Shadow passwords have been a de facto standard on Linux distributions for years, as has the use of md5 password hashes. However, the traditional shadow file has drawbacks, and md5 is no longer as strong as it once was. One drawback of a single shadow file is that any program that needs to look up one shadow entry (for example, your own) can read everyone else's as well, so any compromised tool that can read the shadow file can obtain every user's password hash.

There is an alternative to shadow, called tcb, available from the tcb home page and written by the Openwall Project. Migrating to tcb is fairly straightforward, although it can take a bit of work. Because only Openwall GNU/*/Linux, ALT Linux, and Annvix support tcb out of the box, getting tcb support in another distribution means patching and recompiling a few programs.

From the tcb site, download the tcb package and compile it, along with the included pam_tcb and nss_tcb libraries. You will have to patch glibc with crypt_blowfish support (some distributions, such as SUSE, already support blowfish passwords and may not need the patch); a link to the latest crypt_blowfish is on the tcb page. You will also want to patch the shadow-utils suite so that tools such as adduser, chage, and passwd understand tcb; depending on the version of shadow-utils your distribution uses, you can get the required patch from the Openwall CVS for shadow-utils 4.0.4.1 or from the Annvix SVN repositories for 4.0.12.

Once these prerequisites are met and tcb is compiled and installed, replace every reference to pam_unix.so and/or pam_pwdb.so in the /etc/pam.d/* files with pam_tcb.so, as in Listing A.

Listing A

auth        required    pam_env.so
auth        required    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
account     required    pam_tcb.so shadow fork
password    required    pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
password    required    pam_tcb.so use_authtok shadow write_to=tcb fork nullok prefix=$2a$ count=8
session     required    pam_limits.so
session     required    pam_tcb.so

If you wish to continue using md5 passwords instead of blowfish, remove the prefix=$2a$ count=8 options from the password line. You will also need to modify /etc/nsswitch.conf so that the shadow line reads:

shadow:     tcb nisplus nis

The passwd program needs to be sgid shadow rather than suid root, and /etc/login.defs needs to contain USE_TCB yes. Once this is done, run /sbin/tcb_convert to convert the shadow file into the per-user files, which live under /etc/tcb/. Keep a root shell open and confirm that a normal login still works before going further; then remove the /etc/shadow and /etc/shadow- files, and your system is tcb-enabled.
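The steps above are easy to leave half-done: one stray pam_unix.so line, a passwd binary that is still suid root, or a forgotten /etc/shadow- defeats the point of the migration. The script below is an added example, not code from the article or from the tcb project, that audits a finished conversion. Every check takes a root prefix so it can be rehearsed as a non-root user against a copy of the tree ("/" on the live system). It assumes the layout the conversion produces, one colon-separated line in /etc/tcb/<user>/shadow, and it assumes rather than verifies ownership (user:auth on the per-user files, group shadow on passwd), since a non-root rehearsal cannot chown. It goes one step beyond the text by listing users whose hashes are still md5: tcb_convert copies the existing hashes unchanged, so prefix=$2a$ in Listing A only takes effect as each user next changes their password.

```shell
#!/bin/sh
# tcb post-migration audit (added example; not from the article or tcb).
# Mode-string positions used below (from `ls -ld`): 4 = setuid slot,
# 7 = setgid slot, 8 = world-read slot.

# 1. PAM: pam_unix.so / pam_pwdb.so must be gone and pam_tcb.so present.
tcb_check_pam() {
    dir="$1/etc/pam.d"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    if grep -qE 'pam_(unix|pwdb)\.so' "$dir"/* 2>/dev/null; then
        echo "pam_unix.so/pam_pwdb.so still referenced in:"
        grep -lE 'pam_(unix|pwdb)\.so' "$dir"/*
        return 1
    fi
    grep -q 'pam_tcb\.so' "$dir"/* 2>/dev/null || { echo "pam_tcb.so not used"; return 1; }
}

# 2. NSS: the shadow database must be served by the tcb module first.
tcb_check_nsswitch() {
    grep -Eq '^shadow:[[:space:]]+tcb([[:space:]]|$)' "$1/etc/nsswitch.conf" 2>/dev/null
}

# 3. login.defs must switch the shadow-utils tools to tcb.
tcb_check_login_defs() {
    grep -Eq '^USE_TCB[[:space:]]+yes' "$1/etc/login.defs" 2>/dev/null
}

# 4. passwd must be setgid (group shadow, assumed) and no longer setuid root.
tcb_check_passwd_bin() {
    mode=$(ls -ld "$1/usr/bin/passwd" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || { echo "passwd binary not found"; return 1; }
    case "$mode" in ???[sS]*) echo "passwd is still setuid"; return 1 ;; esac
    case "$mode" in ??????[sS]*) return 0 ;; esac
    echo "passwd is not setgid"; return 1
}

# 5. Layout: one /etc/tcb/<user>/shadow per passwd entry, none world-readable
#    (group-readable is expected: the files are assumed user:auth 0640), and
#    no monolithic /etc/shadow or /etc/shadow- left behind.
tcb_check_layout() {
    root="$1"; rc=0
    for f in "$root/etc/shadow" "$root/etc/shadow-"; do
        if [ -e "$f" ]; then echo "leftover $f"; rc=1; fi
    done
    while IFS=: read -r user rest; do
        f="$root/etc/tcb/$user/shadow"
        if [ ! -f "$f" ]; then echo "missing $f"; rc=1; continue; fi
        case "$(ls -ld "$f" | cut -c1-10)" in
            ???????r*) echo "$f is world-readable"; rc=1 ;;
        esac
    done < "$root/etc/passwd"
    return $rc
}

# 6. Hash algorithm: tcb_convert cannot rehash, so users keep their md5
#    ($1$) hashes until they next change their password. List them.
tcb_list_md5_users() {
    for d in "$1"/etc/tcb/*/; do
        [ -f "$d/shadow" ] || continue
        case "$(cut -d: -f2 "$d/shadow")" in
            '$1$'*) basename "$d" ;;
        esac
    done
}

# Run every check; prints findings, returns non-zero if any check failed.
# Live system (as root, after tcb_convert): tcb_audit /
tcb_audit() {
    root="${1%/}"; ok=0
    tcb_check_pam "$root" || ok=1
    tcb_check_nsswitch "$root" || { echo "nsswitch.conf: shadow line must start with tcb"; ok=1; }
    tcb_check_login_defs "$root" || { echo "login.defs: USE_TCB yes missing"; ok=1; }
    tcb_check_passwd_bin "$root" || ok=1
    tcb_check_layout "$root" || ok=1
    md5=$(tcb_list_md5_users "$root")
    [ -z "$md5" ] || echo "still md5-hashed (have these users change passwords): $md5"
    return $ok
}

if [ $# -gt 0 ]; then tcb_audit "$1"; fi
```

Run it as `sh tcb-audit.sh /` on the converted machine; a clean migration prints nothing and exits 0. The md5 list is informational rather than a failure, because Listing A is written so those hashes are replaced by blowfish ones the next time each user runs passwd.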

Getting tcb support may involve a little work, and it's a shame that more distributions don't provide tcb as an alternative to shadow out of the box, or at least as an add-on. Using tcb together with blowfish passwords gives you a much more secure password system for your Linux distribution.
