2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to migrate from shadow passwords to tcb in Linux. Most people are not very familiar with the process, so it is shared here for your reference.
Shadow passwords have been the de facto standard for Linux distributions for many years, and so has the use of md5 passwords. However, traditional shadow passwords have shortcomings, and even md5 is not as secure as it used to be.
One drawback of the shadow password file is that any application that needs to look up an individual shadow password (such as yours) can also see everyone else's shadow passwords. This means that any malicious tool that can read the shadow file can obtain everyone else's shadow passwords.
There is an alternative called tcb, written by the Openwall Project and available from the tcb home page. Migrating to tcb requires some work, but it is quite straightforward. Because only Openwall GNU/*/Linux, ALT Linux, and Annvix support tcb directly, getting tcb support on the distribution of your choice means recompiling and patching several programs.
From the tcb site, you can download tcb and compile it together with the related pam_tcb and nss_tcb libraries. You also need to patch glibc to support crypt_blowfish (some distributions, such as SUSE, may already support blowfish passwords, in which case no patch is needed).
You may also want to patch the shadow-utils suite; depending on the version of shadow-utils your distribution uses, you can get the required patch from Openwall CVS for shadow-utils 4.0.4.1 or from the Annvix SVN repository for 4.0.12. The shadow-utils tools such as adduser, chage, and so on need to be patched to provide tcb support. The tcb page also links to the crypt_blowfish patch for glibc. Once these prerequisites are met and tcb is compiled and installed, you can essentially replace all calls to pam_unix.so and/or pam_pwdb.so in the /etc/pam.d/* files with pam_tcb.so, as shown in Listing A.
Listing A
auth        required    pam_env.so
auth        required    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
account     required    pam_tcb.so shadow fork
password    required    pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password    required    pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8
session     required    pam_limits.so
session     required    pam_tcb.so
If you want to continue to use md5 passwords instead of blowfish passwords, remove the prefix=$2a$ count=8 entry from the password line. You also need to modify /etc/nsswitch.conf so that the shadow line reads:
shadow: tcb nisplus nis
The passwd program needs to be sgid shadow rather than suid root, and /etc/login.defs should include USE_TCB yes. Once this is done, you can run the /sbin/tcb_convert program to convert the shadow file into the appropriate per-user files, which are stored in /etc/tcb/. After you have done this, remove the /etc/shadow and /etc/shadow- files, and your system is using tcb.
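Because the last step deletes /etc/shadow, it is worth checking the earlier steps first. The following pre-flight check is an added example, not part of the original article or of tcb itself; the function name tcb_preflight and the /usr/bin/passwd path are assumptions, and an alternate root directory can be passed so it can be run against a copy of /etc.

```shell
#!/bin/sh
# Pre-flight check to run before deleting /etc/shadow in a tcb migration.
# Usage: tcb_preflight [ROOT]   (ROOT defaults to the live system)
# Prints each finding; the return status is the number of findings (0 = ready).
tcb_preflight() {
    root="${1:-}"
    etc="$root/etc"
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # 1. No active (uncommented) PAM line may still call pam_unix.so or pam_pwdb.so.
    for f in "$etc"/pam.d/*; do
        [ -f "$f" ] || continue
        if grep -Ev '^[[:space:]]*#' "$f" | grep -Eq 'pam_(unix|pwdb)\.so'; then
            fail "$f still references pam_unix.so or pam_pwdb.so"
        fi
    done

    # 2. NSS must resolve shadow entries through tcb first.
    grep -Eq '^[[:space:]]*shadow:[[:space:]]*tcb([[:space:]]|$)' \
        "$etc/nsswitch.conf" 2>/dev/null \
        || fail "nsswitch.conf: shadow line does not start with tcb"

    # 3. shadow-utils must be told to use tcb.
    grep -Eq '^[[:space:]]*USE_TCB[[:space:]]+yes' "$etc/login.defs" 2>/dev/null \
        || fail "login.defs: USE_TCB yes is missing"

    # 4. tcb_convert must already have populated /etc/tcb/.
    [ -n "$(ls -A "$etc/tcb" 2>/dev/null)" ] \
        || fail "$etc/tcb is missing or empty (run /sbin/tcb_convert first)"

    # 5. passwd should be setgid, not setuid (binary path is an assumption).
    p="$root/usr/bin/passwd"
    if [ -e "$p" ]; then
        [ -u "$p" ] && fail "$p is still setuid"
        [ -g "$p" ] || fail "$p is not setgid"
    fi

    return "$problems"
}
```

Run it as root on the migrated host and remove /etc/shadow and /etc/shadow- only when it prints nothing and returns 0.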
Getting tcb support may take some effort, and it is unfortunate that more distributions do not provide it, either natively or through an add-on. Using tcb together with blowfish passwords will give your Linux system a much more secure password system.