Shadow Passwords

It is a security risk to keep password hashes in /etc/passwd because that file has to be world-readable (many programs need it to map user IDs to names), so anyone with an account can copy it and run a password-cracking program against the hashes offline with little trouble. To avoid this risk, shadow passwords are used: only an x appears in the password field of /etc/passwd, and the real password hashes are kept in /etc/shadow, a file that can be read only by root and by the authentication helpers used by PAM, the Pluggable Authentication Modules authentication manager (see the "PAM Explained" sidebar for an explanation of PAM).

Special versions of the traditional passwd and login programs, ones that know to consult /etc/shadow, must be used to enable shadow passwords. Shadow passwords are enabled automatically when Ubuntu is installed.

Let's examine a listing of the shadow companion to /etc/passwd, the /etc/shadow file:

messagebus:!:13299:0:99999:7:::
haldaemon:!:13299:0:99999:7:::
andrew:$1$6LT/qkWL$sPJPp.2QkpC8JPtpRk906/:13299:0:99999:7:::
beagleindex:!:13299:0:99999:7:::

The fields are separated by colons and are, in order:

1. The user's login name.

2. The hashed password for the user (hashed, not encrypted: the original password cannot be recovered from it, only guessed at and verified). A "!" or "*" here, as in the messagebus, haldaemon and beagleindex entries above, is not a valid hash, so no typed password can ever match and password login for that account is disabled. An empty field means no password is required at all, which is worse than a weak one.

3. The number of days since January 1, 1970 that the password was last changed (13299 in the listing above is May 31, 2006). January 1, 1970 is known in UNIX circles as the epoch. Just so you know, the billionth second since the epoch occurred in September 2001; that was the UNIX version of Y2K, and not much happened because of it. A value of 0 in this field forces the user to change the password at the next login.

4. The minimum number of days before the password can be changed again (prevents changing a password and then changing it back to the old password right away, a dangerous security practice).

5. The maximum number of days after which the password must be changed. This can be set to force the change of a newly issued password known to the system administrator.

6. The number of days before the password expires that the user is warned it will expire.

7. The number of days after the password expires during which the old password is still accepted (the user is forced to pick a new one at login); once this grace period is over, the account is locked.

8. The number of days since January 1, 1970 on which the account itself expires and is disabled. Unlike password expiration, this blocks login outright rather than prompting for a new password.

9. The final field is reserved for future use and is currently left empty.

Note that every account in the listing above has a maximum password age of 99999 days and an empty account-expiration field. That is Ubuntu's default, and in practice it disables password expiration (the 7-day warning is set but never reached). These features are rarely used on home systems and usually not used in small offices. It is the sysadmin's responsibility to establish and enforce a password expiration policy: per user with chage (for example, chage -M 90 -W 14 username; chage -l username shows the current settings), or system-wide for newly created accounts through PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs.

The permissions on the /etc/shadow file must not allow regular users to read or write it, since a readable copy is exactly what shadowing is meant to prevent. Mode 600 (owner root, no group or world access) is the strict setting; Ubuntu ships the file as mode 640, owned by root with group shadow, so that a few setgid helper programs in that group can verify passwords without running as root. Either is acceptable; what must never appear is a world-readable bit. Check with ls -l /etc/shadow, and on Ubuntu restore the shipped state with chown root:shadow /etc/shadow and chmod 640 /etc/shadow.
