Chapter 4. Workstation Security
    image=/boot/vmlinuz-version
        password=password
If you want to allow booting a kernel or operating system without password verification, but do not want to allow users to add arguments without a password, you can add the restricted directive on the line below the password line within the stanza. Such a stanza will begin similar to this:
    image=/boot/vmlinuz-version
        password=password
        restricted
If you use the restricted directive, you must have a password line in the stanza.
Warning
The /etc/lilo.conf file is world readable. If you are password protecting LILO, it is essential that you only allow root to read and edit the file, since all passwords are in plain text. To do this, type the following command as root:
    chmod 600 /etc/lilo.conf
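The two rules just stated (a restricted line needs a password line in its stanza, and the file must not be readable by anyone but root) are easy to check mechanically. The script below is an added example, not part of the Red Hat Linux Security Guide or of LILO itself; it reads a lilo.conf-style file and reports stanzas that violate the first rule and a mode that violates the second. It assumes that a password= or restricted line placed before the first image= line is global and covers every stanza after it, and the configuration it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the LILO project: audit a
# lilo.conf-style file for (1) 'restricted' used without 'password=' and
# (2) group/other permission bits on a file holding plain-text passwords.
# Assumption: password=/restricted before the first image= line are global.

# check_lilo_stanzas FILE
# Prints one line per image/other stanza that has 'restricted' but no
# password; returns 0 when every stanza is consistent, 1 otherwise.
check_lilo_stanzas() {
    awk '
        BEGIN { bad = 0 }
        function flush() {
            if (name != "" && restricted && !haspw) {
                printf "%s: restricted without password=\n", name
                bad = 1
            }
        }
        /^[ \t]*(image|other)[ \t]*=/ {
            flush()
            name = $0; sub(/^[ \t]+/, "", name)
            haspw = globalpw; restricted = globalres   # inherit global settings
            next
        }
        /^[ \t]*password[ \t]*=/   { if (name == "") globalpw = 1;  else haspw = 1 }
        /^[ \t]*restricted[ \t]*$/ { if (name == "") globalres = 1; else restricted = 1 }
        END { flush(); exit bad }
    ' "$1"
}

# check_lilo_mode FILE
# Returns 0 only when group and other have no permission bits at all,
# which is what "chmod 600" leaves (the owner should also be root).
check_lilo_mode() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Demonstration on a constructed configuration in a temporary directory.
demo_lilo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/lilo.conf" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz-2.4.18-3
    label=linux
    password=EXAMPLE_NOT_A_REAL_PASSWORD
    restricted
image=/boot/vmlinuz-rescue
    label=rescue
    restricted
EOF
    chmod 644 "$dir/lilo.conf"
    check_lilo_stanzas "$dir/lilo.conf" || echo "fix: add password= to that stanza, or remove restricted"
    check_lilo_mode "$dir/lilo.conf" || echo "fix: chmod 600 $dir/lilo.conf"
    chmod 600 "$dir/lilo.conf"
    check_lilo_mode "$dir/lilo.conf" && echo "mode ok after chmod 600"
    rm -rf "$dir"
}

demo_lilo_audit
```

Run it against a copy of the real file rather than the live one if you want to experiment with permissions; the rescue stanza in the sample is the case the text warns about, since restricted there has no password to enforce.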
4.3. Password Security
Passwords are the primary way Red Hat Linux verifies that the user logging into the system is who
he claims to be. This is why password security is enormously important for protection of the user, the
workstation, and the network.
For security purposes, the Red Hat Linux installation program defaults to using the Message Digest Algorithm (MD5) and shadow passwords. It is highly recommended that you do not alter these settings.
If you deselect MD5 passwords during installation, the older Data Encryption Standard (DES) format is used. This format limits passwords to eight alphanumeric characters (disallowing punctuation and other special characters) and provides a modest 56 bit level of encryption.
If you deselect shadow passwords, all user passwords will be stored as a one way hash in the world readable file /etc/passwd. This opens up your system to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can view the /etc/passwd file and run any number of password cracking programs against it on his own machine. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
Shadow passwords eliminate this type of attack by storing the password hashes in the file /etc/shadow, which is readable only by the root user.
This forces a potential attacker to attempt password cracking remotely by logging into a network
service on the machine, such as SSH or FTP. This sort of brute force attack is much slower and leaves
an obvious trail as hundreds of failed login attempts will appear in the log files. Of course, if the
cracker starts an attack in the middle of the night and you have weak passwords, he may have gained
access before dawn.
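The properties described above can be verified on a system: with shadow passwords in use, the password field of /etc/passwd holds only an x, /etc/shadow is readable by root alone, and each stored hash is in the MD5 format rather than DES. The script below is an added example, not part of the Red Hat Linux Security Guide; it tells the formats apart by shape ($1$ prefix for MD5, a bare 13-character string for the traditional DES crypt format, other $id$ prefixes reported generically) and flags hashes left in a world-readable passwd file. The passwd and shadow lines it audits, including the hash strings, are constructed for the demonstration and are not real hashes.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: audit where password hashes are
# stored and which format they use. Sample files and hashes are constructed.

# classify_hash HASH -> md5 | des | modular | locked | unknown
classify_hash() {
    case "$1" in
        '$1$'*)       echo md5 ;;
        '$'*'$'*)     echo modular ;;   # some other $id$salt$hash scheme
        ''|'!'*|'*'*) echo locked ;;    # no usable password
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# audit_passwd FILE: list accounts whose hash sits in the passwd file itself.
# Returns 1 if any are found, i.e. shadow passwords are not in effect for them.
audit_passwd() {
    found=0
    while IFS=: read -r user pw _rest; do
        case "$pw" in
            x) ;;
            *) echo "$user: hash stored in world-readable passwd file"; found=1 ;;
        esac
    done < "$1"
    [ "$found" -eq 0 ]
}

# audit_shadow FILE: report the hash format per account and the file mode.
# Returns 1 if any account still uses DES or the file is readable beyond root.
audit_shadow() {
    bad=0
    while IFS=: read -r user hash _rest; do
        kind=$(classify_hash "$hash")
        echo "$user: $kind"
        if [ "$kind" = des ]; then bad=1; fi
    done < "$1"
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$1: readable by group/other (expected mode 600 or 400, owner root)"
        bad=1
    fi
    [ "$bad" -eq 0 ]
}

# Demonstration on constructed files in a temporary directory.
demo_password_storage() {
    dir=$(mktemp -d)
    # alice's (constructed) hash was left in passwd, so it is world readable.
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:xyDESexample1:500:500::/home/alice:/bin/bash' > "$dir/passwd"
    # root uses MD5, bob still has a DES-shaped hash, carol's account is locked.
    printf '%s\n' \
        'root:$1$saltsalt$CONSTRUCTEDhash0123456:12000:0:99999:7:::' \
        'bob:xyDESexample1:12000:0:99999:7:::' \
        'carol:!:12000:0:99999:7:::' > "$dir/shadow"
    chmod 600 "$dir/shadow"
    audit_passwd "$dir/passwd" || echo "-> shadow passwords are not in use for every account"
    audit_shadow "$dir/shadow" || echo "-> DES hashes remain; see the MD5 setting above"
    rm -rf "$dir"
}

demo_password_storage
```

On a real system you would run audit_passwd against /etc/passwd and, as root, audit_shadow against /etc/shadow; the classification is by prefix and length only, so it reports the storage format and says nothing about how strong the underlying password is.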
Beyond matters of format and storage is the issue of content. The single most important thing a user can do to protect his account is create a strong password, which makes it less susceptible to a password cracking attack.