Using Passwords on Servers

Many servers use passwords to control access to the computer. For such servers, password maintenance, as described in the "Choosing Good Passwords" section of Chapter 18, is extremely important. Most servers use the main Linux password database, so setting user passwords with passwd handles them all. A few servers, though, use their own password databases. For instance, Samba (covered in Chapter 24, "Sharing Files") can use either the Linux password database for unencrypted passwords or its own password database for encrypted passwords. Virtual Network Computing (VNC) is a remote login tool that normally uses passwords stored in users' home directories. VNC is covered in Chapter 26, "Providing Remote Login Access."

Some servers don't normally use passwords. For instance, web servers are often open to the public, and Simple Mail Transfer Protocol (SMTP) servers typically accept mail for local delivery without a password. Both of these server types can be configured to require passwords, but doing so defeats the purpose of their most common configurations. You might want to require passwords for some limited-access systems. In some respects, servers that don't use passwords are actually less risky than those that require them; servers that don't use passwords typically grant very limited access to the system. Web servers, for instance, frequently deliver only documents stored in a few directories. Servers that use passwords, by contrast, frequently give the user much more complete access to the computer, often including the ability to run arbitrary programs. As a result, a compromised password can become an extremely powerful tool in the hands of a cracker. Of course, there are exceptions to this rule; a web server can be misconfigured to give overly broad access to a system without a password, for instance.

Also, some types of security problems result in the server running arbitrary code supplied by a cracker, with or without a password. Nonetheless, maintaining good passwords is extremely important for servers that use them.

