> I repeat. This statement is BS. A shadow password file contains a PLAIN TEXT PASSWORD that you can compare against.
No it doesn't and it never has. A UNIX shadow password file contains either an encrypted version of a known string using the password as the encryption key, or an MD5 (or similar) hash of the original password. Both methods fudge things a bit so there is more than one string/hash for any given password. The original password is never stored and both methods are one way, you can't recreate the password from the string or hash.

When a user tries to login the plain text password they supply is used to encrypt the known string or generate an MD5 hash. The string/hash is then compared against the stored version and if it matches the password was good.

Shadow password files exist to protect the strings/hashes. In the good old days they were stored in the password file. But as computers got faster it became possible to brute force crack passwords. Basically you generate all the possible strings/hashes for, say, "sex" and search for them in the password file. So the shadow password file was created to limit access to the strings/hashes.

Bottom line: UNIX never stores the plain text password.

->Spike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
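The salted one-way check described in the reply above, as an added example that is not part of the original thread. PBKDF2-HMAC-SHA256 stands in for the crypt(3) algorithms, and the `$demo$` field layout, user names and passwords are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ROUNDS = 100_000  # assumption: work factor picked for this example


def _derive(password, salt, rounds):
    # One-way derivation: the output cannot be turned back into the password.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return base64.b64encode(digest).decode()


def make_entry(user, password, salt=None):
    """Build a shadow-style line 'user:$demo$rounds$salt$hash' (constructed format)."""
    # A fresh random salt is why one password maps to many stored strings.
    salt = secrets.token_bytes(16) if salt is None else salt
    field = "$demo${}${}${}".format(ROUNDS, salt.hex(), _derive(password, salt, ROUNDS))
    return "{}:{}".format(user, field)


def verify(entry, attempt):
    """Re-derive from the login attempt with the stored salt, then compare."""
    _user, field = entry.split(":", 1)
    parts = field.split("$")
    # Locked-account markers such as '*' or '!' are not valid hash fields,
    # so no password can ever match them.
    if len(parts) != 5 or parts[1] != "demo":
        return False
    _, _, rounds, salt_hex, stored = parts
    candidate = _derive(attempt, bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison of the two derived strings.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    first = make_entry("alice", "correct horse")   # constructed sample data
    second = make_entry("alice", "correct horse")
    print(first)
    print(second)                                  # same password, different line
    print(verify(first, "correct horse"), verify(first, "wrong guess"))
```

Only the salt and the derived string are stored, so anyone who can read the file still has to guess candidate passwords and derive each one, which is the brute-force exposure that restricting read access to the shadow file limits.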
