checking SHADOW passwords

Tim Lavoie tim.lavoie at mts.net
Wed Mar 29 17:20:27 CEST 2000


In article <8brth0$t7v$1 at la-mail4.digilink.net>, Pete Shinners wrote:

>actually, does anyone know if i can even get at the shadowed
>passwords without ROOT access? i'm suddenly afraid all hope
>is lost...

Nope, that is the whole point of shadow passwords. Without shadowing, anyone
can get the file and attempt a brute-force crack. While the encryption is
only one-way (you can't decrypt), you can encrypt a huge number of words and
their permutations, and see if they match the file's contents...

>i suppose i could connect to a POP socket and test the
>password there. HA! surely there is a better way.

Ick... If you have root access, you can simply get at the shadow file and
test as mentioned to look for bad passwords. If you don't, you will find
yourself getting spanked for trying.

-- 
The idea that an arbitrary naive human should be able to properly use a given
tool without training or understanding is even more wrong for computing than
it is for other tools (e.g. automobiles, airplanes, guns, power saws).
                -- Doug Gwyn



More information about the Python-list mailing list