ch17.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,284 行 · 第 1/5 页

out on the desk, with the installation media available, you better take some precautions.
Otherwise, a kid can approach, halt the machine (with <TT>L1 + A</TT>), boot the
installation media (with <TT>b sd(0,6,2)</TT>), and proceed to overwrite your entire
disk. A malicious user could also perform this operation with almost any system (for
example, by changing the SCSI ID on the hard disk drive). AIX will boot from the
CD-ROM if it finds that all other disks are unsuitable for boot.</P>
<P>However, it is more often through the use of a boot floppy that system security
is breached. Typical examples of installation procedures that require a disk include
SolarisX86, some versions of AT&amp;T UNIX, some versions of SCO, and almost all
distributions of Linux. If you have such a system, secure those disks. (True, a malicious
user can acquire disk images from the Internet or other sources. However, this is
not nearly as convenient as having the disk readily available, in close proximity
to the workstation. Most onsite breaches are crimes of opportunity. Don't present
that opportunity.)


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>A fascinating approach
	to the problem of physical security of workstations is taken in a paper by Dr. J.
	Douglas Tygar and Bennet Yee, School of Computer Science at Carnegie Mellon University.
	This paper, <I>Dyad: A System for Using Physically Secure Coprocessors</I>, can be
	found online at <A HREF="http://www.cni.org/docs/ima.ip-workshop/www/Tygar.Yee.html"><TT>http://www.cni.org/docs/ima.ip-workshop/www/Tygar.Yee.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Before You Erect a Networked Machine</B></FONT></H2>
<P>Some definition is in order here, aimed specifically at those using SGI systems
(or any other system that is commonly used for graphics, design, or other applications
not generally associated with the Internet).</P>
<P>If you are running UNIX, your machine is networked. It makes no difference that
you haven't got a &quot;network&quot; (other than the Internet) connected to it.
UNIX is a networked operating system by default. That is, unless you otherwise disable
networking options, that machine will support most of the protocols used on the Internet.
If you have been given such a machine, used primarily for graphical projects, you
must either get a technician skilled in security or learn security yourself. By the
time that box is plugged into the Net, it should be secure. As I explained earlier
in this book, lack of security knowledge has downed the machines of many SGI users.
Windowed systems are great (and SGI's is truly beautiful to behold). However, at
the heart of such boxes is a thriving, networked UNIX.
<H2><FONT COLOR="#000077"><B>Out-of-the-Box Defaults</B></FONT></H2>
<P>In nearly every flavor of UNIX, there is some default password or configuration
that can lead to a root compromise. For example, at the beginning of this book, I
discussed problems with certain versions of IRIX. I will recount those here briefly.</P>
<P>The following accounts on some versions of IRIX do not require a password to login:

<UL>
	<LI><TT>lp</TT> (line printer)
	<LI><TT>guest</TT>
	<LI><TT>4Dgifts</TT>
	<LI><TT>demos</TT>
	<LI><TT>jack</TT>
	<LI><TT>jill</TT>
	<LI><TT>backdoor</TT>
	<LI><TT>tutor</TT>
	<LI><TT>tour</TT>
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>To review the default
	password problem more closely, refer to Silicon Graphics Inc., Security Advisory
	19951002-01-I; CERT Advisory CA-95:15--SGI <TT>lp</TT> Vulnerability. November 27,
	1995. <A HREF="ftp://sgigate.sgi.com/Security/19951002-01-I"><TT>ftp://sgigate.sgi.com/Security/19951002-01-I</TT></A>
	or <A HREF="ftp://info.cert.org/pub/cert_advisories/CA-95%3A15.SGI.lp.vul"><TT>ftp://info.cert.org/pub/cert_advisories/CA-95%3A15.SGI.lp.vul</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Such problems should be dealt with immediately upon installation. If you are unaware
of such weaknesses, contact your vendor or security organizations.
<H2><FONT COLOR="#000077"><B>Getting Down to Business: Password Security</B></FONT></H2>
<P>It is assumed that you are going to have more than one user on this machine. (Perhaps
you'll have dozens of them.) If you are the system administrator (or the person dictating
policy), you will need to set some standard on the use of passwords.</P>
<P>First, recognize that every password system has some inherent weakness. This is
critical because passwords are at the very heart of the UNIX security scheme. Any
compromise of password security is a major event. Usually, the only remedy is for
all users to change their passwords. Today, password schemes are quite advanced,
offering both encrypted passwords, and in certain instances password shadowing.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Password shadowing is where the
	<TT>/etc/passwd</TT> file contains only tokens (or symbols) that serve as an abstract
	representation for the user's real, encrypted password. That real password is stored
	elsewhere on the drive, in a place unreachable by crackers. 
<HR>


</BLOCKQUOTE>

<P>Some distributions do not have shadowing as a default feature. I am not presuming
here that you are installing the biggest and baddest UNIX system currently available
on the market. Maybe you are installing SunOS 4_1_3 on an old SPARC 1, or similarly
outdated hardware and software. (Or perhaps you are installing a Slackware version
of Linux that does not support shadowing in the current distribution.)</P>
<P>In such a case, the <TT>/etc/passwd</TT> file will be at least viewable by users.
True, the passwords are in encrypted form, but as you learned earlier, it is a trivial
task to crack them. If they can be viewed, they can be cracked. (Anything that can
be viewed can also be clipped and pasted. All that is required is some term package
that can be used to Telnet to your box. Once the <TT>/etc/passwd</TT> file can be
printed to <TT>STDOUT</TT>, it can be captured or otherwise copied.) This first needs
to be remedied.</P>
<P>Passwords in their raw, encrypted form should not be viewable by anyone. Modern
technology provides you the tools to hide these passwords, and there is no earthly
reason why you shouldn't. There was a time, however, when such hiding was not available.
In those olden days, bizarre and fantastic things did sometimes happen. In fact,
in the early days of computer technology, security was a largely hit-or-miss situation.
Here is an amusing story recounted by Robert Morris and Ken Thompson in their now-classic
paper <I>Password Security: A Case History:</I>

<DL>
	<DD>Experience with several earlier remote-access systems showed that lapses occur
	with frightening frequency. Perhaps the most memorable such occasion occurred in
	the early 60's when a system administrator on the CTSS system at MIT was editing
	the password file and another system administrator was editing the daily message
	that is printed on everyone's terminal at login. Due to a software design error,
	the temporary editor files of the two users were interchanged and thus, for a time,
	the password file was printed in every terminal when it was logged in.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B><I>Password Security:
	A Case History </I>can be found online at <A HREF="http://www.alw.nih.gov/Security/FIRST/papers/password/pwstudy.ps"><TT>http://www.alw.nih.gov/Security/FIRST/papers/password/pwstudy.ps</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Installing Password Shadowing</B></FONT></H2>
<P>If your system supports it, you need password shadowing. If you are using Linux,
you can get the Shadow Suite at <A HREF="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz"><TT>ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz</TT></A>.</P>
<P>For other systems, my suggestion is John F. Haugh II's shadow package. This package
is extensive in functionality. For example, not only does it provide basic password
shadowing, it can be used to age passwords. It can even restrict the port from which
<TT>root</TT> can log in. Moreover, it supports 16-character passwords (as opposed
to the traditional 8). This greatly enhances your password security, forcing crackers
to consume considerable resources to crack an even more complex password. Other features
of this distribution include the following:

<UL>
	<LI>Recording of failed login attempts<BR>
	<BR>
	
	<LI>A function to examine user passwords and evaluate their relative strengths<BR>
	<BR>
	
	<LI>Forced password prompts, even on null password logins
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Shadow is available at
	<A HREF="ftp://ftp.std.com/src/freeunix/shadow.tar.Z"><TT>ftp://ftp.std.com/src/freeunix/shadow.tar.Z</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>As a system administrator, you will also need a password cracker and a series
of wordlists. These tools will assist you in determining the strength of your users'
passwords.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Crack is available at
	<A HREF="ftp://coast.cs.purdue.edu/pub/tools/unix/crack/"><TT>ftp://coast.cs.purdue.edu/pub/tools/unix/crack/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Wordlists vary dramatically, in terms of language, type of word, and so forth.
Some consist only of proper names, and others consists of either all upper- or lowercase
characters. There are thousands of locations on the Net where these lists reside.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Two good starting places
	for wordlists are <A HREF="http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html"><TT>http://sdg.ncsa.uiuc.edu/~mag/Misc/Wordlists.html</TT></A>
	and <A HREF="ftp://coast.cs.purdue.edu/pub/dict/"><TT>ftp://coast.cs.purdue.edu/pub/dict/</TT></A>.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>If you keep password crackers
	on your local disks, make sure they are not accessible to anyone but you. The same
	is true of wordlists or any other tool that might conceivably be used against your
	system (or anyone else's, for that matter). Many security tools fit this description.
	Be sure to secure all security tools that could potentially enable a cracker. 
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Installing a Proactive Password Checking Program</B></FONT></H2>
<P>So, to recount, you have thus far performed the following operations:

<UL>
	<LI>Installed the software
	<LI>Defined the <TT>root</TT> password
	<LI>Defined the console password
	<LI>Physically secured the machine and installation media
	<LI>Installed password shadowing
</UL>

<P>Next, you will want to install a program that performs proactive password checking.
Users are generally lazy creatures. When asked to supply their desired password,
they will often pick passwords that can easily be cracked. Perhaps they use one of
their children's names, their birth date, or their department name. On systems without
proactive password checking, these characteristically weak passwords go unnoticed
until the system administrator &quot;gets around&quot; to checking the strength of
them with a tool such as Crack. By then it is often too late.</P>
<P>The purpose of a proactive password checker is to stop the problem before the
password gets committed to the <TT>passwd</TT> file. Thus, when a user enters his
desired password, before the password is accepted, it is compared against a wordlist
and a series of rules. If the password fails to meet the requirements of this process
(for example, it is found to be a weak password choice), the user is forced to make
another choice. In this way, at least some bad passwords are screened out at time
of submission.</P>
<P>The leading utility for this is passwd+, written by Matt Bishop. This utility
has been in fairly wide use, largely because of its high level of functionality.
It is a superb utility. For example, you can set the error message that will be received
when a user forwards a weak password. In other words, the user is not faced with
a cryptic &quot;your password is no good&quot; prompt, for this does not serve to
educate the user as to what is a weak or strong password. (Such messages would also
probably annoy the user. Users have little tolerance for a program that repeatedly
issues such an error message, even if the error is with the user and not the program.)
The program also provides the following: