Книга: Fedora™ Unleashed, 2008 edition
Shadow Passwords
Shadow Passwords
It is considered a security risk to keep any password in /etc/passwd
because anyone with read access can run a cracking program on the file and obtain the passwords with little trouble. To avoid this risk, shadow passwords are used so that only an x appears in the password field of /etc/passwd
; the real passwords are kept in /etc/shadow
, a file that can be read by only the sysadmin (and PAM, the Pluggable Authentication Modules authentication manager; see the "PAM Explained" sidebar for an explanation of PAM).
Special versions of the traditional password
and login
programs must be used to enable shadow passwords. Shadow passwords are automatically enabled during the installation phase of the operating system on Fedora systems.
Let's examine a listing of the shadow companion to /etc/passwd
, the /etc/shadow
file:
# cat /etc/shadow
root:*:13121:0:99999:7:::
daemon:*:13121:0:99999:7:::
bin:*:13121:0:99999:7:::
sys:*:13121:0:99999:7:::
sync:*:13121:0:99999:7:::
games:*:13121:0:99999:7:::
man:*:13121:0:99999:7:::
...
andrew:$1$z/9LTBHL$omt7QdYk.KJL7rwBiM0511:13121:0:99999:7:::
The fields are separated by colons and are, in order, the following:
? The user's login name.
? The encrypted password for the user.
? When the password was last changed, measured in the number of days since January 1, 1970. This date is known in UNIX circles as the epoch. Just so you know, the billionth second since the epoch occurred was in September 2001; that was the UNIX version of Y2K — not much happened because of it.
? The number of days before the password can be changed (prevents changing a password and then changing it back to the old password right away — a dangerous security practice).
? The number of days after which the password must be changed. This can be set to force the change of a newly issued password known to the system administrator.
? The number of days before password expiration that the user is warned it will expire.
? The number of days after the password expires that the account is disabled (for security).
? The number of days since January 1, 1970 that the account has been disabled.
? The final field is a "reserved" field and is not currently allocated for any use.
Note that password expiration dates and warnings are disabled by default in Fedora. These features are not used on home systems and usually not used for small offices. It is the sysadmin's responsibility to establish and enforce password expiration policies.
The permissions on the /etc/shadow
file should be set so that it is not writable or read able by regular users: The permissions should be 600
.
PAM Explained
Pluggable Authentication Modules (PAM) is a system of libraries that handle the tasks of authentication on your computer. It uses four management groups: account management, authentication management, password management, and session management. This allows the system administrator to choose how individual applications will authenticate users. Fedora has preinstalled and preconfigured all the necessary PAM files for you.
The configuration files in Fedora are found in /etc/pam.d
. These files are named for the service they control, and the format is as follows:
type control module-path module-arguments
The type
field is the management group to which the rule corresponds. The control
field tells PAM what to do if authentication fails. The final two items deal with the PAM module used and any arguments it needs. Programs that use PAM typically come pack aged with appropriate entries for the /etc/pam.d
directory. To achieve greater security, the system administrator can modify the default entries. Misconfiguration can have unpredictable results, so back up the configuration files before you modify them. The defaults provided by Fedora are adequate for home and small office users.
An example of a PAM configuration file with the formatted entries as described previously is shown next. Here are the contents of /etc/pam.d/system-config-users
:
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
Amusingly, even the PAM documents state that you do not really need (or want) to know a lot about PAM to use it effectively.
You will likely need only the PAM system administrator's guide. Look under the /usr/share/doc/pam*
directory for additional documents in PostScript, text, and HTML formats.