Article Title: Migrating from shadow passwords to tcb on Linux.
Shadow passwords have been an established standard on Linux distributions for many years, and so has the use of MD5 password hashes. The traditional shadow approach has its shortcomings, however, and MD5 is no longer as secure as it once was.
One disadvantage of the shadow file is that any application that needs to look up a single shadow password (for example your own) can also read everyone else's, so any malicious tool that manages to read the shadow file obtains every user's password hash at once.
Besides shadow there is an alternative called tcb, written by the Openwall Project and available from the tcb homepage. Migrating to tcb takes some work, but it is fairly straightforward. Only Openwall GNU/*/Linux, ALT Linux and Annvix support tcb directly, so to get tcb support on your chosen distribution you have to patch and rebuild several programs.
From the tcb site, download tcb and build it together with the accompanying pam_tcb and nss_tcb libraries. You also need the glibc patch that adds crypt_blowfish support (some distributions, such as SUSE, already support Blowfish password hashes, so no patch is needed there).
You may also need to patch shadow-utils; depending on the version your distribution ships, the patch is available from the Openwall CVS repository (shadow-utils 4.0.4.1) or the Annvix SVN repository (4.0.12). Tools in shadow-utils such as adduser and chage must be patched to provide tcb support. The tcb page links to the latest crypt_blowfish, which can be patched into glibc.
Once these prerequisites are met and tcb is compiled and installed, replace every call to pam_unix.so and/or pam_pwdb.so in the /etc/pam.d/* files with pam_tcb.so, as in the listing below.
Listing

    auth      required  pam_env.so
    auth      required  pam_tcb.so shadow fork nullok prefix=$2a$ count=8

    account   required  pam_tcb.so shadow fork

    password  required  pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
    password  required  pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8

    session   required  pam_limits.so
    session   required  pam_tcb.so

If you want to keep MD5 password hashes instead of Blowfish, remove prefix=$2a$ count=8 from the pam_tcb.so lines. Then edit /etc/nsswitch.conf and change the shadow line to read:
    shadow: tcb nisplus nis
The passwd program needs to be sgid shadow rather than suid root, and USE_TCB yes must be set in /etc/login.defs. Once these steps are complete, run /sbin/tcb_convert to convert the shadow file into per-user files stored under /etc/tcb. Afterwards, remove /etc/shadow and /etc/shadow-, and your system is using tcb.
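A post-migration sanity check for the steps above, written for this article as an added example (it is not part of the original text or of the tcb project). It verifies that no PAM file still calls pam_unix.so or pam_pwdb.so, that nsswitch.conf serves shadow lookups from tcb, that USE_TCB yes is set in login.defs, and that passwd is setgid rather than setuid; the default paths are assumptions and every check takes an explicit path so it can run against the constructed sample tree.

```shell
#!/bin/sh
# Post-migration checks for a shadow-to-tcb conversion (added example, not from the article).
# Paths are parameters so the checks can run against sample files; defaults are assumptions.

# Number of files under a PAM config directory that still call pam_unix.so or pam_pwdb.so.
# After the migration every such call should be pam_tcb.so, so the expected result is 0.
leftover_pam_modules() {
    grep -l -E 'pam_(unix|pwdb)\.so' "${1:-/etc/pam.d}"/* 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds if the shadow line in nsswitch.conf lists tcb as the first source.
nsswitch_uses_tcb() {
    grep -E '^[[:space:]]*shadow:[[:space:]]+tcb([[:space:]]|$)' "${1:-/etc/nsswitch.conf}" >/dev/null
}

# Succeeds if USE_TCB yes is set in login.defs.
login_defs_use_tcb() {
    grep -E '^[[:space:]]*USE_TCB[[:space:]]+yes' "${1:-/etc/login.defs}" >/dev/null
}

# Succeeds if passwd carries the setgid bit and no longer the setuid bit
# (the tcb model: sgid shadow instead of suid root).
passwd_is_sgid_not_suid() {
    [ -g "${1:-/usr/bin/passwd}" ] && [ ! -u "${1:-/usr/bin/passwd}" ]
}

# Builds a constructed sample tree under $1: one migrated PAM file, one with a leftover
# pam_unix.so call, matching nsswitch.conf and login.defs, and a fake passwd with mode 2755.
make_sample_tree() {
    mkdir -p "$1/pam.d"
    printf 'auth required pam_tcb.so shadow fork nullok prefix=$2a$ count=8\n' > "$1/pam.d/login"
    printf 'auth required pam_unix.so nullok\n' > "$1/pam.d/sshd"
    printf 'passwd: files nis\nshadow: tcb nisplus nis\n' > "$1/nsswitch.conf"
    printf 'USE_TCB yes\n' > "$1/login.defs"
    : > "$1/passwd" && chmod 2755 "$1/passwd"
}

# Runs every check against the sample tree and prints one verdict per check.
report() {
    d=$(mktemp -d) && make_sample_tree "$d"
    echo "PAM files still using pam_unix/pam_pwdb: $(leftover_pam_modules "$d/pam.d")"
    nsswitch_uses_tcb "$d/nsswitch.conf" && echo "nsswitch: ok" || echo "nsswitch: shadow not served by tcb"
    login_defs_use_tcb "$d/login.defs" && echo "login.defs: ok" || echo "login.defs: USE_TCB yes missing"
    passwd_is_sgid_not_suid "$d/passwd" && echo "passwd mode: ok" || echo "passwd mode: not sgid, or still suid"
    rm -rf "$d"
}
report
```

Against a real system, call the four check functions with no arguments (or with your distribution's actual paths) instead of the sample tree.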
Getting tcb support in place may take some effort, and it is a pity that more distributions do not offer it, either natively or through add-on packages. tcb combined with Blowfish password hashing gives your Linux distribution a considerably more secure password system.