Newsgroups: news.sysadmin
Path: utzoo!henry
From: henry@utzoo.uucp (Henry Spencer)
Subject: Re: How to stop future viruses.
Message-ID: <1988Nov10.172126.27002@utzoo.uucp>
Organization: U of Toronto Zoology
References: <16722@agate.BERKELEY.EDU>
Date: Thu, 10 Nov 88 17:21:26 GMT

In article <16722@agate.BERKELEY.EDU> greg@math.Berkeley.EDU (Greg) writes:
>1.  Protect the password file.

As a number of people have already mentioned, this is a lousy idea because
some of the other information in there is important.  The thing to do is
to get the passwords out of there and off somewhere else, somewhere that
is protected.  For good measure, put random pseudo-passwords in /etc/passwd
to waste the time of would-be crackers.

>2.  Strengthen crypt(3).
>...The obvious solution is to optimize crypt(3) as much as possible, and
>then decide how many encryption passes there should be...

There are two problems with this.  First, while the password encryption
algorithm ought to be slow enough to interfere with brute-force searches,
it *must* be fast enough to run in a tolerable length of time on the
small, slow machines that still run many Unixes.  This is a difficult
compromise.  A cheaper way to make brute-force searches unproductive is
to work hard on convincing users to use passwords that such a search won't
find easily.  Passwd should (and does, on some systems) simply refuse to
allow anything in /usr/dict/words as a password, which instantly kills
the usefulness of dictionary-based searches.  The second problem is that
multiple encryption isn't necessarily any better than single encryption;
it's sometimes possible to devise an algorithm that does the multiple
encryption in a single step.  I don't know that anybody has done this for
DES, but the possibility should not be ignored.

>The read status of user directories is the most obvious and inviting
>Unix security bug there is...

Unfortunately, it is also very valuable to many sites, hence many people
are reluctant to do this.
-- 
Sendmail is a bug,             |     Henry Spencer at U of Toronto Zoology
not a feature.                 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
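The dictionary check Henry describes passwd doing (refusing anything found in /usr/dict/words) is small enough to show in full. The program below is an added illustration written for this page, not code from the post or from any Unix passwd(1); `in_dictionary`, `in_word_file`, `password_acceptable` and the word list `sample_words` are names and data constructed here so it runs offline, and it goes one step beyond the post by folding case, since "Password" costs a dictionary search no more than "password".

```c
/* Added example, not from the original post: the kind of dictionary check a
 * passwd(1) can apply before it ever calls crypt(3), refusing any candidate
 * that appears in a word list such as /usr/dict/words.  Matching is
 * case-insensitive (an extension beyond the post's exact-word rule).
 * The embedded word list is a constructed sample; a real installation
 * streams the system word file instead (see in_word_file). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LEN 64   /* longest word or candidate we bother to compare */

/* Constructed stand-in for /usr/dict/words. */
static const char *const sample_words[] = {
    "apple", "banana", "computer", "password", "secret", "zoology"
};
static const size_t sample_count = sizeof sample_words / sizeof sample_words[0];

/* Case-insensitive equality; assumes an ASCII word list. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if pw matches any entry of an in-memory word list, else 0. */
int in_dictionary(const char *pw, const char *const *dict, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (str_ieq(pw, dict[i]))
            return 1;
    return 0;
}

/* Same check against a one-word-per-line file, read line by line so even a
 * large /usr/dict/words needs no memory.  Returns 1 (found), 0 (not found),
 * or -1 if the file cannot be opened, so the caller can fall back. */
int in_word_file(const char *pw, const char *path)
{
    char line[MAX_LEN];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (str_ieq(pw, line)) {
            fclose(f);
            return 1;
        }
    }
    fclose(f);
    return 0;
}

/* Policy decision: 1 if the candidate may be set, 0 if it is a dictionary
 * word and must be refused.  Other rules (length, etc.) would go here. */
int password_acceptable(const char *pw, const char *const *dict, size_t n)
{
    return in_dictionary(pw, dict, n) ? 0 : 1;
}

int main(int argc, char **argv)
{
    const char *pw = argc > 1 ? argv[1] : "password";
    int hit = in_word_file(pw, "/usr/dict/words");
    if (hit < 0)   /* no system word list on this machine: use the sample */
        hit = in_dictionary(pw, sample_words, sample_count);
    printf("%s: %s\n", pw, hit ? "rejected (dictionary word)" : "acceptable");
    return hit ? 1 : 0;
}
```

Run it as `./a.out <candidate>`; a word from the list is refused before any hashing happens, which is exactly why such a check makes a dictionary-driven search against the stored hashes unproductive regardless of how fast crypt(3) is.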
