04-17-2019
Ravinder,
Many systems on the network require passwords to be stored in a flat file.
It's not always avoidable, so you can't say "NEVER NEVER DO THIS"... spoken much like someone who has not built a production application which uses clear text passwords.
Theory is not always the same in practice.
Normally, these kind of DB passwords are stored in plaintext in files which are hidden from users, so we must look at who has access to the system, the risk, the criticality of the application and other risk management factors.
Quote:
Originally Posted by
karumudi7
Yes, I understand and I use SSH keys for password-less connections.
But it is more like when you are interacting with other services like database etc.
This is correct. Many CMS programs like WordPress store the DB passwords in clear text in a flat configuration file.
These 2 Users Gave Thanks to Neo For This Post:
8 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
I'm finding the following command very tedious to type in all the time, so I created a one line bash script called mount.bash with the following contents:
mount -t cifs //mark/C\$ -o unc=//mark\\C$,ip=10.1.1.33,user=Administrator,password=$1 /mnt/mark
I don't like the fact that I have to put... (5 Replies)
Discussion started by: siegfried
5 Replies
2. Shell Programming and Scripting
Hi Unix experts....
I am in the process checking user and root password of more than 1000 servers manulay.
I am very pissed of checking these many servers manualy.
Could some one of you help me how can i check the passwords just by runing some scripts..!
Need Help Guys..! :confused: (5 Replies)
Discussion started by: bullz26
5 Replies
3. Solaris
Ok,
I am trying to install solaris, but I would like as a lean installation as possible (while still having a shread of functionality).
If I chose the minimal install I have little if no utilities to do work on the box.
My question is what installation method do most admins take?
... (7 Replies)
Discussion started by: liven
7 Replies
4. Shell Programming and Scripting
Hi
Most of the shell scripts I am dealing with have to connect to oracle database . The username password is stored in a environment file which sets the variables for username and password . Set user id do not work on AIX so users who will execute these scripts need to have read or execute... (5 Replies)
Discussion started by: clifford
5 Replies
5. Shell Programming and Scripting
Hi All ,
I need to call a script runscript_B.sh on server A, the runscript_B.sh script locating in server B.
The runscript_B.sh in calls another script runscript_A on server A itself.
it seend, i need to be connect from Server A to Server B using ssh.
I have tryed like this in... (3 Replies)
Discussion started by: koti_rama
3 Replies
6. UNIX for Advanced & Expert Users
I've been using various versions of UNIX and Linux since 1993, and I've never run across one that showed your password as you type it in when you log in, or one that stored passwords in plain text rather than encrypted. I'm writing a script for work for a security audit, and two of the... (5 Replies)
Discussion started by: Anne Neville
5 Replies
7. AIX
Does anyone know when AIX started using /etc/security/passwd instead of /etc/passwd to store encrypted passwords? (1 Reply)
Discussion started by: Anne Neville
1 Replies
8. UNIX for Advanced & Expert Users
Hi,
this question is not specially unix related, but I expect advanced and expert unix users to have a solution for this, and I've found no other subforum that fits ;)
what do you use to store accounts, customer ids, ip addresses, users and specially passwords, to access them from... (6 Replies)
Discussion started by: funksen
6 Replies
LEARN ABOUT LINUX
chpasswd
CHPASSWD(8) System Management Commands CHPASSWD(8)
NAME
chpasswd - update passwords in batch mode
SYNOPSIS
chpasswd [options]
DESCRIPTION
The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of
existing users. Each line is of the format:
user_name:password
By default the passwords must be supplied in clear-text, and are encrypted by chpasswd. Also the password age will be updated, if present.
By default, passwords are encrypted by PAM, but (even if not recommended) you can select a different encryption method with the -e, -m, or
-c options.
Except when PAM is used to encrypt the passwords, chpasswd first updates all the passwords in memory, and then commits all the changes to
disk if no errors occured for any user.
When PAM is used to encrypt the passwords (and update the passwords in the system database) then if a password cannot be updated chpasswd
continues updating the passwords of the next users, and will return an error code on exit.
This command is intended to be used in a large system environment where many accounts are created at a single time.
OPTIONS
The options which apply to the chpasswd command are:
-c, --crypt-method METHOD
Use the specified method to encrypt the passwords.
The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods.
By default, PAM is used to encrypt the passwords.
-e, --encrypted
Supplied passwords are in encrypted form.
-S, --stdout
Report encrypted passwords to stdout instead of updating password file.
-h, --help
Display help message and exit.
-m, --md5
Use MD5 encryption instead of DES when the supplied passwords are not encrypted.
-s, --sha-rounds ROUNDS
Use the specified number of rounds to encrypt the passwords.
The value 0 means that the system will choose the default number of rounds for the crypt method (5000).
A minimal value of 1000 and a maximal value of 999,999,999 will be enforced.
You can only use this option with the SHA256 or SHA512 crypt method.
By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.
CAVEATS
Remember to set permissions or umask to prevent readability of unencrypted files by other users.
CONFIGURATION
The following configuration variables in /etc/login.defs change the behavior of this tool:
SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when
the number of rounds is not specified on the command line).
With a lot of rounds, it is more difficult to brute forcing the password. But note also that more CPU resources will be needed to
authenticate users.
If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.
If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used.
Note: This only affect the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM
configuration. It is recommended to set this variable consistently with the PAM configuration.
FILES
/etc/passwd
User account information.
/etc/shadow
Secure user account information.
/etc/login.defs
Shadow password suite configuration.
/etc/pam.d/chpasswd
PAM configuration for chpasswd.
SEE ALSO
passwd(1), newusers(8), login.defs(5), useradd(8).
System Management Commands 06/24/2011 CHPASSWD(8)