Chapter 6. Managing User Accounts and Resource Access
This line shows that the root user has a shadow password, as well as a UID and GID of 0. The root user has /root/ as a home directory, and uses /bin/bash for a shell.

For more information about /etc/passwd, see the passwd(5) man page.
6.3.2.2. /etc/shadow
Because the /etc/passwd file must be world readable (the main reason being that this file is used to perform the translation from UID to username), there is a risk involved in storing everyone's password in /etc/passwd. True, the passwords are encrypted. However, it is possible to perform attacks against passwords if the encrypted password is available.
If a copy of /etc/passwd can be obtained by an attacker, an attack that can be carried out in secret becomes possible. Instead of risking detection by having to attempt an actual login with every potential password generated by a password cracker, an attacker can use a password cracker in the following manner:

- A password cracker generates potential passwords
- Each potential password is then encrypted using the same algorithm as the system
- The encrypted potential password is then compared against the encrypted passwords in /etc/passwd

The most dangerous aspect of this attack is that it can take place on a system far removed from your organization. Because of this, the attacker can use the highest performance hardware available, making it possible to go through massive numbers of passwords very quickly.
Therefore, the /etc/shadow file is readable only by the root user and contains the password (and optional password aging information) for each user. As in the /etc/passwd file, each user's information is on a separate line. Each of these lines is a colon delimited list including the following information:
Username - The name the user types when logging into the system. This allows the login application to retrieve the user's password (and related information).

Encrypted password - The 13 to 24 character password. The password is encrypted using either the crypt(3) library function or the md5 hash algorithm. In this field, values other than a validly formatted encrypted or hashed password are used to control user logins and to show the password status. For example, if the value is ! or *, the account is locked and the user is not allowed to log in. If the value is !!, a password has never been set before (and the user, not having set a password, will not be able to log in).

Date password last changed - The number of days since January 1, 1970 (also called the epoch) that the password was last changed. This information is used in conjunction with the password aging fields that follow.

Number of days before password can be changed - The minimum number of days that must pass before the password can be changed.

Number of days before a password change is required - The number of days that must pass before the password must be changed.

Number of days warning before password change - The number of days before password expiration during which the user is warned of the impending expiration.

Number of days before the account is disabled - The number of days after a password expires before the account will be disabled.

Date since the account has been disabled - The date (stored as the number of days since the epoch) since the user account has been disabled.

A reserved field - A field that is ignored in Red Hat Linux.
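The following is an added example, not part of the original text: a small Python audit helper that parses lines in the /etc/shadow format described above, classifies the password field (locked, never set, crypt(3) or md5), and applies the aging fields for a given day count. The sample lines and hash values are constructed placeholders, not taken from a real system.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in /etc/shadow format; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:12345:0:99999:7:::
alice:ABCDEFGHIJKLM:12000:1:90:7:14::
bob:!!:12300:0:99999:7:::
svc:*:12100:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    user: str
    password: str
    last_change: Optional[int]    # days since the epoch the password was last changed
    min_days: Optional[int]       # days before the password can be changed again
    max_days: Optional[int]       # days before a password change is required
    warn_days: Optional[int]      # days of warning before the password expires
    inactive_days: Optional[int]  # days after expiry before the account is disabled
    expire_date: Optional[int]    # days since the epoch, or None if unset

def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None

def parse_shadow(text: str) -> List[ShadowEntry]:
    """Split each line on ':' into the nine fields; the last (reserved) field is ignored."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(ShadowEntry(f[0], f[1], *[_int_or_none(x) for x in f[2:8]]))
    return entries

def password_status(entry: ShadowEntry) -> str:
    """Classify the password field using the special values described in the text."""
    pw = entry.password
    if pw in ("!", "*"):
        return "locked"
    if pw == "!!":
        return "never-set"
    if pw.startswith("$1$"):      # md5-based hash
        return "md5"
    if len(pw) == 13:             # traditional crypt(3) DES hash
        return "crypt"
    return "invalid"

def aging_status(entry: ShadowEntry, today: int) -> str:
    """Evaluate the aging fields for 'today' given as days since the epoch."""
    if entry.expire_date is not None and today >= entry.expire_date:
        return "account-disabled"
    if entry.last_change is None or entry.max_days is None:
        return "ok"               # no forced password change configured
    days_left = entry.last_change + entry.max_days - today
    if days_left < 0:
        if entry.inactive_days is not None and -days_left > entry.inactive_days:
            return "account-disabled"
        return "password-expired"
    if entry.warn_days is not None and days_left <= entry.warn_days:
        return "warn"
    return "ok"
```

Run it against a copy of a real /etc/shadow only as root, since the file is readable by no one else.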