[H-GEN] I can't login - HELP!
Ben Carlyle
benc at foxboro.com.au
Wed Dec 15 01:50:57 EST 1999
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
Murray Spork wrote:
> Don't know much about shadow passwords -- but apparently I was missing
> /etc/shadow
> So cp /etc/shadow.bak /etc/shadow solved it.
The basic run-down on shadowed passwords is this:
/etc/passwd contains the following fields:
username:something:uid:gid:long name:home:shell
Traditionally that something was the standard UNIX password
encryption. The last two characters are the seed, and the
rest is obtained by manipulating the seed in strange and
perverted ways according to what you type in as your password.
/etc/passwd must be world readable, because the information
in it is used all over the place, so the traditional approach
leaves the password encryption open for anyone to see.
In the olden-days this was not a big problem. It used to take
quite some time to break a unix password file. Now it takes
hours or less to find some of the weaker ones by pure brute
force. The /etc/shadow file is a way to combat this situation.
/etc/shadow is not readable by anyone but root. This means
that it is accessible to the login process, and to suid
programs such as "su", however normal users cannot access it.
The useful information is kept in /etc/passwd for normal users,
but the encrypted passwords in /etc/shadow file are unknowable.
Shadowed password files essentially mean that an intruder must
crack root before she is able to read any passwords. Since
root is the most powerful account on the system, it usually
becomes a moot point whether the passwords are crackable when
that happens.
It can still make sense to break the /etc/shadow file, of
course. Breaking root on an insecure system may be easier
than breaking root on the system our cracker really wants
access to. By breaking root and stealing the shadow file,
she can break the contents at her leisure. If the
intrusion is not detected in time, she may gain access to
other machines that share a user who uses the same password
on each. This is one reason why keeping the same password
across machines makes you a security risk.
Another possible reason to crack the /etc/shadow file is if
your intruder has obtained the file through dubious measures,
and is not actually a user on the account. Weak anonymous ftp
implementations were renowned for this kind of problem in
the past...
ftp client: May I have your /etc/passwd file, please?
ftp server: Why certainly, glad to be of service.
(such servers usually run in chrooted environments these
days, so the real sensitive information is literally not
accessible).
The shadowed password approach does not usually present
a barrier to this entry, however, as many servers also
(often unnecessarily) run as root and can therefore read
the /etc/shadow file and pass it on. This is why networked
services are especially sensitive to outside attack.
But to summarise... shadowed password files are non-readable
except by root, and contain the "real" passwords. It's a
counter-measure to brute-force cracking attempts of users
who already have some access to the system, and want their
access to become a little more than it is.
Benjamin.
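An added example (not from the post or the list): a small audit over the two files the message describes. It parses constructed /etc/passwd and /etc/shadow samples (the hash strings are placeholders) and flags the situations discussed above: a hash left in the world-readable passwd file, an empty password field, and an account marked "x" with no shadow entry, which is the missing-/etc/shadow login failure the thread started from.

```python
from typing import Dict, List

# Constructed sample files; hash strings are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:abJnggxhB/yWI:1001:1001:Bob:/home/bob:/bin/sh
carol::1002:1002:Carol:/home/carol:/bin/sh
dave:x:1003:1003:Dave:/home/dave:/bin/sh
"""
SHADOW = """\
root:$6$placeholdersalt$placeholderhash:10957:0:99999:7:::
alice:$6$placeholdersalt$placeholderhash:10957:0:99999:7:::
bob:*:10957:0:99999:7:::
"""

def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Map username -> field list for a passwd (7 fields) or shadow (9 fields) file."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed line (expected {nfields} fields): {line!r}")
        entries[fields[0]] = fields
    return entries

def audit(passwd_text: str, shadow_text: str) -> Dict[str, str]:
    """Return {user: problem} for accounts whose password storage is wrong."""
    problems: Dict[str, str] = {}
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    for user, fields in passwd.items():
        pw = fields[1]  # the "something" field between username and uid
        if pw == "":
            problems[user] = "empty password field: login needs no password"
        elif pw == "x":
            if user not in shadow:
                problems[user] = "marked shadowed but has no /etc/shadow entry: login fails"
        elif pw not in ("*", "!", "!!"):
            problems[user] = "hash stored in world-readable /etc/passwd: not shadowed"
    return problems

def shadow_mode_ok(st_mode: int) -> bool:
    """True if a stat() st_mode for /etc/shadow grants no permission bits to 'other'."""
    return (st_mode & 0o007) == 0
```

Run it against real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` as root, and pass `os.stat("/etc/shadow").st_mode` to `shadow_mode_ok`.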