Password shadowing hides the hashed passwords (the "encrypted" passwords, in traditional Unix terminology) from ordinary users, making dictionary attacks much harder. The file /etc/passwd still exists, but another file named /etc/shadow is created. This file contains the hashed form of every password on the system and is readable only by root. Password shadowing is now considered essential for password security, so most current Linux distributions implement it by default. Hiding the hashes from view is the single most important step you can take against dictionary attacks, because an attacker who cannot read the hashes has nothing to run a cracker against. An attacker who does obtain a copy of /etc/shadow, from a backup or after compromising root, can still try, so shadowing complements strong passwords rather than replacing them.
This part of the chapter describes password shadowing and demonstrates how to convert from unshadowed passwords to shadowed passwords.
Shadow Passwords Explained
If shadowing is used, the contents of /etc/passwd would resemble the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
postgres:x:40:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash
jdoe:x:500:500:John Doe:/home/jdoe:/bin/bash
student:x:501:100::/home/student:/bin/bash
Note that the password field is now simply "x", which is a placeholder, not a hash. The contents of /etc/shadow are shown below:
root:a1eGVpwjgvHGg:11013:0:99999:7:-1:-1:134549444
bin:*:11012:0:99999:7:::
daemon:*:11012:0:99999:7:::
adm:*:11012:0:99999:7:::
lp:*:11012:0:99999:7:::
mail:*:11012:0:99999:7:::
news:*:11012:0:99999:7:::
uucp:*:11012:0:99999:7:::
operator:*:11012:0:99999:7:::
gopher:*:11012:0:99999:7:::
ftp:*:11012:0:99999:7:::
nobody:*:11012:0:99999:7:::
xfs:!!:11012:0:99999:7:::
gdm:!!:11012:0:99999:7:::
postgres:!!:11012:0:99999:7:::
jdoe:2bTlcMw8zeSdw:11195:0:99999:7:-1:-1:134549452
student:9d9WE322:11195:0:99999:7:-1:-1:134549452
The fields in /etc/shadow are, in order,
▼ Username
■ Hashed password; "*" or a value beginning with "!" matches no password and locks the account out of password login
■ Number of days since January 1, 1970, that the password was last changed (0 forces a change at the next login)
■ Minimum number of days that must pass after a change before the user may change her password again
■ Maximum number of days the password is valid before the user must change it (99999 means it never expires)
■ Number of days before expiry that the user is warned that she must change her password
■ Number of days after the password expires during which the user may still log in and change it; after that the account is disabled
■ Number of days since January 1, 1970, after which the account itself is disabled (empty means never)
▲ A reserved field
To show that /etc/shadow is readable only by root:
[jdoe@machine1 jdoe]$ ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 842 Sep 12 16:24 /etc/passwd
-r-------- 1 root root 759 Sep 12 16:24 /etc/shadow
As you can see, /etc/shadow not only hides the password hashes from unauthorized viewing, making a dictionary attack very difficult, but it also holds the aging information used to maintain passwords. Some distributions instead give the file mode 640 and a dedicated shadow group, so that privileged programs that verify passwords can read it without running as root; either way, the file must never be readable by others.
In today’s hostile networking environment, password shadowing is essential, and most Linux distributions support shadowing. If your current Linux machine does not have shadowing implemented, you should convert to shadowing now.
Enabling Shadow Passwords
Enabling password shadowing is merely a matter of running a few system programs already installed on your Linux machine. The following steps describe how to convert a machine that does not implement shadow passwords to one that does.
Pwck—Check Integrity of /etc/passwd
First, run pwck to verify the integrity of /etc/passwd. Each entry in /etc/passwd is checked to see if it follows the proper format and has valid data in each field. The pwck program verifies
▼ The correct number of fields
■ A unique username
■ A valid user and group identifier
■ A valid primary group
■ A valid home directory
▲ A valid login shell
[root@machine1 /root]# pwck
user adm: directory /var/adm does not exist
user gopher: directory /usr/lib/gopher-data does not exist
user gdm: directory /home/gdm does not exist
pwck: no changes
Pwconv—Convert to Password Shadowing
Next, run pwconv to convert to shadowed passwords. It creates /etc/shadow from the existing /etc/passwd and, if a shadow file already exists, merges the two: each hash is moved out of /etc/passwd into /etc/shadow and replaced with "x".
[root@machine1 /root]# pwconv
Congratulations. You now have password shadowing and have gone a long way in making your Linux passwords more secure.
Verify that the conversion succeeded by checking /etc/passwd: every password field should now read "x". Even after conversion it is possible to add an unshadowed account by editing /etc/passwd by hand (useradd and passwd write to /etc/shadow, but a direct edit does not), so periodically check /etc/passwd for any password field other than "x". Running pwconv again moves such a hash into /etc/shadow.
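A check of the conversion, as an added example that is not part of the original chapter or of the shadow suite: the script below reports passwd entries that still carry a hash, entries marked "x" that have no matching line in shadow, and a shadow file readable by anyone other than root (or, for distributions that use one, its shadow group). It runs against constructed copies in a temporary directory so it can be tried without root; pass /etc/passwd and /etc/shadow to the functions (or call them with no arguments) to audit a real system.

```shell
#!/bin/sh
# Added example (not from the chapter): verify that password shadowing is complete.

# Accounts whose passwd field is anything other than "x" (shadowed) or a
# locked marker ("*" or "!..."), i.e. a hash still sitting in /etc/passwd.
find_unshadowed() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "${1:-/etc/passwd}"
}

# Accounts marked "x" in passwd with no matching line in shadow: they cannot
# log in by password at all (running pwconv re-creates the missing lines).
find_missing_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } $2 == "x" && !($1 in seen) { print $1 }' \
        "${2:-/etc/shadow}" "${1:-/etc/passwd}"
}

# Succeeds only if the shadow file has no permission bits for "others" and at
# most read for its group (mode 600 as shown above, or 640 with a shadow group).
check_shadow_mode() {
    perms=$(ls -l "${1:-/etc/shadow}" | cut -c2-10)
    case $perms in
        r--------|rw-------|r--r-----|rw-r-----) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not a real system): "legacy" was added by hand and
# keeps its hash in passwd; "jdoe" is marked "x" but has no shadow line.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
jdoe:x:500:500:John Doe:/home/jdoe:/bin/bash
legacy:2bTlcMw8zeSdw:502:502:Added by hand:/home/legacy:/bin/bash
svc:!:503:503::/var/svc:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:a1eGVpwjgvHGg:11013:0:99999:7:-1:-1:134549444
bin:*:11012:0:99999:7:::
legacy:*:11012:0:99999:7:::
EOF
    chmod 600 "$1/shadow"
}

dir=$(mktemp -d)
make_sample "$dir"
echo "hash still in passwd: $(find_unshadowed "$dir/passwd")"
echo "no shadow line:       $(find_missing_shadow "$dir/passwd" "$dir/shadow")"
check_shadow_mode "$dir/shadow" && echo "shadow mode ok" || echo "shadow mode too open"
rm -r "$dir"
```

The permission test reads the mode from ls -l rather than stat so that it works on any Unix; a "+" or "." after the mode (ACLs, SELinux) falls outside the cut range and is ignored.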
Pwunconv—Remove Shadowing
If it becomes necessary, pwunconv reverses the process: it writes the hashes from /etc/shadow back into /etc/passwd and removes /etc/shadow, and with it the password aging information. But it shouldn't be necessary, should it?
Shadow Passwords Command Suite
The shadow suite also provides a group of tools for maintaining your passwords.
The Chage Command
The most important command in the shadow suite is chage. It changes the information the system uses to determine when a user must change his password. To force a user to change his password after a specific number of days, use the -M option; to display a user's current aging settings, run chage -l user. Setting the last-change date to zero (chage -d 0 user) forces a change at the next login.
chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive]
[-E expiredate] [-W warndays] user
▼ mindays Minimum number of days between password changes
■ maxdays Maximum number of days during which a password is valid
■ lastday Number of days since January 1, 1970, when the password was last changed
■ inactive Number of days of inactivity after a password has expired before the account is disabled
■ expiredate Date when the user’s account is disabled
▲ warndays Number of days of warning before a password change is required
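The aging fields of /etc/shadow described earlier, and the limits chage places on them, can be evaluated the way login does at each authentication. The following shell script is an added example, not code from the original chapter or from the shadow suite: shadow_state reports the state of one shadow entry for a given day number (days since January 1, 1970, the unit the file uses), and set_aging rewrites fields 3 to 7 of an entry the way chage -d, -m, -M, -W and -I would, so the effect of a policy can be seen without root. The entries are copied from the listing above; the day numbers chosen for the demonstration are assumptions.

```shell
#!/bin/sh
# Added example (not from the chapter): evaluate shadow(5) aging fields.
# Field layout: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn,
#               7 inactive, 8 account expiry, 9 reserved (days since 1970-01-01).

# shadow_state ENTRY TODAY -> prints one of:
#   account-expired, locked, no-password, must-change, inactive, expired,
#   warn:N (N days left), valid
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        t = today + 0
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # Field 8: the whole account is disabled on or after this day.
        if (expire != "" && expire != "-1" && t >= expire + 0) { print "account-expired"; exit }
        # "*" or anything starting with "!" can never match a typed password.
        if (hash == "*" || hash ~ /^!/) { print "locked"; exit }
        if (hash == "") { print "no-password"; exit }
        # Field 3 == 0 is the chage -d 0 case: a change is required at next login.
        if (last + 0 == 0) { print "must-change"; exit }
        # Field 5 empty or 99999: the password never ages out.
        if (max == "" || max + 0 >= 99999) { print "valid"; exit }
        due = last + max
        if (t >= due) {
            # Field 7: grace period after expiry, then the account is disabled.
            if (inact != "" && inact != "-1" && t >= due + inact) { print "inactive"; exit }
            print "expired"; exit
        }
        # Field 6: start warning this many days before the due date.
        if (warn != "" && warn != "-1" && t >= due - warn) { print "warn:" (due - t); exit }
        print "valid"
    }'
}

# set_aging ENTRY LASTCHG MIN MAX WARN INACTIVE -> the entry with fields 3-7
# rewritten, mirroring chage -d -m -M -W -I (chage itself edits /etc/shadow as root).
set_aging() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v last="$2" -v min="$3" -v max="$4" \
        -v warn="$5" -v inact="$6" '{ $3 = last; $4 = min; $5 = max; $6 = warn; $7 = inact; print }'
}

# Demonstration with entries from the listing above. Day 11300 is an assumed
# "today", about 105 days after jdoe last changed the password.
jdoe='jdoe:2bTlcMw8zeSdw:11195:0:99999:7:-1:-1:134549452'
echo "as listed:          $(shadow_state "$jdoe" 11300)"
aged=$(set_aging "$jdoe" 11195 7 90 14 3)
echo "with 90-day maximum: $(shadow_state "$aged" 11300)"
echo "bin:                 $(shadow_state 'bin:*:11012:0:99999:7:::' 11300)"
```

With the listed values (maximum 99999) jdoe's password is valid forever; after a chage-style policy of -m 7 -M 90 -W 14 -I 3 the same entry is reported as inactive on day 11300, because the 90-day limit ran out on day 11285 and the 3-day grace period ended on day 11288.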
Other Helpful Shadow Commands
There are many other commands in the shadow suite. Here is a summary of some of the most commonly used commands. For more information, look at the man pages.
▼ gpasswd Administer /etc/group and /etc/gshadow: set or remove a group password and add or remove group members.
■ groupadd Create a new group.
■ groupdel Delete a group.
■ groupmod Modify group information.
■ passwd Replacement for the original passwd program that writes to /etc/shadow.
■ useradd Add a new user.
■ userdel Delete a user.
▲ usermod Modify a user’s information.