Shadow Passwords

The shadow password file, /etc/shadow, can be read only by root. It grants no world or group file permissions. It is designed to prevent ordinary users from reading the encrypted passwords and subjecting them to a dictionary attack. In Appendix A, this feature is enabled by selecting Enable Shadow Passwords during the Red Hat installation, in the same window in which MD5 passwords are enabled. On a running Red Hat system, authconfig --enableshadow can be used to enable the use of the shadow password file.

In addition to improved password security, the shadow password file provides the system administrator with some password-management features. The shadow password file contains encrypted passwords and the information needed to manage them. The format of a shadow password file entry is the following:

username:password:changed:min:max:warn:inactive:close:reserved

In this entry,

• username is the login username.

• password is the encrypted password.

• changed is the date that the password was last changed, written as the number of days from January 1, 1970, to the date of the change.

• min is the minimum number of days the user must keep a new password before it can be changed.

• max is the maximum number of days the user is allowed to keep a password before it must be changed.

• warn is the number of days that the user is warned before the password expires.

• inactive is the number of days after the password expires before the account is locked. After the account is locked, the user is not able to log in and change his password.

• close is the date on which the account will be closed, written as the number of days from January 1, 1970, to the date that the account will be closed.

• reserved is a field reserved for the system's use.

An excerpt from the shadow password file on a Red Hat system is shown in Listing 12.6.

Listing 12.6: Excerpts from the Shadow Password File

root:$1$1yBKhGuF$xocwED2RSGT03jEtq4yJ0/:11530:0:99999:7:::
xfs:!!:11530:0:99999:7::
gdm:!!:11530:0:99999:7::
craig:$1$W/j5NklD$J.wD9I/toKet.:11530:0:99999:7:::
kathy:$1$iugiomsnsi/ufdjhbhjbih:11720:0:99999:7:::
sara:$1$piuhihblhj./ddkibhtyjjt:11751:0:99999:7:::
david:$1$kjiojhjhjkhplttw3vjhvu:11751:0:99999:7:::
rebecca:$1$ihiohuhxvf5 6/uhhfhjH:11751:0:99999:7:::

The encrypted password appears only in this file. Every password field in the /etc/passwd file contains an x, which tells the system to look in the shadow file for the real password. Every password field in the /etc/shadow file contains either an encrypted password, !!, or *. If the password field contains !!, it means that the account has a valid login shell, but the account is locked so that no one can log in through the account. If the password field contains *, it indicates that this is a system account, such as daemon or uucp, which does not have a login shell and therefore is not a login account.
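As an added example (not code from the book), here is a small Python parser and aging audit for entries in the field layout listed above, using the !! and * conventions just described; the alice and carol entries and their hashes are constructed, and the audit date is passed as days since January 1, 1970 to match the file's own units.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_AGING = 99999  # the max value Red Hat writes when password aging is disabled
NUMERIC = ("changed", "min", "max", "warn", "inactive", "close")

def parse_shadow_line(line):
    # Pad short lines (missing trailing colons); empty numeric fields become None.
    fields = (line.rstrip("\n").split(":") + [""] * 9)[:9]
    entry = {"username": fields[0], "password": fields[1]}
    for name, raw in zip(NUMERIC, fields[2:8]):
        entry[name] = int(raw) if raw.strip() else None
    return entry

def account_status(password):
    if password == "!!":
        return "locked"  # valid login shell, but nobody can log in
    if password == "*":
        return "system"  # system account without a login shell
    return "hashed"

def days_to_date(days):
    return EPOCH + timedelta(days=days)  # changed/close are days since 1970-01-01

def audit(text, today_days):
    # Return (username, finding) pairs; today_days is days since 1970-01-01.
    findings = []
    for line in filter(str.strip, text.splitlines()):
        e = parse_shadow_line(line)
        if account_status(e["password"]) != "hashed":
            continue  # locked and system accounts have nothing to age
        if e["max"] is None or e["max"] >= NO_AGING:
            findings.append((e["username"], "no password aging"))
        elif e["changed"] is not None:
            expiry = e["changed"] + e["max"]
            if today_days > expiry:
                findings.append((e["username"], "password expired"))
            if e["inactive"] is not None and today_days > expiry + e["inactive"]:
                findings.append((e["username"], "account locked by inactivity"))
        if e["close"] is not None and today_days > e["close"]:
            findings.append((e["username"], "account closed"))
    return findings

# Constructed sample: root and xfs are copied from the listing above, the rest are made up.
SAMPLE = """\
root:$1$1yBKhGuF$xocwED2RSGT03jEtq4yJ0/:11530:0:99999:7:::
xfs:!!:11530:0:99999:7::
alice:$1$CONSTRUCT$notARealHashJustASampleXX:11700:0:90:7:14::
carol:$1$CONSTRUCT$notARealHashJustASampleYY:11700:0:99999:7::11790:
"""
```

Running audit(SAMPLE, 11800) flags alice's expired password, root's and carol's disabled aging, and carol's closed account, while the locked xfs entry is skipped.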
