowdays one could use a CRAY]. When I did my password >attacks I encrypted the dictionary FIRST. Then it was one >encrypt and a fgrep. From start to finish (copy of /etc/passwd >until printing of list of lognames and password was 45 minutes!). Several people have mentioned using a Cray to crack passwords. From what I have read, and from benchmark results, the Cray is not a very fast CPU for non-vector operations. So, unless the password encryption can be vectorized, the Cray is not likely to be very fast at doing it. Now maybe one of those Amdahl systems... Someone else posted that the Unix salt was really restricted to 400 values. I checked my (4.3BSD) systems. Out of 774 unique encryptions there were 702 unique salts. (Many times the same password is used on different systems so we copy it, salt and all.) I assume that the 400 salt bug either applies to some other version or is untrue. A larger salt would be a good idea though. Multi gigabyte, even terabyte storage is available today so a precomputed password dictionary, indexed for fast access, becomes more and more practical. Hiding the real passwords in a second copy of the /etc/password file that can only be read by root sounds easy to implement and should protect against private copies of crypt running. It also limits legitimate use of the password, the "gone" program for example. You also return to the situation the Unix password system was designed to avoid. If someone EVER gets root access, even if only read access, then they can mail the password file to themselvs. And how about that extra root dump you keep handy for booting systems? Is it locked up tight? My point is that this requires new procedures to fully implement it. Of course, even if it leaks, security is no worse than with publicly readable passwords. Me? I am fighting to get our users to use passwords, preferably something different from their login name. Jerry Aguirre
peter@ficc.uu.net (Peter da Silva) (11/13/88)
In article <8861@smoke.BRL.MIL>, gwyn@smoke.BRL.MIL (Doug Gwyn ) writes: > It would be a great service to the community if specifications for > this feature were posted or at least sent to developers who want > to enable a similar feature on their (typically BSD-based) systems. Based on the SV/386 version: > For example, what is the shadow file called /etc/shadow > , what is its format, Same as passwd, but only the username and password are filled in. > what sort of stuff is left in the password field in /etc/passwd, The letter 'x'. > what facilities are there to validate a password against the > shadow encrypted password file? I believe you have to be root to do this. There don't seem to be any facilities to do this for user programs, but I haven't read all the docs. -- Peter da Silva `-_-' Ferranti International Controls Corporation "Have you hugged U your wolf today?" uunet.uu.net!ficc!peter Disclaimer: My typos are my own damn business. peter@ficc.uu.net
rbj@nav.icst.nbs.gov (Root Boy Jim) (11/15/88)
From: peter honeyman <honey@mailrus.cc.umich.edu> Date: 10 Nov 88 05:40:29 GMT Sender: usenet@mailrus.cc.umich.edu Dennis L. Mumaugh writes: >... I encrypted the dictionary FIRST. Then it was one >encrypt and a fgrep. From start to finish (copy of /etc/passwd >until printing of list of lognames and password was 45 minutes!). where did you store the gigabyte file? how long did it take to generate it? (25,000 word dictionary, 4,096 salts, 11 byte output each.) peter In *core* on a Cray :-) (Root Boy) Jim Cottrell (301) 975-5688 <rbj@nav.icst.nbs.gov> or <rbj@icst-cmr.arpa> Careful with that VAX Eugene!
dwm@ihlpf.ATT.COM (Meeks) (11/18/88)
You can't stop people from coming up with ways to break into your information system. Not as long as more than one person has access. Two things I would suggest are: A VERY GOOD BACKUP SYSTEM, saving fulls for what may seem a very long time, like forever. Doing lot's of different level incrementals and then maybe a few project specific snapshots. Take pictures of your /, /usr, and /tmp. These pictures will include time stamps, ownership, size and checksum. Okay, how does this help? You can with the picture information monitor what is going on in important areas of your system and look for problems. When recovering, the several levels of incremental and project snapshots will come in handy if the virus is a particular nasty one. I would suggest you automate the picture taking and save your database in a safe place, remember it too could come under attack. Making a system secure at the risk of making it difficult to share information is poor use of time. It only costs those who use the system as a tool to get real work done. Security is all our responsibility and not to be taken lightly. Each of us need to use good passwords, terminal lock programs, and not put passwords on post-its which we then place on our terminals. Daniel W. Meeks, ...[att!]ihlpf!dwm, dwm@ihlpf.att.com --> These are my thoughts and not necessarily shared by my employer. <--
rbj@nav.icst.nbs.gov (Root Boy Jim) (11/18/88)
? From: Peter da Silva <peter@ficc.uu.net> ? > For example, what is the shadow file called ? /etc/shadow My first reaction is not to put it in /etc, or hide it with a dot, or call it something weird, but that doesn't really accomplish much. ? > , what is its format, ? Same as passwd, but only the username and password are filled in. Why not fill it all in? ? > what sort of stuff is left in the password field in /etc/passwd, ? The letter 'x'. Here I disagree. It just announces the existence of the shadow file. A better thing to do would be encrypt the password as usual, *and then select a random salt* to replace the salt it was encrypted with. That way, naive people can crack away to no avail. I note that you are reporting things the way they *are*; my comments are IMHO the way they *should be*. ? Peter da Silva `-_-' Ferranti International Controls Corporation ? "Have you hugged U your wolf today?" uunet.uu.net!ficc!peter ? Disclaimer: My typos are my own damn business. peter@ficc.uu.net (Root Boy) Jim Cottrell (301) 975-5688 <rbj@nav.icst.nbs.gov> or <rbj@icst-cmr.arpa> Crackers and Works -- Breakfast of Champions!
gwyn@smoke.BRL.MIL (Doug Gwyn ) (11/18/88)
In article <17575@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes: >A better thing to do would be encrypt the password as usual, *and then >select a random salt* to replace the salt it was encrypted with. That >way, naive people can crack away to no avail. No, that's not right since it doesn't block the "snarf /etc/passwd and run trial passwords against it" approach. If you want to leave encrypted passwords in /etc/passwd please make sure that (a) they are encryptions of random gobbledook and (b) the verification scheme never accepts a match against /etc/passwd as validating a user under any circumstances. (The scheme Mumaugh described did.)
w-colinp@microsoft.UUCP (Colin Plumb) (11/18/88)
In article <17575@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes: >? /etc/shadow > >My first reaction is not to put it in /etc, or hide it with a dot, or >call it something weird, but that doesn't really accomplish much. This is correct. *Real* security assumes the attacker knows as much as you do about the system. >? Same as passwd, but only the username and password are filled in. >Why not fill it all in? Because the other stuff is supposed to be world-readable - why bother keeping a copy which nobody needs? And the update synchronisation problems... >? > what sort of stuff is left in the password field in /etc/passwd, > >? The letter 'x'. > >Here I disagree. It just announces the existence of the shadow file. >A better thing to do would be encrypt the password as usual, *and then >select a random salt* to replace the salt it was encrypted with. That >way, naive people can crack away to no avail. I repeat: security assumes the attacker knows as much as you do. This is what's fundamentally right about the existing Unix password system. The *only* piece of information it's possible to extract from the system is whether user "foo" has password "bar". This applies no matter what knowledge of privelege level you have. Putting extra barriers in the face of the naive doesn't increase your real security one bit, and does distract you from your main goal. Indeed, this is why I'm against the idea of a shadow password file. It is physically possible to get at it, and so only discourages weak attacks which probably wouldn't succeed anyway, providing a false sense of security. Getting a copy of /etc/shadow may involve breaking into the computer room and stealing some backup tapes, but more likely a good Unix hack knows half a dozen ways to get a copy of a root-readable-only file. A bug in some setuid-root utility not vhecking to see if the ruid has the proper permissions before printing/mailing/uucp-ing/whatever the file? As it stands, the only thing that's worth getting at that way are the system sources, which lots of people have already. What *I* want is the VAX to run them on - or the next-best thing, a password on somebody else's VAX. If we keep the password function sufficiently simple that it can be computed in a reasonable amount of time (1/4 sec?) on an 11/750 or similar wimpy machine, assuming I have a Sun/4 (10 times as fast?) and a week or two to spend at it, the only way to stop me from guessing passwords is to expand the search space to more than 4*60*60*24*15*10 = 51840000 passwords. This is more than the number of 5-letter lower-case passwords, although significanly less than the number of 6-letter ones. If you add mixed case and whatnot, you have more possible passwords than any brute-force attempt can hope to attack. A more selective search must come up with a list of "probable" passwords. If you make passwords fit some strange pattern that bears no resemblance to anything else (as I suggested in my last posting, strip off the first and last characters, and require the remaining ones to contain an upper-case letter, a lower-case letter, and a digit), neither the people picking the passwords or the cracker has anything the password "should" resemble, so there's no word list a cracker can use, and very little data to build one from. Remember: on a Unix system, most routes to a root shell don't involve knowing the root password. So don't assume someone with root priveleges doesn't need to crack passwords. Make it hard even for root. (P.S. Personally, I'm not keen on passwords. Hooray for Der Mouse! But there's no point in having the annoyances, and not the advantages, of a properly done system.) -- -Colin (microsof!w-colinp@sun.com)
allbery@ncoast.UUCP (Brandon S. Allbery) (11/20/88)
As quoted from <556@suadb.UUCP> by anders@suadb.UUCP (Anders Bj|rnerstedt): +--------------- | 6. A less blunt use of the set-user-id mechanism. | Sendmail apparently needs to do rights amplification, | but I dont see why it needs superuser rights. The uucp +--------------- On networked systems, sendmail has to be able to listen on the SMTP network port -- which requires superuser permissions. +--------------- | 7. It should be *possible* to physically write lock filesystems | including the root file system. The disk write lock could +--------------- SunOS 4.x mounts / read-only, doesn't it? +--------------- | systems marked "secure". The kernel (which would itself be | placed in a secure filesystem) would only allow writes to | a secure filesystem if a physical togle was in the "open" | position. Normally the togle would be in the closed position. +--------------- Interesting thought. However, I think it should be reserved for heavy-duty security; such an arrangement, for example, would mean the end of ncoast. (Most of the maintenance on ncoast is done over the modem.) ++Brandon -- Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X uunet!hal.cwru.edu!ncoast!allbery <PREFERRED!> ncoast!allbery@hal.cwru.edu allberyb@skybridge.sdi.cwru.edu <ALSO> allbery@uunet.uu.net comp.sources.misc is moving off ncoast -- please do NOT send submissions direct Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
chris@mimsy.UUCP (Chris Torek) (11/20/88)
In article <31@microsoft.UUCP> w-colinp@microsoft.UUCP (Colin Plumb) writes: >I repeat: security assumes the attacker knows as much as you do. This >is what's fundamentally right about the existing Unix password system. >The *only* piece of information it's possible to extract from the system >is whether user "foo" has password "bar". This applies no matter what >knowledge of privelege level you have. `Security' is not really an absolute. The security of a system can only be estimated, and even then, only with some assumptions in mind. While there is substantial merit in the existing scheme (which does not assume that `unreadable' shadow files are in fact unreadable), there is also considerable merit in multiple barriers. >Putting extra barriers in the face of the naive doesn't increase your real >security one bit, and does distract you from your main goal. Define `your real security'. We have people who more or less idly try to log in (`user fred, password fred; user mike, password mike; oh well, so much for that'), people who make a slightly more determined effort (get a listing of actual login names and full names, perhaps by reading over professors' shoulders, and work from that: these people usually find it simpler instead to get *paid* to use the machine: i.e., become an RA or TA), and, rarely, a real attack from someone who knows something about Unix systems. We already have adequate protection against the first two types---not perfect, but adequate; we would like to have protection against the third. Shadow password files are a step in that direction. They may not keep everyone out, but they are likely to help. Nothing we do will keep out the NSA, or even the Marines [hi rab! :-) ], but that is not our objective. Our objective is to keep out the `average' attacker, whose ability to decrypt Unix-style encrypted passwords is on the rise. >If we keep the password function sufficiently simple that it can be >computed in a reasonable amount of time (1/4 sec?) on an 11/750 or >similar wimpy machine, assuming I have a Sun/4 (10 times as fast?) and >a week or two to spend at it. . . . Would you like to suggest such a function? Software DES is nowhere near that hard. Besides, you may have access to a network of hundreds of machines hundreds of times faster, and more than just a week or two to spend. This is where shadow files, password aging, multi-level (`ring') schemes, ACLs, and (eventually) all the rest of the high level security schemes come in. They all have some cost; the proper design of a security system selects the one with the most value for the least cost. The value of shadow files is low, but so is the cost; it is (now, suddenly) seen as within our budget. (Actually, we are thinking of using the MIT Kerberos stuff instead, here. It has a somewhat higher cost, but has more value too.) -- In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163) Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
rbj@nav.icst.nbs.gov (Root Boy Jim) (11/23/88)
>From Doug Gwyn ? In article <17575@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes: ? >A better thing to do would be encrypt the password as usual, *and then ? >select a random salt* to replace the salt it was encrypted with. That ? >way, naive people can crack away to no avail. ? No, that's not right since it doesn't block the "snarf /etc/passwd ? and run trial passwords against it" approach. If you want to leave ? encrypted passwords in /etc/passwd please make sure that (a) they ? are encryptions of random gobbledook and (b) the verification ? scheme never accepts a match against /etc/passwd as validating a ? user under any circumstances. (The scheme Mumaugh described did.) My suggesting the resalting technique was an attempt to disguise the encryption. As it turns out, since the encryption algorithm is completely dense, I have unwittingly provided a target. I accept your (a) (altho why bother to encrypt at all?), and never suggested (b). (Root Boy) Jim Cottrell (301) 975-5688 <rbj@nav.icst.nbs.gov> or <rbj@icst-cmr.arpa> Crackers and Worms -- Breakfast of Champions!