Migrate from a hidden password to tcb in Linux


As the de facto standard on Linux distributions, shadow passwords have been in use for many years. However, traditional shadow passwords have shortcomings, and even MD5 password hashes are not as secure as they once were.

One disadvantage of the shadow password file is that any program that needs to look up a single shadow entry (for example, your own password hash) can also read everyone else's. This means that any malicious tool able to read the shadow file can obtain every user's password hash.

Fortunately, there is an alternative called tcb, written by the Openwall Project and available from the tcb homepage. Migrating to tcb requires some work, but it is quite straightforward. Because only Openwall GNU/*/Linux, ALT Linux, and anw.x support tcb directly, obtaining tcb support on your chosen distribution means compiling several programs and patching them.

From the tcb site, download the tcb package and compile it together with the accompanying pam_tcb and nss_tcb libraries. You also need to install the glibc patch that adds crypt_blowfish support (some distributions, such as SUSE, already support blowfish password hashes, so no patch is needed there).

You may also want to patch the shadow-utils suite. Depending on the shadow-utils version your distribution ships, the required patch is available from Openwall CVS (shadow-utils 4.0.4.1) or the an1_x SVN repository (4.0.12). Tools in shadow-utils such as adduser and chage must be patched to provide tcb support. The tcb page also links to the latest crypt_blowfish, which can be patched into glibc. Once these prerequisites are met and tcb is compiled and installed, you basically need only edit the files under /etc/pam.d/ and replace every reference to pam_unix.so and/or pam_pwdb.so with pam_tcb.so, as in Listing A.

Listing A

    auth     required pam_env.so
    auth     required pam_tcb.so shadow fork nullok prefix=$2a$ count=8
    account  required pam_tcb.so shadow fork
    password required pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
    password required pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8
    session  required pam_limits.so
    session  required pam_tcb.so

If you want to continue using MD5 password hashes instead of blowfish, remove prefix=$2a$ count=8 from the password line. You also need to modify /etc/nsswitch.conf so that the shadow line reads:

    shadow: tcb nisplus nis

The passwd program needs to be sgid shadow instead of suid root, and USE_TCB yes must be set in /etc/login.defs. After these steps are completed, run /sbin/tcb_convert to convert the shadow file into per-user files stored under /etc/tcb. Then remove /etc/shadow and /etc/shadow-, and your system is using tcb.

Getting tcb support working may take some time, and it is a pity that more distributions do not provide it, either natively or through add-on packages. Using tcb together with blowfish password hashes gives your Linux distribution a much safer password system.
