Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Is /etc/shadow safe?
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 03, 2014 5:42 pm    Post subject: Is /etc/shadow safe? Reply with quote

I'm syncing my laptop with several other identical laptops which are used by other people. Are my own passwords in /etc/shadow safe?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 03, 2014 5:56 pm    Post subject: Reply with quote

/etc/shadow is fine, the hashed passwords are in /etc/passwd-. (not a typo, with a dash at the end).
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 03, 2014 8:47 pm    Post subject: Reply with quote

My hashed passwords appear to be in /etc/shadow and not /etc/passwd-. Either way, is the file containing them safe to distribute?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 03, 2014 9:00 pm    Post subject: Reply with quote

How did you manage that? Did you purposefully specify that? What is the ownership of that file? Your system may be insecure to begin with...

In any case, no, I wouldn't; http://www.openwall.com/john/doc/EXAMPLES.shtml
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 03, 2014 9:25 pm    Post subject: Reply with quote

I definitely did not do it on purpose, but it's like that on all of my systems so Gentoo must set it up that way:

-rw-r----- 1 root root 1158 Feb 26 09:55 /etc/shadow

Your link isn't working right now, but is the idea that someone could decipher the password if they have access to its hash?

Are there other files I should not distribute from a security or privacy perspective besides those in /home?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 03, 2014 9:55 pm    Post subject: Reply with quote

Actually, you are right. shadow and shadow- are the same files on my system too... I'll look into that.
But yeah, giving the expected hash to an attacker enables him to brute force the system too easily.

How are you syncing the pcs? just a cp/tar/dd? Same hardware?

To ensure no important info would leak out, I'd take the opposite approach: copy your world file after having done the basic install, emerge @world, then choose important /etc files to copy.
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 03, 2014 10:01 pm    Post subject: Reply with quote

OK, so the - version of /etc's group, shadow, passwd files are just backups, I was mistaken there.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 03, 2014 11:28 pm    Post subject: Reply with quote

Quote:
But yeah, giving the expected hash to an attacker enables him to brute force the system too easily.

Maybe I could counteract that by using really good passwords.

I'm syncing with rsync. Identical hardware. I'm really happy with the way it works, I just want to be careful of any stray files that shouldn't be distributed. Any others come to mind outside of /home?
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9058

PostPosted: Tue Mar 04, 2014 3:34 am    Post subject: Reply with quote

Anything in /etc needs to be given special consideration before syncing. As you know, some files in /etc are security-sensitive. Others may represent system-specific configuration, such as preference on which services to start, how to configure the network, and so on. Identical hardware does not guarantee identical software usage, so even if the files can be shared, that may not be the right choice.
Back to top
View user's profile Send private message
szatox
Guru
Guru


Joined: 27 Aug 2013
Posts: 392

PostPosted: Tue Mar 04, 2014 8:28 am    Post subject: Reply with quote

Why you're syncing those laptops?
If you want to save some compilation time, you can use portage to build binary packages and then install them (with portage) on the rest.
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Tue Mar 04, 2014 8:33 am    Post subject: Reply with quote

If your concern is build time, look into this instead: https://wiki.gentoo.org/wiki/Binary_package_guide#Creating_binary_packages

As for etc configuration, I keep the files that are modified in a git, and sync that with other PC's etc. I do it with files like /etc/portage, X11.
I'm the user of both those PCs, so I also have sudo, sshd, polkit & firewall rules. Be careful before sharing those, there could be sensitive information in them (mainly if they're badly configured).
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1241
Location: 42.68n 85.41w

PostPosted: Tue Mar 04, 2014 9:30 am    Post subject: Reply with quote

http://www.linuxsolutions.fr/annvix-using-the-tcb-shadow-alternative/

http://www.openwall.com/tcb/

i remember seeing something about shadow being compromised a while ago.

http://felinemenace.org/~andrewg/configuring_gentoo_to_use_openwall_tcb/

brew me up a wiki so i can sleep and get drunk instead of fixing it myself.
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
https://wiki.gentoo.org/index.php?title=Special:Contributions/666threesixes666&offset=&limit=500&target=666threesixes666
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Tue Mar 04, 2014 2:05 pm    Post subject: Reply with quote

Quote:
Anything in /etc needs to be given special consideration before syncing. As you know, some files in /etc are security-sensitive.

Which are potentially security-sensitive besides /etc/shadow?

Quote:
Others may represent system-specific configuration, such as preference on which services to start, how to configure the network, and so on. Identical hardware does not guarantee identical software usage, so even if the files can be shared, that may not be the right choice.

That's for sure.

Quote:
Why you're syncing those laptops?
If you want to save some compilation time, you can use portage to build binary packages and then install them (with portage) on the rest.

I want to be able to change and maintain a whole slew of laptops by only changing and maintaining my own. Since the hardware is identical, it really isn't necessary to use portage beyond the "master" laptop.

Quote:
I do it with files like /etc/portage, X11.
I'm the user of both those PCs, so I also have sudo, sshd, polkit & firewall rules. Be careful before sharing those, there could be sensitive information in them (mainly if they're badly configured).

What kind of info could be sensitive there?

Quote:
http://www.openwall.com/tcb/

So tcb is meant to mitigate the kind of risk I'm running into with sharing /etc/shadow? Is it in portage under another name?
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1241
Location: 42.68n 85.41w

PostPosted: Tue Mar 04, 2014 9:37 pm    Post subject: Reply with quote

i think tcb is what you're after.... tcb is NOT in portage or in any overlays that i could find. zunga says its sys-auth/tcb like it did have it at one time. x86 x86 x86 maybe its because im amd64 that im not seeing it?

http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-auth/tcb/?hideattic=0

https://bugs.gentoo.org/show_bug.cgi?id=371167

last comment of the bug says use hardened shadow instead of tcb.

https://code.google.com/p/hardened-shadow/

im not selinux or hardened so idk whats what.... im just digging for info, and sharing what im finding.
_________________
cat /etc/*-release
Funtoo Linux - baselayout 2.2.0
consider this warning no. 1
https://wiki.gentoo.org/index.php?title=Special:Contributions/666threesixes666&offset=&limit=500&target=666threesixes666
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 9058

PostPosted: Tue Mar 04, 2014 10:19 pm    Post subject: Reply with quote

grant123 wrote:
Quote:
Anything in /etc needs to be given special consideration before syncing. As you know, some files in /etc are security-sensitive.

Which are potentially security-sensitive besides /etc/shadow?
PPP / VPN configuration is often stored under /etc, and parts of that are security-sensitive.
Back to top
View user's profile Send private message
vaxbrat
l33t
l33t


Joined: 05 Oct 2005
Posts: 617
Location: DC Burbs

PostPosted: Wed Mar 05, 2014 4:55 am    Post subject: security relevant Reply with quote

/etc/shadow and /etc/gshadow for dictionary attacks.

/etc/ssh for the private host keys (the not .pub key files)

/etc/security/opasswd for password history database maintained by pam_unix

Those would be ones I care about in auditd for failed read access attempts. I also care about failed and any successful writes to anything in /etc.

If you run a dns server you will probably want to watch /etc/bind/rndc.key


Last edited by vaxbrat on Wed Mar 05, 2014 11:48 pm; edited 1 time in total
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Wed Mar 05, 2014 10:56 pm    Post subject: Reply with quote

Quote:
use hardened shadow instead of tcb

hardened-shadow looks like a great thing and it's in portage, but it says:

"Do not use hardened-shadow in production yet. Public auditing process after the first release is likely to detect several security holes. And the codebase needs to mature a bit. Contributors and early adopters are very welcome at this point."

http://code.google.com/p/hardened-shadow/

Quote:
PPP / VPN configuration is often stored under /etc, and parts of that are security-sensitive.

I don't use PPP or VPN.

Quote:
/etc/sshd for the private host keys

I had no idea those keys were in /etc/ssh. What are they used for?

Quote:
/etc/security/opasswd for password history database maintained by pam_unix

I don't have that file.

Quote:
If you run a dns server you will probably want to watch /etc/bind/rndc.key

I don't run a DNS server and I don't have that file.

Thanks to all for helping me lock this down.
Back to top
View user's profile Send private message
vaxbrat
l33t
l33t


Joined: 05 Oct 2005
Posts: 617
Location: DC Burbs

PostPosted: Wed Mar 05, 2014 11:45 pm    Post subject: ssh keys and opasswd Reply with quote

The keys in /etc/ssh are generated the first time you run sshd on the host and are then used to prevent man in the middle attacks. When you first ssh into another box and get that "I don't know who this is, do you want to continue?" type prompt, its the host keys that are used to figure this out. The known_hosts files that end up in your user .ssh directories contain the public key from that pair for each host you know about.

You probably won't see the opasswd on a default install. It doesn't get needed unless you set the "remember=n" stanza on pam_unix in the password section of the pam system-auth file. It then stores the hashes of passwords that users create when they go through a change password. It gets referenced to rub their noses in it when they attempt to recycle an old password that they've used in the last n changes.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Thu Mar 06, 2014 2:04 am    Post subject: Reply with quote

Quote:
The keys in /etc/ssh are generated the first time you run sshd on the host and are then used to prevent man in the middle attacks. When you first ssh into another box and get that "I don't know who this is, do you want to continue?" type prompt, its the host keys that are used to figure this out. The known_hosts files that end up in your user .ssh directories contain the public key from that pair for each host you know about.

I'll exclude /etc/ssh/ssh_host_*.

Quote:
You probably won't see the opasswd on a default install. It doesn't get needed unless you set the "remember=n" stanza on pam_unix in the password section of the pam system-auth file. It then stores the hashes of passwords that users create when they go through a change password. It gets referenced to rub their noses in it when they attempt to recycle an old password that they've used in the last n changes.

I'll exclude /etc/security/opasswd in case I start using it in the future.

It sounds like /etc/shadow is the only sticking point left. Would you guys share /etc/shadow on your LAN or use hardened-shadow?

Quote:
"Do not use hardened-shadow in production yet. Public auditing process after the first release is likely to detect several security holes. And the codebase needs to mature a bit. Contributors and early adopters are very welcome at this point."

http://code.google.com/p/hardened-shadow/
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 10, 2014 4:34 pm    Post subject: Reply with quote

Any opinions on that last one?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 10, 2014 4:51 pm    Post subject: Reply with quote

Quote:
It sounds like /etc/shadow is the only sticking point left. Would you guys share /etc/shadow on your LAN or use hardened-shadow?

No, don't share that file. Hardened shadow doesn't seem ready for production. You could edit the file, remove the password hashes, and recreate them on each machine.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 10, 2014 6:57 pm    Post subject: Reply with quote

Now that I think about it, I'm not sure what the problem is. /etc/shadow is root:root -rw-r----- so other users can't read it. Is the danger someone booting a USB stick and reading the file that way?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 10, 2014 7:12 pm    Post subject: Reply with quote

Yes, of course that's a problem. They might even get root access in other ways. They could boot in single user mode. They could exploit a future vulnerability that will be documented in glsa.
We told you it's a bad idea, why are you insisting? At this point, just do what you want.

If security is an issue, you shouldn't be doing this. Separate /etc's, just use binary packages. If you're doing this to share with trustworthy family and friends, sure, why not, but then security isn't an issue.
Back to top
View user's profile Send private message
grant123
l33t
l33t


Joined: 23 Mar 2005
Posts: 771

PostPosted: Mon Mar 10, 2014 9:36 pm    Post subject: Reply with quote

I'm not only trying to keep my systems secure. I'm also trying to learn about securing them. I appreciate your help but please don't expect me to follow instructions without understanding why I'm following them.

Having said that, thank you for elaborating. Isn't /etc/shadow vulnerable in these ways on every system with user accounts?
Back to top
View user's profile Send private message
SirRobin2318
Apprentice
Apprentice


Joined: 24 Apr 2004
Posts: 213
Location: Strasbourg, france.

PostPosted: Mon Mar 10, 2014 10:02 pm    Post subject: Reply with quote

If you are trying to keep these systems secure you are going about it the wrong way.

Cloning everything and trying to find problematic files is bad. You'd have to know what every file contains. This is not an easy goal. Not only it's not easy but human errors happen, even with loads of experience you would mess up. To limit the amount of information leaking out, you should be taking the problem the other way around: What files am I sure I can share without leaking sensitive data? Sharing everything by default is a Bad Idea.

/etc/shadow has a relatively sane security logic. You could share it and maybe nobody would be able to hack into it. But there are tools that are dead easy to use to exploit any weakness in your choice of passwords. It might take months, but it could work. Why take the chance?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum