Linux Security HOWTO : Password Security and Encryption
Previous: Trojan Horses
Next: PGP and Public-Key Cryptography

6. Password Security and Encryption

Passwords remain one of the most important security features in use today. It is important for both you and all your users to have strong, unguessable passwords. Most recent Linux distributions ship a passwd program that refuses easily guessable passwords (dictionary words, very short strings, trivial variations of the old password). Make sure your passwd program is up to date and has these checks.

In-depth discussion of encryption is beyond the scope of this document, but an introduction is in order. Encryption is very useful, possibly even necessary in this day and age. There are all sorts of methods of encrypting data, each with its own set of characteristics.

Most Unices (and Linux is no exception) do not store passwords in the clear but as the output of a one-way function, crypt(3), which is traditionally built on DES (Data Encryption Standard). DES itself is a two-way cipher (given the key, you can encrypt and then decrypt a message), but crypt uses it one-way: the password is the key, a constant block is encrypted repeatedly, and a small random salt is stored alongside the result so that two users with the same password get different entries. The result lives in the world-readable /etc/passwd on older systems or, on any current distribution, in /etc/shadow, which is readable only by root (see Section 6.8). When you attempt to log in, the password you type is run through the same function with the stored salt and the output is compared with the stored entry. If they match, it must be the same password, and you are allowed access. It should not be possible to reverse the function and recover the password from the contents of /etc/passwd (or /etc/shadow); an attacker who obtains the file is reduced to guessing.

Password-cracking programs such as Crack or John the Ripper (see Section 6.9) feed dictionary words, common mangling rules and finally brute-force candidates through the same one-way function and compare the results with the stored hashes; they will often recover a password unless it is long and sufficiently random. PAM modules (see Section 6.5) let you switch the hashing routine to something stronger than traditional DES crypt (MD5 crypt or, on current systems, SHA-512 crypt or yescrypt), which also removes the eight-character limit of the DES variant. You can use Crack to your advantage as well: periodically run it against your own password database to find weak passwords, then contact the offending users and instruct them to change their passwords.
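The login check described above and the self-audit with Crack are small enough to show in code. The following is an added example, not code from the HOWTO or from Crack/John: it uses a salted SHA-256 as a stand-in for the DES-based crypt(3) (the hash algorithm differs, the store/verify/audit logic is the same), and the shadow-style entries, salts, mangling rules and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import string

# Added example. toy_crypt() is a stand-in for crypt(3): salted SHA-256
# rather than the DES-based function the text describes. The workflow it
# demonstrates is the real one: store salt + one-way hash, verify a login by
# re-hashing the typed password, audit by hashing a wordlist and comparing.

SALT_CHARS = string.ascii_letters + string.digits + "./"   # traditional crypt salt alphabet


def toy_crypt(password: str, salt: str) -> str:
    """One-way and salted: same password + same salt always yields the same string."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$toy${salt}${digest}"


def new_salt(length: int = 8) -> str:
    """Fresh random salt for a new entry (same password, different users -> different hashes)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def verify(stored: str, attempt: str) -> bool:
    """Login check: re-hash the attempt under the stored salt and compare.
    Nothing is decrypted; a match means the same password was typed."""
    _, scheme, salt, _digest = stored.split("$")
    if scheme != "toy":
        raise ValueError(f"unsupported hash scheme ${scheme}$")
    return hmac.compare_digest(toy_crypt(attempt, salt), stored)


def mangle(word: str, user: str):
    """A few Crack-style mangling rules (constructed): plain, capitalised,
    reversed, the username itself, and a single digit appended."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    yield user
    for digit in "0123456789":
        yield word + digit


def crack(shadow_lines, wordlist):
    """Dictionary audit in the spirit of Crack/John: {user: guessed password}.
    Because every account has its own salt, each candidate must be hashed
    once per account; that is what the salt buys the defender."""
    found = {}
    for line in shadow_lines:
        user, stored = line.split(":", 2)[:2]
        if stored in ("", "*") or stored.startswith("!"):
            continue   # no password or locked account: nothing to guess
        for word in wordlist:
            hit = next((c for c in mangle(word, user) if verify(stored, c)), None)
            if hit is not None:
                found[user] = hit
                break
    return found


# Constructed sample data modelled on /etc/shadow; fixed salts keep the run reproducible.
SAMPLE_SHADOW = [
    "alice:" + toy_crypt("password1", "Ab3./xYz") + ":19000:0:99999:7:::",
    "bob:" + toy_crypt("Secret", "q9Lm2Npt") + ":19000:0:99999:7:::",
    "carol:" + toy_crypt("x7Qm!2pL#v", "ZZtop.99") + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "dave:!$toy$abcdefgh$0000:19000:0:99999:7:::",
]
WORDLIST = ["password", "secret", "letmein", "linux"]

if __name__ == "__main__":
    alice_hash = SAMPLE_SHADOW[0].split(":")[1]
    print(verify(alice_hash, "password1"))   # True
    print(verify(alice_hash, "Password1"))   # False
    for user, pw in crack(SAMPLE_SHADOW, WORDLIST).items():
        print(f"{user}: weak password {pw!r}, ask them to change it")
```

Running it recovers alice's and bob's passwords from a four-word list while carol's random one survives, and the locked and passwordless accounts are skipped. A real audit would use John or Crack against the actual /etc/shadow hashes; the block only shows why such a run finds what it finds.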

You can go to http://consult.cern.ch/writeup/security/security_3.html for information on how to choose a good password.

6.1. PGP and Public-Key Cryptography

6.2. SSL, S-HTTP and S/MIME

6.3. Linux IPSEC Implementations

6.4. ssh (Secure Shell) and stelnet

6.5. PAM - Pluggable Authentication Modules

6.6. Cryptographic IP Encapsulation (CIPE)

6.7. Kerberos

6.8. Shadow Passwords

6.9. "Crack" and "John the Ripper"

6.10. CFS - Cryptographic File System and TCFS - Transparent Cryptographic File System

6.11. X11, SVGA and display security

6.11.1. X11
6.11.2. SVGA
6.11.3. GGI (Generic Graphics Interface project)
