Password shadowing is a technique in which /etc/passwd remains readable but no longer contains passwords. Instead, user passwords are stored in /etc/shadow.
Several tools perform shadowing, but the most popular is the Linux Password Shadow Suite (the shadow package), which has been available for several years. However, depending on your distribution and how old it is, you might or might not have it. To find out, examine /etc/passwd. If it contains raw, encrypted passwords in the second field, the shadow package is not installed. In that case, visit your Linux vendor's FTP or Web site now (or check your CD-ROM) and obtain and install the package.
Password Attacks CHAPTER5 157
NOTE: As of this writing, most Linux distributions come with the shadow suite standard (Debian 1.3+, Red Hat 3.0.3+, and Slackware 3.2+). However, depending on the type of installation you performed, you might need to retrieve several shadow utilities from your distribution CD-ROM. Typically, these are in a package named shadow-utils, shadow-m, shadow-misc, or something similar. If you can't immediately ascertain whether these packages are installed, you can use the command rpm -q -a or rpm -q <packagename> to check.

CAUTION: Be sure that you aren't running any legacy software before upgrading to the Shadow Password Suite. Some software expects the old-style system configuration and might be unable to deal with the shadow setup. Additional problems could occur if you're converting a machine on a network using NIS/NFS to use shadow passwords. If you decide to make the switch to the shadow suite, be sure to document your existing setup and review the documentation for any software packages that you currently have installed.

After you've installed the shadow package (and verified that all shadow utilities are present), examine /etc/shadow, the shadow password database. /etc/shadow is the focal point of the shadow suite, so we'll start there.
Linux User Security PART II 158
NOTE: Other shadowing suites for Linux do exist, including Shadow in a Box by Michael Quan, a compilation of utilities for managing all your shadow passwords. The package contains tools for FTP, POP, sudo, and xlock, as well as both a compact and extensive crack library. Shadow in a Box is available at http://metalab.unc.edu/pub/Linux/system/admin/shadow-ina-box-1.2.tgz.

/etc/shadow: The Password Shadow Database
/etc/shadow is a special file that stores not just user passwords but also special rule indicators (covered later in the chapter). Here's a typical /etc/shadow file:
root:lLOTWOUA.YC2o:10713:0::7:7::
bin:*:10713:0::7:7::
daemon:*:10713:0::7:7::
adm:*:10713:0::7:7::
lp:*:10713:0::7:7::
sync:*:10713:0::7:7::
shutdown:*:10713:0::7:7::
halt:*:10713:0::7:7::
mail:*:10713:0::7:7::
news:*:10713:0::7:7::
uucp:*:10713:0::7:7::
operator:*:10713:0::7:7::
games:*:10713:0::7:7::
gopher:*:10713:0::7:7::
ftp:*:10713:0::7:7::
man:*:10713:0::7:7::
majordom:*:10713:0::7:7::
postgres:*:10713:0::7:7::
nobody:*:10713:0::7:7::
bigdave:aNi7cQR3XSTmc:10713:0::7:7::
jackie:7PbiWxVa5Ar9E:10713:0:-1:7:-1:-1:1073897392
In some respects, /etc/shadow resembles /etc/passwd. The file consists of one record per line, and each record is broken into nine colon-delimited fields:
• The username
• The user password
• The number of days since January 1, 1970 that the password was last changed
• The number of days left before the user is permitted to change his password
• The number of days left before the user is forced to change his password
• The number of days in advance that the user is warned that his password must soon be changed
• The number of days left in which a user must change his password before the account is disabled
• The number of days since January 1, 1970 that the account has been disabled
• The last field is reserved
Using these values, the shadow suite implements two new concepts above and beyond basic password database maintenance:
• Password aging—This is when you limit passwords to a finite lifespan, such as 90 days. When this lifespan expires, Linux forces users to create new passwords. When password aging is used in concert with proactive password checking (covered later in the chapter), it greatly enhances your security.
• Automatic account lockout—Merely warning users that they need to change their passwords is unrealistic. Users are lazy and apt to ignore you. The better approach is to lock their accounts if they refuse to cooperate, but doing this manually is time-consuming. With the shadow suite, you needn't bother because lockout happens automatically. (You can specify lockout rules.)
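To make the nine-field layout and the aging and lockout rules concrete, here is an added Python example (not the book's code) that parses shadow records and classifies each account as a shadow-aware login or passwd would. The records alice through dave, the 90/7/14-day rules on them, and the day number 10800 used as "today" in the comments are constructed for illustration; the other records are taken from the listing above.

```python
# Added example (not the book's code): parse the nine colon-delimited fields of an
# /etc/shadow record and classify each account's aging state the way the shadow
# suite's login and passwd would. Day numbers count days since January 1, 1970.
from typing import Dict, Optional
# Records copied from the chapter's listing plus constructed ones (alice..dave)
# that actually exercise aging; the hashes are reused from the listing.
SAMPLE_SHADOW = """\
root:lLOTWOUA.YC2o:10713:0::7:7::
bin:*:10713:0::7:7::
jackie:7PbiWxVa5Ar9E:10713:0:-1:7:-1:-1:1073897392
alice:aNi7cQR3XSTmc:10713:0:90:7:14::
bob:aNi7cQR3XSTmc:10600:0:90:7:14::
carol::10713:0:90:7:14::
dave:aNi7cQR3XSTmc:10713:0:90:7:14:10750:
"""
FIELDS = ("name", "password", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire_day", "reserved")
def _days(field: str) -> Optional[int]:
    """An empty day field or -1 means that rule is not set."""
    return None if field in ("", "-1") else int(field)
def parse_shadow(text: str) -> Dict[str, dict]:
    """Return {username: record}; the six day fields become int or None."""
    records = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:                 # pwck would flag such a line
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        rec = dict(zip(FIELDS, f[:2] + [_days(x) for x in f[2:8]] + f[8:]))
        records[rec["name"]] = rec
    return records

def password_state(r: dict, today: int) -> str:
    """no password | locked | account expired | disabled | must change | warning | ok"""
    if r["password"] == "":
        return "no password"            # password-less login: fix immediately
    if r["password"][0] in "*!":
        return "locked"
    if r["expire_day"] is not None and today >= r["expire_day"]:
        return "account expired"
    if r["max_days"] is None or r["last_change"] is None:
        return "ok"                     # no lifespan set, so aging is not enforced
    age = today - r["last_change"]
    if age > r["max_days"]:
        if r["inactive_days"] is not None and age > r["max_days"] + r["inactive_days"]:
            return "disabled"           # automatic lockout after the grace period
        return "must change"            # login forces a new password
    if r["warn_days"] is not None and age >= r["max_days"] - r["warn_days"]:
        return "warning"
    return "ok"
```

With today = 10800, alice (87 days since her change, 7-day warning before a 90-day limit) is in the warning window, bob is past the 90 + 14-day grace period and therefore disabled, and carol's empty password field is the one finding that needs fixing before anything else.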
The shadow suite consists of multiple utilities for user, group, and password management. These tools and their functions are summarized in Table 5.4.
TABLE 5.4 shadow Suite Utilities and Their Functions

Utility   Function
chage     A native shadow suite command. Use chage to change user password expiration information, such as the number of days between password changes and the date when the password was last changed.
chfn      A shadow suite replacement for Linux's standard chfn utility. chfn allows users to change their finger information (for example, their real names).
chsh      A shadow suite replacement for Linux's standard chsh command. chsh is a utility that allows users to change their default shell.
gpasswd   A native shadow suite command. Use it to add new users to a group.
groupadd  A native shadow suite command. Use it to add a new group.
groupdel  A native shadow suite command. Use it to delete a group.
groupmod  A native shadow suite command. Use it to modify group information.
grpck     A native shadow suite command. Use it to perform field verification and synching between /etc/group and /etc/gshadow. Compare with pwck, which verifies /etc/passwd against /etc/shadow.
id        A shadow suite replacement for Linux's standard id command. id is a utility that displays your current UID (user ID) and related information.
login     A shadow suite replacement for Linux's standard login. When a user logs in, login must interact with the password database. The shadow suite database is structured differently, and therefore a replacement login is needed.
newgrp    A shadow suite replacement for Linux's standard newgrp command. Users can change from one group to another (during the same session, without logging in again) using the newgrp command.
passwd    A shadow suite replacement for Linux's standard passwd command. passwd is for creating new user passwords or changing existing ones. The shadow suite database is structured differently, and therefore a replacement passwd is needed.
pwck      A native shadow suite command. Use it to perform field verification and synching between /etc/shadow and /etc/passwd. Compare with grpck, which verifies group information.
pwconv    A native shadow suite command. Use it to merge old /etc/passwd records into a new shadow database.
pwunconv  A native shadow suite command. Use it to separate /etc/shadow information and convert it back to /etc/passwd format.
su        A shadow suite replacement for Linux's standard su. The su command allows you to run a shell with UIDs and GIDs other than your own, providing you know the correct password. This is useful for granting ordinary users marginal (or full) administrative rights.
userdel   A native shadow suite command. Use it to delete users (userdel -r jsprat). This command will delete user jsprat and his home directory.
usermod   A native shadow suite command. Use it to change a user's information (his shell, his password's expiration time, and so forth).
Let's look at the more essential shadow suite tools and the tasks they perform.