Usage
On a system without shadowed passwords (typically older Unix systems dating from before 1990 or so), the passwd file holds the following user information for each user account:
- Username
- Salt combined with the current hash of the user's password (usually produced from a cryptographic hash function)
- Password expiration information
- User ID (UID)
- Default group ID (GID)
- Full name
- Home directory path
- Login shell
The passwd file is readable by all users so that the name service switch can work (e.g., to ensure that user names are shown when a user lists the contents of a folder), but only the root user can write to it. This means that an attacker with unprivileged access to the system can obtain the hashed form of every user's password. Those values can be used to mount a brute-force attack offline, testing candidate passwords against the hashes relatively quickly without alerting the system security arrangements designed to detect an abnormal number of failed login attempts. Users often select passwords that are vulnerable to such password cracking techniques.
With a shadowed password scheme in use, the /etc/passwd file typically shows a character such as '*' or 'x' in the password field for each user instead of the hashed password, and /etc/shadow usually contains the following user information:
- User login name
- Salt and hashed password, or a status exception value, e.g.:
  - "$id$salt$hashed", where "$id" is the algorithm used (on GNU/Linux, "$1$" stands for MD5, "$2$" is Blowfish, "$5$" is SHA-256 and "$6$" is SHA-512; see the crypt(3) manpage. Other Unix systems may use different values, e.g. NetBSD.)
  - "NP" or "!" or null: no password, the account has no password.
  - "LK" or "*": the account is locked, the user will be unable to log in.
  - "!!": the password has expired.
- Days since epoch of last password change
- Days until change allowed
- Days before change required
- Days warning for expiration
- Days before account inactive
- Days since epoch when account expires
- Reserved
The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical to the order of the corresponding users in the password file.
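As an added example (not code from the original article), a small Python parser for the shadow format just described: it splits the nine colon-separated fields, classifies the password field into the hashed and status-exception cases listed above, and uses the day-count fields to tell whether a password change is overdue. The sample lines and the ALGORITHMS table are constructed for this example; the hash strings are placeholders.

```python
from datetime import date

# Constructed sample /etc/shadow content for this example (not from any real
# system); the hash portions are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$rounds1salt$PLACEHOLDERSHA512HASH:19000:0:99999:7:::
alice:$1$oldsalt$PLACEHOLDERMD5HASH:18500:1:90:14:30:19500:
bob:*:18000:0:99999:7:::
carol:!!:18000:0:99999:7:::
daemon:NP:18000:0:99999:7:::
"""

# "$id$" values as listed for GNU/Linux crypt(3); other Unix systems differ.
ALGORITHMS = {"1": "MD5", "2": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
FIELDS = ("name", "password", "last_change", "min_days", "max_days", "warn_days", "inactive_days", "expire_day", "reserved")

def classify_password_field(field):
    """Map the second shadow field to (status, algorithm, salt)."""
    if field in ("", "NP", "!"):
        return "no-password", None, None
    if field in ("*", "LK"):
        return "locked", None, None
    if field == "!!":
        return "expired", None, None
    parts = field.split("$")  # "$id$salt$hash" -> ["", id, salt, hash]; a "rounds=N" element may precede the salt
    if field.startswith("$") and len(parts) >= 4:
        return "hashed", ALGORITHMS.get(parts[1], "unknown-" + parts[1]), parts[-2]
    return "unknown", None, None

def parse_shadow(text):
    """Parse shadow lines (nine colon-separated fields, one user per line)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(":")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        entry = dict(zip(FIELDS, values))
        for key in FIELDS[2:8]:  # day-count fields: integer or empty (unset)
            entry[key] = int(entry[key]) if entry[key] else None
        entry["status"], entry["algorithm"], entry["salt"] = classify_password_field(entry["password"])
        entries.append(entry)
    return entries

def password_change_due(entry, today_iso):
    """True when last change + max age falls before today (ISO date string)."""
    if entry["status"] != "hashed" or entry["last_change"] is None or entry["max_days"] is None:
        return False
    today_days = (date.fromisoformat(today_iso) - date(1970, 1, 1)).days
    return entry["last_change"] + entry["max_days"] < today_days
```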
To modify the contents of the shadow file on most systems, users generally invoke the passwd program, which in turn largely depends on PAM. For example, the type of hash used is dictated by the configuration of the pam_unix.so module. Historically the MD5 hash was used by default, while current modules are also capable of stronger hashes such as Blowfish, SHA-256 and SHA-512.