City College of San Francisco - CS260A
Unix/Linux System Administration
Module: Users and Authentication
Due to the ability of fast computers to "crack" encrypted passwords given sufficient time, passwords today are typically stored in a file that is not world-readable, called the shadow file. Besides stronger encryption and restricted access, the shadow package used on Linux provides password and account aging and expiration parameters. These allow the specification of
These parameters default to "the password never has to be changed and the account never expires". The parameters for a particular password can be altered using the program chage(1). See shadow(5) for the syntax of the shadow file.
The encrypted password stored in the shadow file can be generated using two algorithms: MD5 and SHA. In addition, SHA has two variations: 256 and the longer 512. Currently, Linux passwords are encrypted with SHA-512. You can generate an encrypted password at the command line using grub-crypt with one of the options --md5, --sha256 or --sha512. If you cut and paste the [correctly encrypted] password into /etc/shadow, you change the password. Alternatively, the encrypted password can be used as an option to useradd when creating an account. (Since encrypted passwords are 'salted', two encrypted passwords generated from the same actual password will be the same only if the salt is the same.)
The password encryption algorithm currently used on the system
may be found in
/etc/sysconfig/authconfig in the variable PASSWDALGORITHM. You must use the encryption algorithm
indicated there for the password generated by grub-crypt.
Otherwise the password will not work.
When an account is created without setting a password, the passwd file is marked to indicate that the shadow file is being used, and the shadow file contains !! in the password field to indicate that the password has not been set. (Any password in the shadow file that starts with ! is locked. An option of passwd will lock a password, disabling the account, as we will see.)
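The shadow-file conventions described above (algorithm, the ! and !! markers, and the aging fields) can be checked with a short audit script. This is an added example, not part of the original course page. The function names audit_line and needs_attention are hypothetical, the $1$/$5$/$6$ prefixes are the crypt(3) identifiers for MD5, SHA-256 and SHA-512, and treating a maximum age of 99999 as "never" is an assumption based on the common default.

```python
from datetime import date, timedelta

# crypt(3) scheme ids that prefix the password field, e.g. "$6$salt$hash".
SCHEMES = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}

def audit_line(line):
    """Summarise one shadow(5) line as a dict."""
    # name:password:lastchg:min:max:warn:inactive:expire:reserved
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow entries have 9 colon-separated fields")
    user, pw, max_days, expire = fields[0], fields[1], fields[4], fields[7]
    if pw == "":
        state = "empty"      # no password is needed to log in
    elif pw == "!!":
        state = "unset"      # account created, password never set
    elif pw.startswith("!"):
        state = "locked"     # locked, e.g. by the passwd lock option
    elif pw.startswith("$"):
        state = "set"
    else:
        state = "disabled"   # "*" or another string that is not a hash
    digest = pw.lstrip("!")  # a locked entry keeps its hash after the "!"
    scheme = "-"
    if digest.startswith("$"):
        scheme = SCHEMES.get(digest.split("$")[1], "unknown")
    return {
        "user": user, "state": state, "scheme": scheme,
        # Assumption: empty or 99999 means the password never has to change.
        "max_days": None if max_days in ("", "99999") else int(max_days),
        # Expiry is stored as days since 1970-01-01; empty means never.
        "expires": date(1970, 1, 1) + timedelta(days=int(expire)) if expire else None,
    }

def needs_attention(e):
    """Usable accounts with no password at all, or with an MD5 hash."""
    return e["state"] == "empty" or (e["state"], e["scheme"]) == ("set", "MD5")

# Constructed sample lines; salts and hashes are placeholders, not real digests.
SAMPLE = """\
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:90:7::19723:
bob:$1$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
carol:!!:19500:0:99999:7:::
dave:!$6$saltsalt$PLACEHOLDERHASH:19400:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in map(audit_line, SAMPLE.splitlines()):
        print(e, "<-- review" if needs_attention(e) else "")
```

On a real system the input would be the lines of /etc/shadow, which only root can read.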
With the propagation of "logins" on the Internet today, many users are faced with an ever-increasing number of passwords to remember. Self-preservation forces the adoption of one or more bad habits to deal with this:
As the system administrator, you are responsible for the integrity of your system. This means you must not only adopt a reasonable procedure for that most important of all passwords, the root password, but you must encourage good habits in other users. Although the passwd program enforces some basic restrictions such as minimum length and different types of characters and can be configured to use cracklib to test passwords against permutations of dictionary words, this is only a beginning. (Whether your system uses cracklib to check passwords or not and the type of password encryption used are indicated by configuration parameters in /etc/sysconfig/authconfig).
There are several conflicting issues when choosing a password-generation scheme:
One scheme that has been relatively successful is the "memorable phrase" method. Here, a memorable phrase is constructed and a password created from some regular permutation of the characters, replacing some characters with numbers, adding punctuation, and perhaps switching case. For example, given the memorable phrase
passwords are not fun to change!
you could easily derive the password pRnf2c! Add a little extra complexity such as reversing letters, alternating case, or alternating which letter of the words is selected for inclusion in the final password and you have a reasonable scheme.
The counter to this scheme is that some password-cracking programs using a brute-force method will actually cycle through all possible combinations of a certain number of letters. Believers of this argument recommend that passwords be longer, say a minimum of a dozen letters. This line of thinking advocates longer passwords that are memorable phrases, perhaps with some misspellings. Assuming the only access to your system is via ssh and that hackers cannot access your encrypted passwords, it is doubtful that a brute-force attack would succeed in a workable amount of time. Most ssh variants only allow a few password attempts per connection, and initiating the connection is time-consuming. Even if no limits were imposed on the number of incorrect password attempts tried and no sys admin noticed the large number of attempts, how many attempts could be made in a day?
Whatever scheme you adopt, you, as the system administrator, must have a recommendation when asked, or when you discover a user password scribbled on the front of a notebook or taped to the front of a computer, as well as needing a reasonable scheme yourself. You're going to feel pretty silly if a user asks you how you remember passwords and you must admit the root password is some permutation of 'secret'.
One last issue to consider: Forcing users to change their password has become a standard procedure on Unix systems. Unfortunately, it has two major consequences:
One of the responsibilities of the Administrator is fixing passwords as well as locking and disabling accounts. We have all used the passwd program, but there are a few options that are noteworthy for aiding in these duties:
passwd will refuse to accept simple passwords for normal users, but not for the administrator. This is helpful when creating a temporary account for testing purposes. Just remember to delete the account when you are done.
passwd has three options available only for the administrator:
Preview question: Answer the following questions about the group file on your system: How many groups are there? Can you tell the difference between groups that are 'system groups' and groups that are 'user groups'? Which of them are you a member of? Are you listed as a member of each of your groups in the group file?