Answer: Some people think it is better to disable the ability to load device drivers as modules, because an intruder could load a Trojan module, or a module that changes the kernel's security behaviour.
However, in order to load modules you must be root, and the module object files themselves are writable only by root. This means the intruder would need root access before inserting a module. If the intruder has already gained root access, there are more serious things to worry about than whether he will load a module (although a kernel module is one way such an intruder can hide processes and files, which is why some administrators still prefer a monolithic kernel on exposed machines).
Modules are for dynamically loading support for a particular device that may be infrequently used. On server machines, or firewalls for instance, this is very unlikely to be needed. For this reason it makes more sense to compile the support you need directly into the kernel on machines acting as a server. Modules also carry a small overhead compared to support compiled directly into the kernel.
Answer: See Root Security. This is done intentionally, to prevent remote users from attempting to connect via telnet to your machine as root, which is a serious security vulnerability: the root password would be transmitted in cleartext across the network. Don't forget that potential intruders have time on their side, and can run automated programs to guess your password.
Answer:
To enable shadow passwords, run pwconv as root; /etc/shadow should now exist and be used by applications. If you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using the normal /etc/passwd to shadow passwords without any other change.
Some background: shadow passwords are a mechanism for storing the password hashes in a file other than the normal /etc/passwd file. This has several advantages. The first is that the shadow file, /etc/shadow, is readable only by root, unlike /etc/passwd, which must remain readable by everyone (so without shadowing, any local user can copy the hashes and run a password cracker against them). The other advantage is that, as the administrator, you can enable or disable accounts, and set expiry dates, without everyone being able to see the status of other users' accounts.
The /etc/passwd file is then used to store the user name, numeric user and group IDs, home directory and login shell, and is consulted by programs like /bin/ls to map a user ID to the proper username in a directory listing; its password field contains only a placeholder.
The /etc/shadow file then contains the username and his/her password hash, plus accounting information such as when the password was last changed, the minimum and maximum password age, and when the account expires.
Since you're interested in securing your passwords, perhaps you would also be interested in generating good passwords to begin with. For this you can use the pam_cracklib module, which is part of PAM. It runs a proposed password against the Crack libraries to help decide whether it is too easily guessable by password-cracking programs.
Answer:
You might also try ZEDZ net which has many pre-built packages, and is located outside of the United States.
Answer: The Red Hat distribution, especially RH 5.0, contains a great number of tools to change the properties of user accounts.
The pwconv and pwunconv programs convert between shadowed and non-shadowed passwords. The pwck and grpck programs verify the proper organization of the passwd and group files (correct number of fields per line, unique names, valid IDs and references). The useradd, usermod and userdel programs add, modify and delete user accounts; the groupadd, groupmod and groupdel programs do the same for groups, and gpasswd administers group membership and group passwords.
All these programs are "shadow-aware" -- that is, if you enable shadow passwords they will use /etc/shadow for password information, otherwise they won't.
See the respective man pages for further information.
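To make the file layouts in the shadow-password answer above concrete, and to show the kind of consistency checks pwck and grpck perform, here is an added example that is not part of the original FAQ or of the shadow suite itself. It parses passwd(5), shadow(5) and group(5) records and reports accounts whose hash is still in the world-readable passwd file, accounts with empty passwords, names present in one file but not the other, expired accounts and stale passwords, and group members that are not users. The three sample files are constructed for the example (the hashes are placeholders), and the helper names are this example's own.

```python
"""Audit passwd/shadow/group records the way pwck/grpck and a shadowing check would.

Added example for this FAQ. The sample files are constructed, not taken from
any real system; field layouts follow passwd(5), shadow(5) and group(5).
"""
import time

# Constructed sample files (the hashes are placeholders, not real hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
legacy:$1$salt$stillinpasswd:502:502:Old account:/home/legacy:/bin/sh
broken:x:503
"""
SAMPLE_SHADOW = """\
root:$1$salt$roothash:10000:0:99999:7:::
daemon:*:10000:0:99999:7:::
alice::10000:0:99999:7:::
bob:$1$salt$bobhash:10000:0:30:7::10100:
carol:$1$salt$orphanhash:10000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:2:
alice:x:500:
bob:x:501:
wheel:x:10:alice,mallory
"""
PASSWD_FIELDS, SHADOW_FIELDS, GROUP_FIELDS = 7, 9, 4


def parse_colon_file(text, nfields):
    """Split a colon-separated file into records; return (records, bad_lines).
    Lines with the wrong field count are what pwck/grpck report as invalid."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            bad.append((lineno, line))
        else:
            records.append(fields)
    return records, bad


def unshadowed_accounts(passwd):
    """Accounts whose hash still sits in world-readable /etc/passwd."""
    return [r[0] for r in passwd if r[1] != "x"]


def empty_passwords(shadow):
    """Accounts that can log in with no password at all."""
    return [r[0] for r in shadow if r[1] == ""]


def passwd_shadow_mismatch(passwd, shadow):
    """Names in one file but not the other (missing_in_shadow, missing_in_passwd)."""
    pw, sh = {r[0] for r in passwd}, {r[0] for r in shadow}
    return sorted(pw - sh), sorted(sh - pw)


def expired_accounts(shadow, today):
    """Accounts past the absolute expiry date (field 8, days since 1970-01-01)."""
    return [r[0] for r in shadow if r[7] and int(r[7]) <= today]


def stale_passwords(shadow, today):
    """Accounts whose password is older than the max-age field (field 5) allows."""
    return [r[0] for r in shadow
            if r[2] and r[4] and int(r[2]) + int(r[4]) < today]


def unknown_group_members(group, passwd):
    """Group members that are not users, as grpck reports."""
    users = {r[0] for r in passwd}
    return [(g[0], m) for g in group for m in g[3].split(",") if m and m not in users]


def audit(passwd_text, shadow_text, group_text, today=None):
    """Run every check and return the findings keyed by check name."""
    if today is None:
        today = int(time.time() // 86400)  # shadow(5) dates are days since the epoch
    passwd, bad_pw = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow, bad_sh = parse_colon_file(shadow_text, SHADOW_FIELDS)
    group, bad_gr = parse_colon_file(group_text, GROUP_FIELDS)
    missing_shadow, missing_passwd = passwd_shadow_mismatch(passwd, shadow)
    return {
        "invalid_lines": bad_pw + bad_sh + bad_gr,
        "unshadowed": unshadowed_accounts(passwd),
        "empty_password": empty_passwords(shadow),
        "missing_shadow": missing_shadow,
        "missing_passwd": missing_passwd,
        "expired": expired_accounts(shadow, today),
        "stale_password": stale_passwords(shadow, today),
        "unknown_members": unknown_group_members(group, passwd),
    }


if __name__ == "__main__":
    # Fixed "today" so the sample output is reproducible.
    for key, val in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, today=10200).items():
        print(f"{key}: {val}")
```

On a real system you would feed it the contents of /etc/passwd, /etc/shadow and /etc/group (reading /etc/shadow requires root, which is the whole point of shadowing) and leave today as the default. The "unshadowed" finding is the one to look for right after running pwconv: any account whose passwd field is something other than the placeholder still exposes its hash to every local user.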
I bet you didn't know about http://www.apacheweek.org, did you?
You can find information on user authentication at http://www.apacheweek.com/features/userauth as well as other web server security tips from http://www.apache.org/docs/misc/security_tips.html