

Shadow Passwords: What Good Are They?

On a Linux system without the Shadow Suite installed, user information (including passwords) is stored in the /etc/passwd file. The password is stored in an encoded format: although it looks like gibberish to a human, it is simply the output of the UNIX crypt function, which encrypts a block of nulls using the password as the key.

It is difficult but possible to take a given encoded password and re-create the original password. However, because people may get lazy sometimes, on any system with more than a few users, some of the passwords are likely to be common words or simple variations. It’s quite possible, and within the means of many, to encrypt a dictionary list and compare it to the password list in /etc/passwd. Other attacks are possible and used often, but this brute force approach is simple and easy to do. In addition to passwords, the /etc/passwd file also contains information such as user IDs and group IDs that are read by many system programs, so the /etc/passwd file must remain world readable.

Shadow passwording moves the passwords to another file, usually /etc/shadow, which is set to be readable only by root. Moving the passwords to the /etc/shadow file prevents an attacker from having access to the encoded passwords with which to perform a dictionary attack.

The Shadow Suite is included with most of the standard distributions of Linux.

However, in some cases such as the following, installing the Shadow Suite would NOT be a good idea:

  The system does not contain user accounts.
  The system is running on a LAN and uses NIS (Network Information Services) to get or supply usernames and passwords to other machines on the network.
  The system is used by terminal servers to verify users via NFS (Network File System), NIS, or some other method.
  The system runs other software that validates users, AND there is no shadow version available, AND you don’t have the source code.

The /etc/passwd and /etc/shadow Files

A non-shadowed /etc/passwd file has the following format:


username:passwd:UID:GID:full_name:directory:shell

For example:


username:Npje044eh3mx8e:507:200:Full Name:/home/username:/bin/csh

A shadowed /etc/passwd file would instead contain:


username:x:507:100:Full Name:/home/username:/bin/csh

The x in the second field is now a placeholder for the real password, which is stored in the shadow file /etc/shadow. The /etc/shadow file has the following format:


username:passwd:last:may:must:warn:expire:disable:reserved

Table 12.1 outlines the fields in the /etc/shadow file.

Table 12.1 Fields in an /etc/shadow File Entry

Field      Description
username   The name used to log in.
password   The encoded password.
last       Days since Jan 1, 1970 that the password was last changed.
may        Days before the password may be changed.
must       Days after which the password must be changed.
warn       Days before the password is to expire that the user is warned.
expire     Days after the password expires that the account is disabled.
disable    Days since Jan 1, 1970 that the account is disabled.
reserved   A reserved field.
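The aging fields in Table 12.1 are easier to understand when you see them evaluated. The following is an added example, not code from the book or from the Shadow Suite: it parses /etc/shadow lines in the format above and classifies each account for a given day number. The sample entries and their placeholder hashes are constructed. It assumes the standard Shadow Suite conventions that an empty password field means no password, that a leading "!" or "*" in the password field marks a locked account (passwd -l prefixes "!"), and that a maximum age of 99999 means the password never expires.

```python
"""Parse /etc/shadow entries and classify each account by its aging fields.

Added example, not code from the book or the Shadow Suite. The sample entries
are constructed; the hashes are placeholders. Field order follows Table 12.1:
username:passwd:last:may:must:warn:expire:disable:reserved
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed /etc/shadow sample (placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000::::::
alice:$6$PLACEHOLDERHASH:18900:7:90:14:::
bob:$6$PLACEHOLDERHASH:18700:0:90:7:10::
carol:!$6$PLACEHOLDERHASH:18990:0:99999:7:::
dave::19000:0:99999:7:::
eve:$6$PLACEHOLDERHASH:19000:0:99999:7::18950:
frank:$6$PLACEHOLDERHASH:18930:0:90:7:::
grace:$6$PLACEHOLDERHASH:18925:0:90:7:::
heidi:$6$PLACEHOLDERHASH:0:0:90:7:::
"""


@dataclass
class ShadowEntry:
    username: str
    password: str            # encoded password; "" = none, leading "!" or "*" = locked
    last: Optional[int]      # day the password was last changed (days since 1970-01-01)
    may: Optional[int]       # minimum days between changes
    must: Optional[int]      # maximum days a password stays valid
    warn: Optional[int]      # days of warning before expiry
    expire: Optional[int]    # inactivity days after expiry before the account is disabled
    disable: Optional[int]   # absolute day on which the account is disabled
    reserved: str


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    numeric = [_int_or_none(f) for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *numeric, fields[8])


def password_status(e: ShadowEntry, today: int) -> str:
    """Classify one entry relative to `today` (days since 1970-01-01)."""
    if e.password == "":
        return "NO PASSWORD"                 # the condition pwck warns about
    if e.password.startswith(("!", "*")):
        return "locked"                      # passwd -l prefixes the hash with "!"
    if e.disable is not None and today >= e.disable:
        return "account disabled"
    if e.last == 0:
        return "must change at next login"
    if e.last is None or e.must is None or e.must >= 99999:
        return "no aging"                    # 99999 is the conventional "never expires"
    age = today - e.last
    if age > e.must:
        if e.expire is not None and age > e.must + e.expire:
            return "disabled (inactive)"
        return "expired"
    remaining = e.must - age
    if e.warn is not None and remaining <= e.warn:
        return f"expires in {remaining} days"
    return "ok"


def audit_shadow(text: str, today: int) -> Dict[str, str]:
    """Map each username in a shadow file to its status."""
    return {
        e.username: password_status(e, today)
        for e in (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    }


if __name__ == "__main__":
    # Day 19010 is an arbitrary "today" chosen for the constructed sample.
    for user, status in audit_shadow(SAMPLE_SHADOW, today=19010).items():
        print(f"{user:8} {status}")
```

On a real system, read /etc/shadow as root and pass the current day count (seconds since the epoch divided by 86400) as `today`; the "NO PASSWORD" and "expired" results are the ones worth alerting on.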

Adding, Changing, and Deleting Users with Shadowed Passwords

The Shadow Suite adds the following command-line commands for adding, modifying, and deleting users: useradd, usermod, and userdel.

useradd
The useradd command is used to add users to the system. You also invoke this command to change the default settings.

The first thing that you should do is examine the default settings and make changes specific to your system with the following command:


useradd -D

usermod
The usermod utility is used to modify the information on a user and is very similar to the useradd program.

userdel
userdel enables you to delete a user's account with this command:

userdel -r username

The -r option removes the user's home directory along with all the files in it. A less drastic way to eliminate a user from the system is to use the passwd command to lock the user's account.

passwd
In addition to setting and changing passwords, the root user can use the passwd command to perform the following tasks:
  Lock and unlock accounts (with the -l and -u options)
  Set the maximum number of days that a password remains valid (-x)
  Set the minimum days between password changes (-n)
  Set the number of days of warning that a password is about to expire (-w)
  Set the number of days after the password expires before the account is locked (-i)

pwck
The program pwck enables you to check on the consistency of the /etc/passwd and /etc/shadow files. It checks each username and verifies that each entry has the following:
  correct number of fields
  unique user name
  valid user and group identifier
  valid primary group
  valid home directory
  valid login shell

Finally, pwck also warns of any account that has no password.
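To make the checks above concrete, here is an added example that performs pwck-style consistency checks in Python; it is not the Shadow Suite's pwck, and the /etc/passwd, /etc/shadow and /etc/group contents it reads are constructed strings with placeholder hashes so it runs offline. It verifies the field count, unique user names, numeric UID and GID, a primary group that exists in the group file, an absolute home directory, a login shell from a supplied list, and, going slightly beyond the list above, that every x in /etc/passwd has a matching shadow entry, that no password is left unshadowed in /etc/passwd, and that no account has an empty password.

```python
"""pwck-style consistency check over /etc/passwd, /etc/shadow and /etc/group.

Added example, not the Shadow Suite's pwck. All inputs are constructed strings
so the check runs offline; on a real system the files would be read from disk
(/etc/shadow needs root) and the shell list from /etc/shells.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (username, problem)

# Constructed sample files. Hashes are placeholders, not real ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:507:100:Alice:/home/alice:/bin/csh
bob:x:508:999:Bob:/home/bob:/bin/bash
carol:x:abc:100:Carol:/home/carol:/bin/bash
alice:x:509:100:Alice Two:/home/alice2:/bin/bash
dave:x:510:100:Dave:/home/dave
eve:x:511:100:Eve::/bin/fish
frank:$6$PLACEHOLDERHASH:512:100:Frank:/home/frank:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000::::::
alice:$6$PLACEHOLDERHASH:19000:0:99999:7:::
bob::19000:0:99999:7:::
carol:$6$PLACEHOLDERHASH:19000:0:99999:7:::
dave:$6$PLACEHOLDERHASH:19000:0:99999:7:::
zed:$6$PLACEHOLDERHASH:19000:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:alice,bob
"""
SAMPLE_SHELLS = ["/bin/sh", "/bin/bash", "/bin/csh"]


def check_consistency(passwd_text: str, shadow_text: str,
                      group_text: str, shells: List[str]) -> List[Finding]:
    findings: List[Finding] = []

    # Valid primary GIDs are the third field of /etc/group.
    gids = {int(p[2]) for p in (l.split(":") for l in group_text.splitlines())
            if len(p) >= 3 and p[2].isdigit()}

    shadow: Dict[str, List[str]] = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) != 9:
            findings.append((parts[0], f"shadow entry has {len(parts)} fields, expected 9"))
            continue
        shadow[parts[0]] = parts
        if parts[1] == "":
            findings.append((parts[0], "empty password in shadow"))

    seen = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        user = parts[0]
        if len(parts) != 7:
            findings.append((user, f"wrong number of fields ({len(parts)})"))
            continue
        _, pw, uid, gid, _gecos, home, shell = parts
        if user in seen:
            findings.append((user, "duplicate user name"))
        seen.add(user)
        if not uid.isdigit():
            findings.append((user, f"invalid UID {uid!r}"))
        if not gid.isdigit():
            findings.append((user, f"invalid GID {gid!r}"))
        elif int(gid) not in gids:
            findings.append((user, f"unknown primary group {gid}"))
        if not home.startswith("/"):
            findings.append((user, "missing or relative home directory"))
        if shell not in shells:
            findings.append((user, f"shell {shell!r} not in /etc/shells"))
        if pw == "x" and user not in shadow:
            findings.append((user, "no shadow entry"))
        elif pw == "":
            findings.append((user, "empty password in passwd"))
        elif pw != "x":
            findings.append((user, "password not shadowed"))  # hash is world-readable

    passwd_users = {l.split(":")[0] for l in passwd_text.splitlines()}
    for user in shadow:
        if user not in passwd_users:
            findings.append((user, "shadow entry without passwd entry"))
    return findings


if __name__ == "__main__":
    for user, problem in check_consistency(SAMPLE_PASSWD, SAMPLE_SHADOW,
                                           SAMPLE_GROUP, SAMPLE_SHELLS):
        print(f"{user}: {problem}")
```

Like pwck -r, the function only reports; it never edits the files. A non-empty result is what you would want mailed to you from a cron job.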


NOTE:  It's a good idea to run pwck after installing the Shadow Suite. It's also a good idea to run it periodically—perhaps weekly or monthly. If you use the -r option, you can use cron to run it on a regular basis and have the report mailed to you.

grpck
grpck is the consistency checking program for the /etc/group and /etc/gshadow files. It checks for the correct number of fields, unique group names, and a valid list of members and administrators.

Again, the -r option generates an automated report, so you can use cron to trigger this check automatically.

