The encoding mechanism used for Unix passwords was (and is) very secure, being a one-way algorithm, i.e. easy to apply but impossible to reverse. However, the password file itself is vulnerable to a cracking technique known as the "dictionary attack", in which all the words from a large dictionary file are in turn encoded and compared with the encoded password (readable by any user, remember) in /etc/passwd. This dictionary file is usually based on an actual English language dictionary with the addition of commonly-used words, slang, and weak passwords (for example, "gandalf", "xyzzy", "qwerty", or even, God help us, "password"). If the two match, then obviously our original, unencoded word is the password.
This sounds simple when you read about it, but it takes a while to run the tens or hundreds of thousands of entries against a single password. It is, however, still not all that difficult to do with today's high-performance computing systems. Shadow passwords let us keep the advantages of the Unix password mechanism, and thus backward compatibility with the huge base of Unix applications, while preventing this particular common form of attack.
The /etc/passwd file is almost the same standard comma-delimited file used since the Unix days, with a slight difference: the second field, which used to contain the password, now holds only an x. This indicates that the actual encrypted password is now stored elsewhere.
Note that the shadow password suite, like the older method, uses the seventh, so-called GECOS, field of /etc/passwd as an extension mechanism for adding other fields of information. The standard piece of information here is the user's full name. In addition, on systems with user disk quotas enabled, the flags for ulimit, umask, and niceness can be set here. The field is laid out as follows:
full name,office/room number,office phone,home phone
This layout is used by the finger command to display these additional details about the user as part of its output.
The /etc/shadow file stores the encoded password, and other information that enhances the standard Unix password scheme to include support for password aging. This establishes time limits as to how long a user can maintain one password for an account before it has to be changed to a different one, for the sake of increasing security. /etc/shadow is readable and writable by root, and readable by group shadow; no other users have any access.
The /etc/group file is another old standard designating groups of users within Unix and Linux systems. Each line consists of a group name, a password field, a unique group identifier, and a list of user accounts that belong to the group. As in the /etc/passwd file, the password field simply contains an "x" while the real group password is held in /etc/shadow.
The /etc/login.defs file is the master control file for the shadow password suite. You need to edit this file to configure the various options for the shadow password system.
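As an added example (my own code, not from the article or the shadow suite), the following Python audit parses constructed /etc/passwd and /etc/shadow content and reports accounts whose hash is still in the world-readable file, whose shadow entry has an empty password, or whose password has outlived its maximum age. It assumes the /etc/shadow field order documented in shadow(5); the account names and hash strings are invented placeholders.

```python
# Added example, not from the original article: audit constructed /etc/passwd and
# /etc/shadow content for accounts that are not shadowed, need no password, or have
# an expired password. /etc/shadow layout is the one documented in shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved (day counts since 1970-01-01).
from datetime import date

# Constructed sample files; none of these accounts or hashes are real.
PASSWD = """root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000:Joe Bloggs,Room 12,555-0100,555-0199:/home/joe:/bin/bash
legacy:$1$salt$placeholderhash:1001:1001:Old Account:/home/legacy:/bin/sh
guest:x:1002:1002:Guest:/home/guest:/bin/sh
"""
SHADOW = """root:$6$salt$placeholderhash:19000:0:99999:7:::
joe:$6$salt$placeholderhash:18000:0:90:7:::
guest::19000:0:99999:7:::
"""

def parse_passwd(text):
    """Map user name -> password field. /etc/passwd fields are colon-separated."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw = line.split(":", 2)[:2]
            users[name] = pw
    return users

def parse_shadow(text):
    """Map user name -> (hash, lastchg, max); empty aging fields become None."""
    entries = {}
    for line in text.splitlines():
        if line:
            f = line.split(":")
            if len(f) != 9:
                raise ValueError(f"malformed shadow line: {line!r}")
            lastchg, maxdays = (int(x) if x else None for x in (f[2], f[4]))
            entries[f[0]] = (f[1], lastchg, maxdays)
    return entries

def audit(passwd_text, shadow_text, today):
    """Return (user, finding) pairs; 'today' is a datetime.date."""
    today_days = (today - date(1970, 1, 1)).days
    findings = []
    for name, pw in parse_passwd(passwd_text).items():
        if pw != "x":                  # hash still in the world-readable file
            findings.append((name, "unshadowed"))
    for name, (pw_hash, lastchg, maxdays) in parse_shadow(shadow_text).items():
        if pw_hash == "":              # empty hash: login without any password
            findings.append((name, "empty-password"))
        elif None not in (lastchg, maxdays) and today_days - lastchg > maxdays:
            findings.append((name, "expired"))
    return findings
```

Run it as root against the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read(), date.today())`; the shadow file is unreadable to other users, which is the whole point.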
In addition to these files, there are a handful of programs that are used with the shadow password system, as shown in Table 1.
Table 1. Program (man page)

    login(1)
    passwd(1)
    su(1)
    sulogin(8)
    chage(1)
    pwconv(8)
    pwunconv(8)
    grpconv(8)
    grpunconv(8)
Delay in seconds before being allowed another attempt after a login failure
DIALUPS_CHECK_ENAB yes
Enable additional passwords upon dialup lines specified in /etc/dialups.
FAILLOG_ENAB yes
Enable logging and display of /var/log/faillog login failure info.
LOG_UNKFAIL_ENAB no
Enable display of unknown usernames when login failures are recorded.
LOG_OK_LOGINS no
Enable logging (to /var/log/wtmp) of successful logins.
LASTLOG_ENAB yes
Enable logging and display of /var/log/lastlog login time info.
MAIL_CHECK_ENAB yes
Enable checking and display of mailbox status upon login. Disable if the shell startup files already check for mail ("mailx -e" or equivalent).
OBSCURE_CHECKS_ENAB yes
Enable additional checks upon password changes.
PORTTIME_CHECKS_ENAB yes
Enable checking of time restrictions specified in /etc/porttime.
QUOTAS_ENAB yes
Enable setting of ulimit, umask, and niceness from passwd gecos field.
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
Enable "syslog" logging of su activity, in addition to sulog file logging. SYSLOG_SG_ENAB does the same for newgrp and sg.
CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04
Either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.
SULOG_FILE /var/log/sulog
All su activity is logged to this file.
MOTD_FILE /etc/motd
":" delimited list of "message of the day" files to be displayed upon login.
ISSUE_FILE /etc/issue
A file holding a short message that will be displayed before each login prompt.
TTYTYPE_FILE /etc/ttytype
A file which declares terminal types for particular tty lines. A typical file might look like:
linux tty1
linux tty2
linux tty3
linux tty4
wyse30 ttyS4
vt100 ttyp0
vt100 ttyp1
vt100 ttyp2
vt100 ttyp3
FTMP_FILE /var/log/btmp
Login *failures* will be logged here in a utmp format.
NOLOGINS_FILE /etc/nologin
This file, if present, will prevent non-root logins. The contents of the file will be displayed when login is denied, so it's obviously a good idea to write an explanation in here.
SU_NAME su
The command name to display when running "su -".
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
The directory (MAIL_DIR) or file (MAIL_FILE) where mail is stored. This is used for the "you have new mail" message on login. If both are defined, MAIL_DIR takes precedence.
HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin
If this file exists, all the normal messages displayed during the login sequence are suppressed. A full pathname says that "hushed" mode should be used if the user's name or shell are in that file; a bare filename indicates that hushed mode will be used if a file of that name exists in the user's home directory.
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin
The default PATH settings, for superuser and normal users respectively.
TTYGROUP tty
TTYPERM 0620
Terminal permissions: respectively, the group which owns device tty, and the permissions on the device file.
If the "write" program on your system is "setgid" to a special group which owns the terminals, then TTYGROUP should be set to that group number and TTYPERM to 0620. Otherwise, leave TTYGROUP commented out and set TTYPERM to either 622 or 600.
ERASECHAR 0177
KILLCHAR 025
UMASK 022
#ULIMIT 2097152
Login configuration initializations:
ERASECHAR is the default terminal ERASE character ('\010' = backspace).
KILLCHAR is the default terminal KILL character ('\025' = CTRL/U).
UMASK is the default "mask" that will be applied to the permissions on all new files created during this login, e.g. a umask of 077 means that an ordinary file will have default permissions of 600.
ULIMIT is the default "ulimit" value: the maximum size for a file under this login.
Note: Prefix these values with "0" to get octal, "0x" to get hexadecimal.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
The default values for password aging controls. The use of each field is, respectively, the maximum number of days a password may be used, the minimum number of days allowed between password changes, the minimum acceptable password length, and the number of days warning given before a password expires.
SU_WHEEL_ONLY no
If "yes", the user must be listed as a member of the first gid 0 group in /etc/group (called "root" on most Linux systems) to be able to "su" to uid 0 accounts. If the group doesn't exist or is empty, no one will be able to "su" to uid 0.
#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
The path to the dictionaries if the suite has been compiled with cracklib support.
UID_MIN 1000
UID_MAX 60000
Min/max values for automatic uid selection in useradd.
GID_MIN 100
GID_MAX 60000
Min/max values for automatic gid selection in groupadd.
LOGIN_RETRIES 5
Maximum number of login retries if the password is bad.
LOGIN_TIMEOUT 60
Maximum time in seconds before a login session expires; in other words, the amount of time allowed between entry of the username and entry of the password.
PASS_CHANGE_TRIES 5
Maximum number of attempts to change password if it is at first rejected.
PASS_ALWAYS_WARN yes
Warn about weak passwords even if you are root. Note that this will not stop root giving themselves a bad password; it just lets them know that the password is weak.
PASS_MAX_LEN 8
Number of significant characters in the password for crypt().
CHFN_AUTH yes
Require password before chfn/chsh can make any changes.
CHFN_RESTRICT frwh
Which fields may be changed by regular users using chfn. The letters are codes for full name, room number, work phone, home phone respectively. If not defined, no changes are allowed.
LOGIN_STRING "%s's Password: "
Password prompt (%s will be replaced by user name).
MD5_CRYPT_ENAB yes
Only works if compiled with MD5_CRYPT defined: If set to "yes", new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings. Set to "no" if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default is "no".
#CONSOLE_GROUPS floppy:audio:cdrom
List of groups to add to the user's supplementary group set when logging in on the console (as determined by the CONSOLE setting). Default is none. Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...
DEFAULT_HOME yes
Should login be allowed if we can't cd to the home directory? Default is no.
ENVIRON_FILE /etc/environment
If this file exists and is readable, login environment will be read from it. Every line should be in the form name=value.
USERDEL_CMD /usr/sbin/userdel_local
If defined, this command is run when removing a user. It should remove any at/cron/print jobs etc. owned by the user to be removed (passed as the first argument).
NO_PASSWORD_CONSOLE tty1:tty2:tty3:tty4:tty5:tty6
If defined, either full pathname of a file containing device names or a ":" delimited list of device names. No password is required to log in on these devices.
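An added example, written for this article rather than taken from it or from the shadow suite: a small parser for a login.defs fragment built from the settings listed above, followed by a review pass that flags the values a hardening checklist would question. The thresholds (90-day maximum age, 8-character minimum length) are my own illustrative choices, not requirements of the suite.

```python
# Added example, not from the original article: parse a login.defs fragment and
# flag settings that weaken the shadow suite's protections. The thresholds below
# are my own choices for illustration, not values mandated by the suite.
import re

# Constructed fragment using keys and values quoted in the article.
LOGIN_DEFS = """
# comment lines and blank lines are ignored
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
SU_WHEEL_ONLY   no
LOG_OK_LOGINS   no
MD5_CRYPT_ENAB  yes
LOGIN_RETRIES   5
NO_PASSWORD_CONSOLE tty1:tty2:tty3:tty4:tty5:tty6
#CONSOLE_GROUPS floppy:audio:cdrom
"""

def parse_login_defs(text):
    """Map KEY -> value string; '#' starts a comment, whitespace splits key and value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def check_login_defs(settings):
    """Return (key, reason) pairs for settings a reviewer would want changed."""
    findings = []
    if int(settings.get("PASS_MAX_DAYS", 99999)) >= 99999:
        findings.append(("PASS_MAX_DAYS", "password aging is effectively disabled"))
    if int(settings.get("PASS_MIN_LEN", 5)) < 8:
        findings.append(("PASS_MIN_LEN", "minimum password length below 8"))
    if settings.get("SU_WHEEL_ONLY", "no").lower() != "yes":
        findings.append(("SU_WHEEL_ONLY", "su to uid 0 not limited to the gid 0 group"))
    if settings.get("LOG_OK_LOGINS", "no").lower() != "yes":
        findings.append(("LOG_OK_LOGINS", "successful logins are not logged"))
    if "NO_PASSWORD_CONSOLE" in settings:
        findings.append(("NO_PASSWORD_CONSOLE", "password-less login on the listed devices"))
    if "CONSOLE_GROUPS" in settings:
        findings.append(("CONSOLE_GROUPS", "console users gain extra group memberships"))
    return findings
```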
$ passwd -l joe
The passwd program does some checking for poor passwords when a user attempts to change their password. Poor passwords will be rejected. It doesn't use a dictionary, but a set of simple algorithms that can detect common flaws in passwords. It can't be a palindrome; more than half the characters must be different; there should be a mix of letters and numbers, and/or letters should be mixed-case; and it mustn't be too short: for example, a password consisting only of lower-case letters must be 8 characters, while if there is a mix of case it can be 7 or 8 characters, and so on.
The password aging information is maintained by root using the -x, -n, -w, and -i options to the passwd command.
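As an added illustration (my own code, not the passwd program's), here is a checker that applies the rules just described. The length required for each character mix is my reading of the article's "7 or 8 characters, etc." and is an assumption: 8 for one character class, 7 for two, 6 for three or more.

```python
# Added example, not from the original article: a checker modelled on the simple
# rules the article attributes to passwd. The length thresholds per character
# mix are my own reading of the text, not the suite's actual code.
def char_classes(pw):
    """Count how many of lower, upper, digit and other character classes appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in pw))

def obscure_check(pw):
    """Return the reasons a password would be rejected; an empty list means accepted."""
    reasons = []
    if pw == pw[::-1]:
        reasons.append("palindrome")
    if len(set(pw)) * 2 <= len(pw):           # more than half must be different
        reasons.append("too few different characters")
    classes = char_classes(pw)
    if classes < 2:                           # needs mixed case or letters and digits
        reasons.append("needs a mix of case or letters and digits")
    required = {1: 8, 2: 7}.get(classes, 6)   # assumed thresholds, see lead-in
    if len(pw) < required:
        reasons.append(f"too short: {len(pw)} < {required} for this character mix")
    return reasons
```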
Copyright © 1995-2007
Paul Dunne,