| Shadow Password |
Article Index for Shadow |
Website Links For Shadow |
Information AboutShadow Password |
| CATEGORIES ABOUT SHADOW PASSWORD | |
| unix | |
| authentication methods | |
|
On a system without shadowed passwords, /etc/passwd holds the following user information:
The file is world-readable (meaning that all users can read it), but only writeable by Root . This means that an attacker can obtain the hashed form of the user's password. The hashed password is useful to an attacker because it allows a relatively fast way to test guessed passwords. Once the hashed password is obtained, an attacker can mount a Brute Force Attack offline, without alerting system security modules designed to detect some number of failed Login attempts. Most users select passwords that are vulnerable to such Password Cracking techniques. Shadowing passwords stores users' hashed passwords in a different file, usually /etc/shadow on Linux systems, or /etc/master.passwd on BSD systems, which can be read only by root. Virtually all modern Linux Distribution s use shadowed passwords. This makes stealing passwords more difficult, as root access is required to find the hashed password. This was considered sufficient protection because a user with root permissions can find this or any data by other means, as he or she can examine the entire system, and could even subvert the Passwd program to capture plaintext passwords. Unfortunately, some network authentication schemes operate by transmitting the encrypted password over the network, often making the data vulnerable to interception. Additionally, alternate copies of system data, such as system backups written to tape or optical media, become an alternate means for illicitly obtaining hashed passwords.
On a system with shadowed passwords, /etc/shadow holds the following user information:
While the hashed password is the most important information in the shadow file, the file usually contains other fields as well, such as the last time the password was changed, when the password will expire, whether the account is disabled, etc. The format of the shadow file is simple and is basically identical to that of the password file: one line per user, ordered fields on each line, and fields separated by colons. Many systems specify that the order of user lines in the shadow file should be identical to the order of the corresponding users in the password file. The contents of the file is mostly determined by the passwd program, which in turn is largely dependent on PAM . For example the type of hash used is dictated by the configuration of the pam_unix.so module. By default this the MD5 hash is used, while the newer pam_unix2.so is also capable of stronger hashes, like Blowfish . HISTORY Password shadowing was introduced in UNIX systems with the release of System V Release 3.2 and BSD4.3 Reno. Vendors which had performed ports from earlier UNIX releases did not include the new password shadowing features, leaving users of those systems exposed to password file attacks. In 1987 the author of the original Linux ''Shadow Password Suite'', Julie Haugh, experienced a computer breakin and wrote the initial release of the ''Shadow Suite'' containing just the login, '''passwd''' and '''su''' commands. The original release was written for the SCO Xenix operating system, but was quickly ported to other platforms. The ''Shadow Suite'' was ported to Linux in 1992 and became a part of many early distributions. SEE ALSO |
|
|