[Users] create CT with password

Dmitry V. Levin ldv at altlinux.org
Tue Nov 11 10:07:10 EST 2008


On Tue, Nov 11, 2008 at 12:29:04PM +0100, Dietmar Maurer wrote:
> > On Tue, Nov 11, 2008 at 10:58:46AM +0100, Dietmar Maurer wrote:
> > > Is there a real world example where my approach does not work?
> > 
> > I think your approach won't work as is, at least in any tcb-enabled
> > system (see http://www.openwall.com/tcb/) for two obvious reasons:
> > - file where root shadow entry is stored is not /etc/shadow;
> 
> I guess it is possible to detect the file and store the password?

In a tcb-enabled system, the root shadow entry is usually stored in the
/etc/tcb/root/shadow file.

> > - password hashing algorithm in the host system and in containers may
> >   differ (this issue is not specific to tcb).
> 
> If I interpret the documentation correctly, the password includes the
> algorithm used to encode it - so auth will succeed no matter how you
> configure pam_unix (hashing algorithm configuration is only used to
> store password)

This way you'll have to either use the weakest hashing algorithm
supported by every container OS, or risk that your modern hashing
algorithm is not supported by some container OS.


-- 
ldv
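
The two points raised in this message (the root entry may live in /etc/tcb/root/shadow rather than /etc/shadow, and the hash carries an algorithm identifier the container may not support) can be checked before copying a hash into a container. The following is an added example, not code from this thread or from OpenVZ; the function names, the sample tree and the container's supported-scheme set are assumptions made for illustration.

```python
import os
import tempfile

# crypt(3) "$id$" prefixes; a hash with no "$" prefix is traditional DES.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt"}

def find_shadow_entry(root, user="root"):
    """Return (path, hash_field) for user under root, trying the tcb file first."""
    for rel in (os.path.join("etc", "tcb", user, "shadow"),
                os.path.join("etc", "shadow")):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 2 and fields[0] == user:
                    return path, fields[1]
    return None, None

def scheme_of(hash_field):
    """Classify a shadow hash field by the algorithm identifier it carries."""
    if hash_field == "" or hash_field[0] in "!*":
        return "none"  # empty, locked or disabled: nothing to copy
    if hash_field.startswith("$"):
        ident = hash_field.split("$")[1]
        return SCHEMES.get(ident, "unknown:" + ident)
    return "des"

def can_copy(host_root, ct_supported, user="root"):
    """Return (ok, scheme, path); ok is True if the container can verify the hash."""
    path, field = find_shadow_entry(host_root, user)
    if field is None:
        return False, None, None
    scheme = scheme_of(field)
    return scheme in ct_supported, scheme, path

def demo():
    # Constructed host tree using the tcb layout and a placeholder bcrypt-style hash.
    host = tempfile.mkdtemp()
    os.makedirs(os.path.join(host, "etc", "tcb", "root"))
    with open(os.path.join(host, "etc", "tcb", "root", "shadow"), "w") as fh:
        fh.write("root:$2a$08$CONSTRUCTEDPLACEHOLDERNOTAREALHASH:14194::::::\n")
    # Assumption: this container's crypt(3) only knows DES and md5crypt.
    return can_copy(host, {"des", "md5crypt"})

if __name__ == "__main__":
    print(demo())
```
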