What is the purpose of /etc/shadow and shadow cache files in the Linux operating system?
What is the purpose of the /etc/shadow file in the Linux operating system? Also, is it the same for SUSE clients? There is one shadow cache file that is maintained; what is the purpose of that?
From the beginning, Unix and Unix-style operating systems (including Linux) have always stored passwords as cryptographic hashes (1). These hashes were originally stored in /etc/passwd , but this file needed to be world-readable to make the information available for other purposes — even a simple ls -l needs to read /etc/passwd in order to convert each file owner’s numeric user id to their username for display. However, having the hashed passwords in a world-readable file allowed malicious users to easily obtain those hashes and attempt to generate usable passwords(2) for other users’ accounts.
To prevent this, the hashed passwords were eventually moved into a file readable only by root (and occasionally a privileged group of administrators), /etc/shadow . This hides the hashes from normal users of the system while keeping them available for user authentication purposes.
- Pedantic, I know, but the stored passwords are not encrypted. They are hashed using a cryptographically-secure (at least as of the time it was written) hashing algorithm. The primary distinctions relevant here are that hashes are fixed-length (the length of encrypted text varies based on the length of the text which was encrypted) and non-reversible (encrypted text can be decrypted; hashed text cannot).
- Because hashes are fixed-length, there are an infinite number of inputs which will match any given hashed representation. An attacker could, therefore, find a working password which is not necessarily the same as the owning user’s password — although this is very unlikely given the size of modern crypto hashes.
@phunehehe No, the input set (all possible passwords) is infinite, but the output (all possible hash values) is finite.
The number of inputs leading to any given collision is not infinite, because the length of strings which can be hashed by any given algorithm is finite. See for instance stackoverflow.com/questions/17388177/…
@MariusMatutiae Assume a really bad hash implementation which truncates at 3 characters. The correct password is «abc». The inputs «abcd», «abcde», «abcdef», etc. will also produce the same output hash and, therefore, also be accepted. There are an infinite number of strings which start with «abc» and will trivially collide. (Note that we’re basically just disagreeing here on whether «the input» means before or after truncation is applied.)
The /etc/shadow file was created for security reasons, and holds each user’s encrypted password.
Originally, the encrypted password was stored in /etc/passwd . /etc/passwd had to be world readable so that the system could map userids to user names, and so that users could find out information about each other, e.g. the other user’s home directory, or their phone number, which was traditionally stored in the «gecos» field and displayed by the «finger» utility.
But then people realized that this was a security problem. Anybody with enough time could do what’s called a brute-force attack, by programmatically generating encrypted passwords for every possible password. If the attacker did that without actually trying to log in via telnet or ssh , the system could not know that it was being attacked.
So the encrypted password was moved into the newly created /etc/shadow , which is readable only by root.
It also contains other information that the /etc/passwd file did not support related to the user’s account and password, e.g. when the password was last changed and when it will expire.
See man 5 shadow (web version) for full details of the file format.
I can’t say whether it is the same for SUSE, without knowing which version of SUSE you are dealing with. For example, your SUSE system may use Blowfish rather than MD5.
You also implied you were mixing your /etc/shadow file with a system running a different Linux distribution, but did not say what the other distribution was.
To try to figure it out, open up /etc/shadow and see whether the encrypted password field starts with $1$ or $2$ . If it contains $1$ , then it’s MD5, and compatible with most other distributions. If it contains $2$ , then it’s probably Blowfish according to Blowfish shadow files on Debian.
If you are using Ubuntu, the first Google search result for Ubuntu blowfish might be a good starting place.
Users are listed in the /etc/passwd file. This file contains much information used by the system, not only to allow users to log in.
Each line corresponds to a user entry and the different fields are separated by colons. The first field is the login; it is followed by the corresponding password.
Encrypted passwords used to be stored in this field. However, the /etc/passwd file has to be readable by everyone on the system, so encryption does not protect against brute-force attacks, as has been said by @Mikel. The solution was to move these encrypted passwords into a root-only readable file: /etc/shadow .
Thus, /etc/shadow contains the encrypted passwords of the system’s users. The system knows it has to check for passwords in this file when the password field in /etc/passwd contains an x alone (meaning «cross over to /etc/shadow»).
Note that passwords stored in /etc/passwd were/are still hashed in exactly the same way they would be if they were in /etc/shadow . You don’t actually say that passwords in /etc/passwd would be plaintext, but it would be easy for someone unfamiliar with *nix password handling to misinterpret your answer as implying that.
I don’t think the x actually means anything. It’s there just as an invalid hash (one that doesn’t match any password). Some systems use ! .
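The answers above describe the password field by its shape: an x in /etc/passwd means "look in /etc/shadow", a $1$ prefix means MD5 and $2$ means Blowfish, and a ! or * makes the field unusable as a hash. The following Python is an added example (not code from the page or from the shadow suite) that classifies one password field the same way; it goes beyond the page by also recognising the $5$ (SHA-256), $6$ (SHA-512) and $y$ (yescrypt) identifiers documented in crypt(5) and the 13-character traditional DES format mentioned in the last answer. The sample shadow lines are constructed for the example; the hash bodies are placeholders, not real hashes.

```python
import re

# crypt(5) identifiers. $1$ and $2$ are the ones the page discusses; the rest
# are added here for completeness (assumption: glibc/libxcrypt naming).
SCHEMES = {
    "1": "md5crypt",
    "2": "bcrypt (Blowfish)",   # covers $2$, $2a$, $2b$, $2y$
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}


def classify_password_field(field: str) -> dict:
    """Classify one password field from /etc/passwd or /etc/shadow.

    status: 'shadowed' (x in passwd), 'empty' (no password required),
            'locked' (leading '!'), 'hash' (usable crypt(3) output),
            'invalid' (e.g. '*', which matches no password).
    scheme: hash scheme name when the field carries a recognisable hash.
    """
    if field == "x":
        return {"status": "shadowed", "scheme": None, "locked": False}
    locked = field.startswith("!")
    body = field.lstrip("!")          # "!" or "!!" alone: locked, no hash kept
    if body == "":
        return {"status": "locked" if locked else "empty",
                "scheme": None, "locked": locked}
    m = re.match(r"^\$([^$]+)\$", body)
    if m:
        ident = m.group(1)
        key = "2" if ident.startswith("2") else ident
        scheme = SCHEMES.get(key)
        if scheme is None:
            return {"status": "invalid", "scheme": None, "locked": locked}
        return {"status": "locked" if locked else "hash",
                "scheme": scheme, "locked": locked}
    # Traditional DES crypt(): 2-char salt + 11 chars, all from [A-Za-z0-9./]
    if re.fullmatch(r"[A-Za-z0-9./]{13}", body):
        return {"status": "locked" if locked else "hash",
                "scheme": "descrypt", "locked": locked}
    # '*', 'NP', or anything else that is not valid crypt(3) output
    return {"status": "invalid", "scheme": None, "locked": locked}


# Constructed sample /etc/shadow content (placeholder hash bodies, not real).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$PLACEHOLDERsha512hashbody:19000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERmd5body:19000:0:99999:7:::
bob:$2y$10$PLACEHOLDERbcryptsaltandhashbody:19000:0:99999:7:::
carol:!$6$saltsalt$PLACEHOLDERlockedbody:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:ab/cdEFGhijk1:19000:0:99999:7:::
"""


def summarize_shadow(text: str) -> dict:
    """Map each login name to (status, scheme) for every line of a shadow file."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        info = classify_password_field(fields[1])
        out[fields[0]] = (info["status"], info["scheme"])
    return out


if __name__ == "__main__":
    for user, (status, scheme) in summarize_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8s} {status:9s} {scheme or '-'}")
```

Run as a script it prints one line per sample user; a defender auditing a real system would feed it the output of a privileged read of /etc/shadow and look for empty fields, weak (descrypt or md5crypt) schemes, and accounts that are expected to be locked but are not.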
Let’s see if I can get all the up-votes in the world, since I wrote what became the Linux Shadow Password Suite in ’87 😉
The original /etc/passwd file contained a modified DES-based hash of the cleartext password. At the time the crypt() function was created, it was believed (and this was stated by the creators of the UNIX operating system) that attacks against the password hash would be infeasible, due to the number of possible passwords and the use of a 12-bit (4,096 possible values) «salt». Each possible cleartext password had 4,096 possible hashed values, and with 64-bits of hashed result, that gave a total of 2^72 possible password hashes.
As another poster mentioned, /etc/passwd was also used by various utilities to map between user names and UID values (the /etc/group file provides the analogous function for groups) and that required it be world-readable.
In the 1980s it became obvious that dictionary attacks against the password hash stored in the /etc/passwd file were becoming feasible and /etc/shadow was introduced to AT&T UNIX in an early release of System V. I documented which manpages I used to write the original Shadow library, and I’ve since forgotten, but it was definitely an early System V release, probably SVR3.2.
What AT&T did, and what I implemented for SCO Xenix (the original SCO Xenix, not the later evil SCO Xenix) in ’87 that eventually came into use on Linux, was simply move the hashed password to /etc/shadow . This prevented the drive-by attack, where an unprivileged user acquired a copy of /etc/passwd and ran an attack against it. If you’re familiar with why I wrote Shadow in the first place, I had a user download my /etc/passwd file via UUCP back in the days when we still used UUCP for just about everything.
By the time Linux was created and came into wide-spread use, there were a very large number of tools for attacking password hashes. High-performance re-implementations of crypt() were one avenue, and dictionary-based attacks via tools such as Crack and libcrack were others. The initial port was done by Nate Holloway and Florian La Roche (I gave them credit, I don’t know if anyone did the work before them).
Eventually the use of crypt() -based hashes, even in a protected file, was no longer secure and the original MD5 -based hash changes were made. MD5 eventually was considered to be too weak, and newer hashes were used.
In theory, a strong enough hash could be stored in /etc/passwd . Poor operational security means that many systems have their /etc/shadow files available through various attack vectors — «I stole the backup files» is probably the easiest.
Shadow files in Linux
NAME
shadow - shadowed password file
DESCRIPTION
The shadow file contains the encrypted passwords of user accounts and optional password aging information. This file must not be readable by regular users if password security is to be maintained. Each line of the file contains 9 fields separated by colons («:»), in the following order:
- login name: Must be a valid account name that exists on the system.
- encrypted password: See crypt(3) for details on how the password is encoded. If the password field contains a string that is not a valid result of crypt(3), for example if it contains ! or *, the user will not be able to use this Unix password to log in (but may still log in to the system by other means). This field may be empty, in which case no password is required to authenticate as the specified account. However, some applications that read /etc/shadow may refuse access altogether if the password field is empty. The password field may begin with an exclamation mark, meaning that the password is locked; the remaining characters on the line represent the password field before it was locked.
- date of last password change: The date of the last password change, expressed as the number of days since January 1, 1970. The value 0 has a special meaning: it indicates that the user must change the password the next time they log in. An empty field means that password aging checks are disabled.
- minimum password age: The minimum number of days the user must wait before being allowed to change the password. An empty field or 0 disables the minimum password age.
- maximum password age: The maximum number of days after which the user must change the password. After this number of days has elapsed the password may still be valid; the user should be asked to change it at the next login. An empty field means that there is no maximum password age, no password warning period, and no password inactivity period (see below). If the maximum password age is less than the minimum password age, the user cannot change the password.
- password warning period: The number of days before the password expires (see maximum password age) during which the user is warned. An empty field or 0 disables the warning period.
- password inactivity period: The number of days after the password has expired (see maximum password age) during which the password is still accepted (and the user must update the password at the next login). After the password has expired and this inactivity period has elapsed, logging in with the current password is no longer possible; the user must contact the administrator. An empty field means that there is no inactivity period.
- account expiration date: The date of expiration of the account, expressed as the number of days since January 1, 1970. Note that account expiration differs from password expiration: when an account expires, the user cannot log in at all; when a password expires, the user cannot log in using that password. An empty field means that the account never expires. The value 0 should not be used, as it may be interpreted either as an account that never expires or as one that expired on January 1, 1970.
- reserved field: This field is reserved for future use.
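The aging fields above are only meaningful once you combine them: expiry is last change plus maximum age, the warning window sits just before that date, and the inactivity period extends just after it. The Python below is an added example (not the shadow suite's own code, and not the page's) that parses shadow(5) lines and evaluates those rules for a given day; the sample lines are constructed, the hash bodies are placeholders, and the exact boundary handling (for instance treating the expiry day itself as expired) is an assumption made for the example rather than a statement about login(1)'s implementation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """Convert a calendar date to the 'days since 1970-01-01' unit shadow(5) uses."""
    return (d - EPOCH).days


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: Optional[int]   # 0 = must change at next login; None (empty) = aging disabled
    min_age: int             # 0 or empty = no minimum
    max_age: Optional[int]   # None (empty) = no maximum, no warning, no inactivity
    warn: int                # 0 or empty = no warning period
    inactive: Optional[int]  # None (empty) = no inactivity period
    expire: Optional[int]    # None (empty) = never expires; 0 is ambiguous per shadow(5)
    reserved: str


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line into its 9 colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    opt = lambda s: int(s) if s != "" else None   # empty field -> None
    name, pw, lastchg, mn, mx, warn, inact, exp, reserved = fields
    return ShadowEntry(name, pw, opt(lastchg), opt(mn) or 0, opt(mx),
                       opt(warn) or 0, opt(inact), opt(exp), reserved)


def aging_status(e: ShadowEntry, today: int) -> str:
    """Apply the shadow(5) aging rules to one entry as of `today` (days since epoch).

    Returns 'account-expired', 'must-change', 'password-inactive',
    'password-expired' (still accepted, change required), 'warning' or 'ok'.
    Assumption: a date equal to the expiry day counts as expired.
    """
    if e.expire is not None and e.expire != 0 and today >= e.expire:
        return "account-expired"
    if e.lastchg is None:
        return "ok"                      # aging checks disabled
    if e.lastchg == 0:
        return "must-change"             # forced change at next login
    if e.max_age is None:
        return "ok"                      # no maximum: no warning, no inactivity
    expiry = e.lastchg + e.max_age
    if today >= expiry:
        if e.inactive is not None and today >= expiry + e.inactive:
            return "password-inactive"   # grace period over: contact the administrator
        return "password-expired"
    if e.warn and today >= expiry - e.warn:
        return "warning"
    return "ok"


def can_change_password(e: ShadowEntry, today: int) -> bool:
    """Minimum-age rule, including the max < min case from shadow(5)."""
    if e.max_age is not None and e.max_age < e.min_age:
        return False
    if e.lastchg is None or e.lastchg == 0 or e.min_age == 0:
        return True
    return today >= e.lastchg + e.min_age


# Constructed sample file; TODAY is 2024-01-01 (day 19723). Hash bodies are placeholders.
TODAY = days_since_epoch(date(2024, 1, 1))
SAMPLE_SHADOW = """\
alice:$6$s$PLACEHOLDER:19700:0:90:7:::
bob:$6$s$PLACEHOLDER:19600:0:90:7:::
carol:$6$s$PLACEHOLDER:19500:0:90:7:30::
dave:$6$s$PLACEHOLDER:0:0:90:7:::
erin:$6$s$PLACEHOLDER:19700:0:30:7:::
frank:$6$s$PLACEHOLDER:19700:0:90:7::19000:
grace:$6$s$PLACEHOLDER:::::::
heidi:$6$s$PLACEHOLDER:19720:10:5:0:::
"""


def evaluate_all(text: str, today: int) -> Dict[str, str]:
    """Map each login name to its aging status for the given day."""
    return {e.name: aging_status(e, today)
            for e in map(parse_shadow_line, filter(None, text.splitlines()))}


if __name__ == "__main__":
    for user, status in evaluate_all(SAMPLE_SHADOW, TODAY).items():
        print(f"{user:6s} {status}")
```

The same evaluation is what chage -l reports per user; running this logic over a whole shadow file is a quick way to find accounts whose passwords never expire, are stuck in the inactivity period, or cannot be changed because the maximum age is below the minimum.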
FILES
- /etc/passwd: user account information
- /etc/shadow: secure user account information
- /etc/shadow-: backup copy of the /etc/shadow file. Note that this file is used by the tools of the shadow tool suite, but not by all user and password management tools.
SEE ALSO
chage(1), login(1), passwd(1), passwd(5), pwck(8), pwconv(8), pwunconv(8), su(1), sulogin(8).
© 2019 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.