[TriLUG] don't understand salt

Joseph Mack NA3T jmack at wm7d.net
Sat Jun 9 08:37:02 EDT 2012


Following the recent LinkedIn passwd database debacle, I did 
what I thought was deleting my LinkedIn account (I've had it 
for six months and haven't found any use for it). A friend then 
reminded me that nothing on the web is ever deleted and I 
realised that I'd only closed the account, only making it 
inaccessible to me.

I understand that salting a passwd makes brute force 
cracking more difficult. However (AFAIK) to authenticate a 
user, the computer has to know the original salt. The salt 
would have to be kept securely. Where is it kept in the unix 
passwd/shadow system?

http://en.wikipedia.org/wiki/Salt_%28cryptography%29

says

"

In a typical usage for password authentication, the salt is 
stored along with the output of the one-way function, 
sometimes along with the number of iterations to be used in 
generating the output (for key stretching).

"

This would indicate that the salt is in shadow. So if the 
attacker gets shadow, they have the salt too.

What don't I understand?

Thanks Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
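An added worked example, not code from Joe's post or from any Unix passwd/shadow implementation, illustrating the storage scheme the Wikipedia quote describes. It assumes a hypothetical record layout `$pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>` that mimics the `$id$salt$hash` shape of /etc/shadow, uses PBKDF2-SHA256 as a stand-in for the sha512crypt that glibc actually uses, and works on a constructed wordlist and three constructed accounts. It shows that the verifier reads the salt straight out of the stored record (so no secret salt is needed), and what an attacker who has stolen the records, salts included, gains and does not gain: a precomputed table built once over a wordlist no longer matches anything, and two accounts with the same password no longer look alike.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Record layout used by this example only (hypothetical, modelled on the
# "$id$salt$hash" shape of /etc/shadow):
#   $pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
SCHEME = "pbkdf2-sha256"
ITERATIONS = 20_000   # kept low so the demo runs quickly; production values are much higher
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Hash a password under a fresh random salt; the salt goes into the record in the clear."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"${SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, digest); this is all a verifier needs."""
    empty, scheme, iters, salt_hex, digest_hex = record.split("$")
    if empty != "" or scheme != SCHEME:
        raise ValueError("unknown record format")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, record: str) -> bool:
    """Authenticate: no separately stored secret salt; it is read back out of the record."""
    iterations, salt, stored = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def crack_unsalted(hashes: dict, wordlist: list) -> tuple:
    """Attacker holding unsalted hashes: one table built from the wordlist serves every account."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(wordlist)   # work = number of hash computations


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Attacker who stole the records, salts included: no precomputed table applies,
    so the wordlist has to be re-hashed under each account's own salt."""
    found, work = {}, 0
    for user, record in records.items():
        iterations, salt, stored = parse_record(record)
        for word in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
            if hmac.compare_digest(guess, stored):
                found[user] = word
                break
    return found, work


# Constructed wordlist and accounts for the demo (not real data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "linkedin"]
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "letmein"}


def demo() -> dict:
    """Compare an unsalted and a salted store holding the same three accounts."""
    salted = {u: make_record(p) for u, p in ACCOUNTS.items()}
    unsalted = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in ACCOUNTS.items()}
    found_u, work_u = crack_unsalted(unsalted, WORDLIST)
    found_s, work_s = crack_salted(salted, WORDLIST)
    return {
        "same_password_same_hash": unsalted["alice"] == unsalted["bob"],   # True: leaks the reuse
        "same_password_same_record": salted["alice"] == salted["bob"],     # False: salt differs
        "unsalted_work": work_u,       # one pass over the wordlist, reused for every account
        "salted_work": work_s,         # a separate pass per account, stopping at the hit
        "cracked_unsalted": found_u,
        "cracked_salted": found_s,
    }


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The attacker with the salts still cracks all three weak passwords, so the salt is not a secret and is not meant to be one. What it removes is sharing of work: nothing can be precomputed before the breach, a hit on one account tells you nothing about another, and (with the iteration count stored beside it) every single guess costs a full key-stretching run.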


