Why shadow your passwd file?
On a Linux system without the Shadow Suite installed, user information including passwords is stored in the /etc/passwd file. Many people would say that the password is stored in an encrypted format. If you ask a cryptography expert, however, he or she will tell you that the password is actually in an encoded rather than encrypted format because when using crypt(3), the text is set to null and the password is the key. Therefore, from here on, I will use the term encoded in this document.
The algorithm used to encode the password field is technically referred to as a one way hash function. This is an algorithm that is easy to compute in one direction, but very difficult to calculate in the reverse direction. More about the actual algorithm used can be found in section 2.4 or your crypt(3) manual page.
When a user picks or is assigned a password, it is encoded with a randomly generated value called the salt. This means that any particular password could be stored in 4096 different ways. The salt value is then stored with the encoded password.
When a user logs in and supplies a password, the salt is first retrieved from the stored encoded password. Then the supplied password is encoded with the salt value, and then compared with the encoded password. If there is a match, then the user is authenticated.
It is computationally difficult (but not impossible) to take a randomly encoded password and recover the original password. However, on any system with more than just a few users, at least some of the passwords will be common words (or simple variations of common words).
System crackers know all this, and will simply encrypt a dictionary of words and common passwords using all possible 4096 salt values. Then they will compare the encoded passwords in your /etc/passwd file with their database. Once they have found a match, they have the password for another account. This is referred to as a dictionary attack, and is one of the most common methods for gaining or expanding unauthorized access to a system.
If you think about it, an 8 character password encodes to 4096 * 13 character strings. So a dictionary of say 400,000 common words, names, passwords, and simple variations would easily fit on a 4GB hard drive. The attacker need only sort them, and then check for matches. Since a 4GB hard drive can be had for under $1000.00, this is well within the means of most system crackers.
Also, if a cracker obtains your /etc/passwd file first, they only need to encode the dictionary with the salt values actually contained in your /etc/passwd file. This method is usable by your average teenager with a couple of hundred spare Megabytes and a 486 class computer.
Even without lots of drive space, utilities like crack(1) can usually break at least a couple of passwords on a system with enough users (assuming the users of the system are allowed to pick their own passwords).
The /etc/passwd file also contains information like user ID's and group ID's that are used by many system programs. Therefore, the /etc/passwd file must remain world readable. If you were to change the /etc/passwd file so that nobody can read it, the first thing that you would notice is that the ls -l command now displays user ID's instead of names!
The Shadow Suite solves the problem by relocating the passwords to another file (usually /etc/shadow). The /etc/shadow file is set so that it cannot be read by just anyone. Only root will be able to read and write to the /etc/shadow file. Some programs (like xlock) don't need to be able to change passwords, they only need to be able to verify them. These programs can either be run suid root or you can set up a group shadow that is allowed read only access to the /etc/shadow file. Then the program can be run sgid shadow.
By moving the passwords to the /etc/shadow file, we are effectively keeping the attacker from having access to the encoded passwords with which to perform a dictionary attack.
Additionally, the Shadow Suite adds lots of other nice features:
- A configuration file to set login defaults (
/etc/login.defs)
- Utilities for adding, modifying, and deleting user accounts and groups
- Password aging and expiration
- Account expiration and locking
- Shadowed group passwords (optional)
- Double length passwords (16 character passwords) NOT RECOMMENDED
- Better control over user's password selection
- Dial-up passwords
- Secondary authentication programs
- Pluggable Authentication Modules (PAM) support
- Support for setting ulimits
Installing the Shadow Suite contributes toward a more secure system, but there are many other things that can also be done to improve the security of a Linux system. For more Linux security issues and tips, see the Linux Security HOWTO.
For current information on other Linux security issues, including warnings on known vulnerabilities see the Linux Security WWW. and the Linux Security home page.
Why you might NOT want to install the Shadow Suite.
There are a few circumstances and configurations in which installing the Shadow Suite would NOT be a good idea:
- Your distribution already contains shadow code. You should look in your
/etc/passwd file and determine if passwords are actually being stored there. If you don't see any, try changing your password and look again. Many distributions come with accounts with no password.
- If you are running RedHat, you should use the RPM that is approporiate for your RedHat version to install shadow support. RedHat's shadow support is not the same as that documented here, so refer to RedHat's documentation
- If the machine does not contain any user accounts, then you probably don't need shadow support, unless you are installing it just to gain the experience.
- If your machine is running on a LAN and is using NIS (Network Information Services) to get or supply user names and passwords to other machines on the network you would an NIS compatable shadow suite.. (This can actually be done, but is beyond the scope of this document, and should be done in conjunction with cryptographically secure software)
- If your machine is being used by terminal servers to verify users via NFS (Network File System), NIS, or some other method you probably can't shadow your system without breaking that software. If your terminal server supports RADIUS, that is probably your best solution.
- If your machine runs other software that validates users, and there is no shadow version available, and you don't have the source code you shouldn't install the Shadow Suite.
- If your machine is setup as a RADIUS server that authenticates users that are connecting to a terminal server. You actually can and should shadow a RADIUS server, but you will need a RADUIS server that has been patched to allow shadowed passwords. Both Livingston and Ascend have shadow support in their Radius servers. Some RADIUS servers have shadow support, but don't recognize the expired account and expired password fields.
Format of the /etc/passwd file
A non-shadowed /etc/passwd file has the following format:
username:passwd:UID:GID:full_name:directory:shell
Where:
username
The user (login) name
passwd
The encoded password
UID
Numerical user ID
GID
Numerical default group ID
full_name
The user's full name – Actually this field is called the GECOS (General Electric Comprehensive Operating System) field and can store information other than just the full name. The Shadow commands and manual pages refer to this field as the comment field.
directory
User's home directory (Full pathname)
shell
User's login shell (Full Pathname)
For example:
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
Where Np is the salt and ge08pfz4wuk is the encoded password. The encoded salt/password could just as easily have been kbeMVnZM0oL7I and the two are exactly the same password. There are 4096 possible encodings for the same password. (The example password in this case is 'password', a really bad password).
Once the shadow suite is installed, the /etc/passwd file would instead contain:
username:x:503:100:Full Name:/home/username:/bin/sh
The x in the second field in this case is now just a place holder. The format of the /etc/passwd file really didn't change, it just no longer contains the encoded password. This means that any program that reads the /etc/passwd file but does not actually need to verify passwords will still operate correctly.
The passwords are now relocated to the shadow file (usually /etc/shadow file).
Format of the shadow file
The /etc/shadow file contains the following information:
username:passwd:last:may:must:warn:expire:disable:reserved
Where:
username
The User Name
passwd
The Encoded password
last
Days since Jan 1, 1970 that password was last changed
may
Days before password may be changed
must
Days after which password must be changed
warn
Days before password is to expire that user is warned
expire
Days after password expires that account is disabled
disable
Days since Jan 1, 1970 that account is disabled
reserved
A reserved field
The previous example might then be:
username:Npge08pfz4wuk:9479:0:10000::::
Review of crypt(3).
From the crypt(3) manual page:
"crypt is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.
The key is a user's typed password. The encoded string is all NULLs
The salt is a two-character string chosen from the set a-zA-Z0-9./. This string is used to perturb the algorithm in one of 4096 different ways.
By taking the lowest 7 bits of each character of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose content is overwritten by each call.
Warning: The key space consists of 2**56 equal 7.2e16 possible values. Exhaustive searches of this key space are possible using massively parallel computers. Software, such as crack(1), is available which will search the portion of this key space that is generally used by humans for passwords. Hence, password selection should, at minimum, avoid common words and names. The use of a passwd(1) program that checks for crackable passwords during the selection process is recommended.
The DES algorithm itself has a few quirks which make the use of the crypt(3) interface a very poor choice for anything other than password authentication. If you are planning on using the crypt(3) interface for a cryptography project, don't do it: get a good book on encryption and one of the widely available DES libraries."
Most Shadow Suites contain code for doubling the length of the password to 16 characters. Experts in des recommend against this, as the encoding is simply applied first to the left half and then to the right half of the longer password. Because of the way crypt works, this may make for a less secure encoded password then if double length passwords were not used in the first place. Additionally, it is less likely that a user will be able to remember a 16 character password.
There is development work under way that would allow the authentication algorithm to be replaced with something more secure and with support for longer passwords (specifically the MD5 algorithm) and retain compatibility with the crypt method.
If you are looking for a good book on encryption, I recommend:
"Applied Cryptography: Protocols, Algorithms, and Source Code in C"
by Bruce Schneier <schneier@chinet.com>
ISBN: 0-471-59756-2
Putting the Shadow Suite to use.
This section discusses some of the things that you will want to know now that you have the Shadow Suite installed on your system. More information is contained in the manual pages for each command.
Adding, Modifying, and deleting users
The Shadow Suite added the following command line oriented commands for adding, modifying, and deleting users. You may also have installed the adduser program.
useradd
The useradd command can be used to add users to the system. You also invoke this command to change the default settings.
The first thing that you should do is to examine the default settings and make changes specific to your system:
useradd -D
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
The defaults are probably not what you want, so if you started adding users now you would have to specify all the information for each user. However, we can and should change the default values.
On my system:
- I want the default group to be 100
- I want passwords to expire every 60 days
- I don't want to lock an account because the password is expired
- I want to default shell to be
/bin/bash
To make these changes I would use:
useradd -D -g100 -e60 -f0 -s/bin/bash
Now running useradd -D will give:
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
Just in case you wanted to know, these defaults are stored in the file /etc/default/useradd.
Now you can use useradd to add users to the system. For example, to add the user fred, using the defaults, you would use the following:
useradd -m -c "Fred Flintstone" fred
This will create the following entry in the /etc/passwd file:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
And the following entry in the /etc/shadow file:
fred:!:0:0:60:0:0:0:0
fred's home directory will be created and the contents of /etc/skel will be copied there because of the -m switch.
Also, since we did not specify a UID, the next available one was used.
fred's account is created, but fred still won't be able to login until we unlock the account. We do this by changing the password.
passwd fred
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
Now the /etc/shadow will contain:
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
And fred will now be able to login and use the system. The nice thing about useradd and the other programs that come with the Shadow Suite is that they make changes to the /etc/passwd and /etc/shadow files atomically. So if you are adding a user, and another user is changing their password at the same time, both operations will be performed correctly.
You should use the supplied commands rather than directly editing /etc/passwd and /etc/shadow. If you were editing the /etc/shadow file, and a user were to change his password while you are editing, and then you were to save the file you were editing, the user's password change would be lost.
Here is a small interactive script that adds users using useradd and passwd:
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
# Suite's useradd and passwd commands.
#
# Written my Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto. Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program. It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#
##
# Defaults for the useradd command
##
GROUP=100 # Default Group
HOME=/home # Home directory location (/home/username)
SKEL=/etc/skel # Skeleton Directory
INACTIVE=0 # Days after password expires to disable account (0=never)
EXPIRE=60 # Days that a passwords lasts
SHELL=/bin/bash # Default Shell (full path)
##
# Defaults for the passwd command
##
PASSMIN=0 # Days between password changes
PASSWARN=14 # Days before password expires that a warning is given
##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ $WHOAMI != "root" ]; then
echo "You must be root to add news users!"
exit 1
fi
##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least on space, and without the "'s
# the useradd command would think that you we moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
-f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME
##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1
##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n " "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n " "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n " "
passwd -S $USERNAME
echo ""
Using a script to add new users is really much more preferable than editing the /etc/passwd or /etc/shadow files directly or using a program like the Slackware adduser program. Feel free to use and modify this script for your particular system.
For more information on the useradd see the online manual page.
usermod
The usermod program is used to modify the information on a user. The switches are similar to the useradd program.
Let's say that you want to change fred's shell, you would do the following:
usermod -s /bin/tcsh fred
Now fred's /etc/passwd file entry would be change to this:
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
Let's make fred's account expire on 09/15/97:
usermod -e 09/15/97 fred
Now fred's entry in /etc/shadow becomes:
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
For more information on the usermod command see the online manual page.
userdel
userdel does just what you would expect, it deletes the user's account. You simply use:
userdel -r username
The -r causes all files in the user's home directory to be removed along with the home directory itself. Files located in other file system will have to be searched for and deleted manually.
If you want to simply lock the account rather than delete it, use the passwd command instead.
The passwd command and passwd aging.
The passwd command has the obvious use of changing passwords. Additionally, it is used by the root user to:
- Lock and unlock accounts (
-l and -u)
- Set the maximum number of days that a password remains valid (
-x)
- Set the minimum days between password changes (
-n)
- Sets the number of days of warning that a password is about to expire (
-w)
- Sets the number of days after the password expires before the account is locked (
-i)
- Allow viewing of account information in a clearer format (
-S)
For example, let look again at fred
passwd -S fred
fred P 03/04/96 0 60 0 0
This means that fred's password is valid, it was last changed on 03/04/96, it can be changed at any time, it expires after 60 days, fred will not be warned, and and the account won't be disabled when the password expires.
This simply means that if fred logs in after the password expires, he will be prompted for a new password at login.
If we decide that we want to warn fred 14 days before his password expires and make his account inactive 14 days after he lets it expire, we would need to do the following:
passwd -w14 -i14 fred
Now fred is changed to:
fred P 03/04/96 0 60 14 14
For more information on the passwd command see the online manual page.
The login.defs file.
The file /etc/login is the configuration file for the login program and also for the Shadow Suite as a whole.
/etc/login contains settings from what the prompts will look like to what the default expiration will be when a user changes his password.
The /etc/login.defs file is quite well documented just by the comments that are contained within it. However, there are a few things to note:
- It contains flags that can be turned on or off that determine the amount of logging that takes place.
- It contains pointers to other configuration files.
- It contains defaults assignments for things like password aging.
From the above list you can see that this is a rather important file, and you should make sure that it is present, and that the settings are what you desire for your system.
Group passwords.
The /etc/groups file may contain passwords that permit a user to become a member of a particular group. This function is enabled if you define the constant SHADOWGRP in the /usr/src/shadow-YYMMDD/config.h file.
If you define this constant and then compile, you must create an /etc/gshadow file to hold the group passwords and the group administrator information.
When you created the /etc/shadow, you used a program called pwconv, there no equivalent program to create the /etc/gshadow file, but it really doesn't matter, it takes care of itself.
To create the initial /etc/gshadow file do the following:
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
Once you create new groups, they will be added to the /etc/group and the /etc/gshadow files. If you modify a group by adding or removing users or changing the group password, the /etc/gshadow file will be changed.
The programs groups, groupadd, groupmod, and groupdel are provided as part of the Shadow Suite to modify groups.
The format of the /etc/group file is as follows:
groupname:!:GID:member,member,...
Where:
groupname
The name of the group
!
The field that normally holds the password, but that is now relocated to the /etc/gshadow file.
GID
The numerical group ID number
member
List of group members
The format of the /etc/gshadow file is as follows:
groupname:password:admin,admin,...:member,member,...
Where:
groupname
The name of the group
password
The encoded group password.
admin
List of group administrators
member
List of group members
The command gpasswd is used only for adding or removing administrators and members to or from a group. root or someone in the list of administrators may add or remove group members.
The groups password can be changed using the passwd command by root or anyone listed as an administrator for the group.
Despite the fact that there is not currently a manual page for gpasswd, typing gpasswd without any parameters gives a listing of options. It's fairly easy to grasp how it all works once you understand the file formats and the concepts.
Consistency checking programs
pwck
The program pwck is provided to provide a consistency check on the /etc/passwd and /etc/shadow files. It will check each username and verify that it has the following:
- the correct number of fields
- unique user name
- valid user and group identifier
- valid primary group
- valid home directory
- valid login shell
It will also warn of any account that has no password.
It's a good idea to run pwck after installing the Shadow Suite. It's also a good idea to run it periodically, perhaps weekly or monthly. If you use the -r option, you can use cron to run it on a regular basis and have the report mailed to you.
grpck
grpck is the consistency checking program for the /etc/group and /etc/gshadow files. It performs the following checks:
- the correct number of fields
- unique group name
- valid list of members and administrators
It also has the -r option for automated reports.
Dial-up passwords.
Dial-up passwords are another optional line of defense for systems that allow dial-in access. If you have a system that allows many people to connect locally or via a network, but you want to limit who can dial in and connect, then dial-up passwords are for you. To enable dial-up passwords, you must edit the file /etc/login.defs and ensure that DIALUPS_CHECK_ENAB is set to yes.
Two files contain the dial-up information, /etc/dialups which contains the ttys (one per line, with the leading "/dev/" removed). If a tty is listed then dial-up checks are performed.
The second file is the /etc/d_passwd file. This file contains the fully qualified path name of a shell, followed by an optional password.
If a user logs into a line that is listed in /etc/dialups, and his shell is listed in the file /etc/d_passwd he will be allowed access only by suppling the correct password.
Another useful purpose for using dial-up passwords might be to setup a line that only allows a certain type of connect (perhaps a PPP or UUCP connection). If a user tries to get another type of connection (i.e. a list of shells), he must know a password to use the line.
Before you can use the dial-up feature, you must create the files.
The command dpasswd is provided to assign passwords to the shells in the /etc/d_passwd file. See the manual page for more information.
