Shadow passwords

From Hackepedia

Shadow passwords are an extension to storing all account information in the /etc/passwd file. Originally, the encrypted passwords for all accounts were kept in the 2nd field of /etc/passwd. Since this file needs to be world-readable so that programs can look up account information (the username, UID, primary GID, GECOS information, home directory, and user shell), the encrypted passwords were viewable by every local user as well. This provided a very nice known-ciphertext attack vector.

An extension was developed that addressed this insecurity, and added password and account aging abilities as well. All modern *nix distributions support shadow passwords, in addition to the original method.

Aside from re-writing the PAM code, the main userspace change is the addition of /etc/shadow, and several tools for manipulating this file. Unlike /etc/passwd, the /etc/shadow file must not be world-readable (suggested mode is 600). Of course, this means that all programs that read or write this file must either be setuid root or be run by the root user; this includes common "user" programs such as "passwd".

Each line of this file stores one record of the following struct (declared in <shadow.h>):

struct spwd {
    char *sp_namp;       /* user login name */
    char *sp_pwdp;       /* encrypted password */
    long  sp_lstchg;     /* last password change, in days since 1970-01-01 */
    long  sp_min;        /* days after sp_lstchg before a change is allowed */
    long  sp_max;        /* days after sp_lstchg before a change is required */
    long  sp_warn;       /* days before expiration to start warning the user */
    long  sp_inact;      /* days after expiration before the account is inactive */
    long  sp_expire;     /* date the account expires, in days since 1970-01-01 */
    unsigned long sp_flag; /* reserved for future use */
};

The timing of the dates and times stored here can cause some confusion. The following timeline should help show when things occur:

[Figure: Shadow password timeline]

N.B.: The "account expire" date can occur anywhere, including before the password expiration, password last-change, and account inactive dates.
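The timeline above, worked through in code: an added example (not from this page or the shadow suite) that parses the aging fields of two constructed /etc/shadow lines and classifies an account for a given day, with the account-expiry check first so that, as the note says, an expiry date can cut in before the password has even reached its warning window. The sample lines, the hash placeholder and the check ordering are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample lines; hash is a placeholder, day fields count days since 1970-01-01.
 * Fields: name:hash:lstchg:min:max:warn:inact:expire:flag */
static const char ALICE[] = "alice:$6$PLACEHOLDER:19000:7:90:14:30::";      /* no expiry */
static const char BOB[]   = "bob:$6$PLACEHOLDER:19000:7:90:14:30:19050:";  /* expires early */

struct aging { long lstchg, min, max, warn, inact, expire; };  /* -1 = field empty/unset */

/* Parse the six aging fields of one shadow line. Returns 0 on success, -1 if malformed. */
int parse_shadow_aging(const char *line, struct aging *a) {
    long *out[] = { &a->lstchg, &a->min, &a->max, &a->warn, &a->inact, &a->expire };
    const char *p = line;
    for (int f = 0; f < 8; f++) {                 /* fields 0-1: name, hash; 2-7: aging */
        const char *end = strchr(p, ':');
        if (!end) return -1;                      /* every shadow line has >= 8 colons */
        if (f >= 2) *out[f - 2] = (end == p) ? -1 : strtol(p, NULL, 10);
        p = end + 1;
    }
    return 0;
}

/* Classify the account on day `today`. Check order mirrors the timeline: account
 * expiry first (it can fall anywhere), then inactivity, password expiry, warning. */
const char *account_state(const struct aging *a, long today) {
    if (a->expire >= 0 && today >= a->expire) return "account expired";
    if (a->lstchg == 0)                       return "password change forced";
    if (a->max >= 0) {
        long pw_expire = a->lstchg + a->max;
        if (a->inact >= 0 && today >= pw_expire + a->inact) return "account inactive";
        if (today >= pw_expire)                             return "password expired";
        if (a->warn >= 0 && today >= pw_expire - a->warn)   return "password expiring soon";
    }
    return "ok";
}

/* sp_min: the user may not change the password again until lstchg + min. */
int change_allowed(const struct aging *a, long today) {
    return a->min <= 0 || today >= a->lstchg + a->min;
}

int main(void) {
    struct aging a, b;
    if (parse_shadow_aging(ALICE, &a) || parse_shadow_aging(BOB, &b)) return 1;
    for (long d = 19000; d <= 19130; d += 10)   /* walk the timeline in 10-day steps */
        printf("day %ld: alice=%s, change %s; bob=%s\n", d, account_state(&a, d),
               change_allowed(&a, d) ? "allowed" : "denied", account_state(&b, d));
    return 0;
}
```

Real implementations differ in corner cases (for instance how an unset sp_max or sp_lstchg of 0 is treated), so treat the ordering here as an illustration of the timeline rather than a specification.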