A couple of random questions about login

Rejy M Cyriac rcyriac at redhat.com
Mon Sep 2 16:01:18 UTC 2013 

On 09/02/2013 09:12 PM, Bill Oliver wrote:
> 
> So, I was watching a TV show the other day where it was one of those
> things where the good guy tries to break into the bad guy's computer
> and, because of his great investigative skills, guesses that the
> password is a word a book from the bad guy's favorite author.  But,
> first, the good guy tried a couple of other obvious guesses -- the name
> of the bad guy's boat, etc.
> 
> My wife turned to me and said, "If I were the bad guy, I'd just have the
> computer delete everything if someone entered the boat name, or at least
> send me a text.  The boat was an obvious guess, and I would never
> accidentally type it in."
> 
> My answer was "That makes sense, but I have no clue about how to do it."
> 
> Now I can't get the idea out of my head.  Worse, I've realized that I
> don't know, at a process level, what happens when one types in a
> password.  Yes, I know about /etc/password and /etc/shadow files, and I
> know about encryption.  But I don't know step by step in terms of what
> processes do what when a password is entered.
> 
> So:
> 
> 1) What happens at a process level when one hits return after typing in
> a password?  Is everything handled by the kernel? Where is this described?

Only the hash of the password is stored in '/etc/shadow', and the hash
algorithms are one way functions. So you cannot 'decrypt' the hash to
get the original password. When the password is entered at the login
terminal, by default the 'pam_unix.so' PAM module is called, which
hashes the given password using the same hash algorithm used for the
stored password, and compares the resultant hash with the stored hash.
If it matches, the user is authenticated. Since hash values would be the
same for a given string across all systems, when the same hash function
is used, salted hash is used by default for passwords, to make it not
too obvious.

> 
> 2) Is it possible to script different responses to different (incorrect)
> passwords?
> 
> 

Theoretically, you could have this done, by using a PAM module designed
for this, to be run before the 'pam_unix.so' module, in
'/etc/pam.d/login' for terminal login, or for more wider use, in
'/etc/pam.d/system-auth'.


> Thanks,
> 
> billo
> 


-- 
Regards,

Rejy M Cyriac (rmc)

More information about the users mailing list