What Linus actually did and how safe the passwords are in Linux KERNEL?

chekkizhar

Hi,

Recently, I am confused with some concepts in Linux,

1. When I read man pages some pages have the author names. And the commercial apps like vlc, Mozilla and so on are from concern manufactures. Most of apps are under developed by some one or by community and integrated with Distributions.

so, What exactly Torvalds did/wrote ? In other words, what exactly the Linux Kernel is?

If I use "c" pgms and some device drivers for my use, Can I say that I use Linux or I know Linux ?

Bcoz, most of the questions out here in other posts are totally new to me, and making me to think that

for my "c" pgm , I am using a Linux distribution which has "gcc", and am not using/learning Linux? right?

2. Linux kernel source is an open source. So, how the passwords are protected ? If a person see the code section of password storing, can't that person do reverse operation to get the password ?

mfillpot

1. Linus was the first person to write drivers for the Linux kernel, however most kernel components are now written by others and approved by Linus and his team. The Linux kernel itself is a set of drivers that tell the software how to interact with the hardware. By using an operating system that uses the Linux kernel you are using Linux, however the tools that various distros/operating system choose to use differ so the management tools may differ for different linux based distributions.

2. The passwords are stored using a one-way hash function so ideally they cannot be reverse engineered as covered in http://www.ibiblio.org/pub/linux/docs/howto/other-formats/html_single/Shadow-Password-HOWTO.html#s2 . Pretty much as secure operations that use passwords implement a one-way hash so that it cannot be reversed, however if someone has the hash they can run a hash table using the same mechanism and compare values to find the original password string.

chekkizhar

1. Thanks. It feels better that I can say I use Linux

2. Hmm... That is interesting to read that link. Need to read more about how passwords are managed .
And if possible, if you get time, edit the post with a space b/w "in" and the link.

May be some people directly hit the link without seeing properly and wont get anything.

Thanks Matt,

mfillpot

the link has been corrected, sorry for my typo.

marc

1 - Linux wrote the first lines of the KERNEL(=linux), that is the specific software to "talk" to the hardware (and many many other things)
2 - A kernel has nothing to do with passwords, that's an applications problem

chekkizhar

Marc:
1. so, actually kind of Device Drivers?
I searched in net and it is going on......

2. Is it? so, whats your opinion about the best Application that you know for passwords ?

Thanks you both guys...

woboyle

Linux allows a number of methods for password management. The default is local one-way salted hash using a 56-bit DES encryption. There are also other methods, such as NIS and LDAP single sign-on methods, that can be swapped in so that when you create a user on Linux, you are also authenticated for other systems, as well as for Windows. The default Linux "useradd" system command will use the appropriate method that your system is configured for, so your admin can always use the same commands to create new user accounts, and be sure that it will "do the right thing". Of course, the default local account won't allow you access to other systems in your network, and that is the entire point of "single sign-on" methods, because we are all connected to networks of computers these days, and often need to access different systems to do different jobs, and don't REALLY want to remember a bunch of different user ID's and passwords, do we? :-) My company has a single sign-on configuration, so my assigned user ID and password work with ANY system that I am authorized to access, be they Windows, Linux, or other, and we have over 100,000 employees! So, in my job, I can access ANY authorized company system with just one user ID and password. Of course, we have test systems/networks that I access which are not connected to the single sign-on infrastructure, so we have to use different user IDs and passwords for those, but that is the exception, rather than the rule.

marc

1- Hardware - linux kernel (core of the OS) - OS - Applications
2- Again: the kernel has nothing to do with managing passwords. It's the OS (or an app) that deals with it.

@Rubberman: *NO*, there's no DES encryption by default in any system (for password management that is). DES is really easy to break and, besides, passwords should be managed by *hash* algorthyms (not encryption).

NIS vs LDAP vs local use the same method: hashed passwords (usually salted)

The way you "consult" the information is different though

Regards

woboyle

Actually Marc, I'm not 100% positive about Linux, but the standard password encryption for Unix was 56-bit DES using a salt value as a random seed. I know, because I had to port that stuff to multiple operating systems. The last time I had to do that was in the early 90's - back in the late Jurassic era of modern computing... :-) Ok. Back in 1995 when I had to port some software that had to generate those hashes to the Dec Alpha processor systems running True64 Unix.

woboyle

And if you are interested, I can send you the source code.

marc

If we are talking about what's in /etc/passwd or /etc/shadow I doubt UNIX has ever used DES (which is encription)

You must be refering to md5 (which is a hash mechanism)

Anyway, MD5 has been declared insecure as well (that means it's easily breakable). Most systems come out of the box with salted SHA512 functions for storing passwords

As an example, from my running machine:

cat /etc/pam.d/passwd
#%PAM-1.0
password        required        pam_unix.so sha512 shadow nullok

woboyle

I refer to what's in /etc/shadow. I'm at work right now, but I will look up the code this weekend and show you that it DOES use DES-56 to create the encrypted password. At the time, we even had to get DOC approval to export the code outside of the USA, which was kind of useless as everyone and their dog already had the DES-56 sources.