Shadow file password policy

pinga123 · #1 10-01-2010

Today i was going through some of security guides written on linux .

Under shadow file security following points were mentioned.

1)The encrypted password stored under /etc/shadow file should have more than 14-25 characters.
2)Usernames in shadow file must satisfy to all the same rules as usernames in /etc/passwd.
3)password for application Username should display * if username is not locked.
4)If a user is locked it should be displayed as ! as the first character in second field of shadow file.

Confusion for point 1 and 2:
Now i m confused as why the encrypted password should be more than 14-25 characters.
Also what rules to satisfy How to check it?

Confusion for point 3 and 4:
There are lot of users with * as second field i guess they are not locked but according to 4th point there are lot of users with ! as first characters.
How would i check whether they are actually locked or not.

I m posting the output of /etc/shadow and /etc/passwd files for the account.

/etc/passwd

Quote:

admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

/etc/shadow

Quote:

admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::

zaxxon · #2 10-01-2010

To check the status of an account you can issue following on Linux:

Code:

$> passwd -S sshd
sshd L 05/30/2007 0 99999 7 -1

pinga123 · #3 10-01-2010

Quote:

If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a
unix password to log in (but the user may log in the system by other means).

How would a locked user can able to login using other means?
are you referring to login by super user and issue su <locked username>?

---------- Post updated at 03:49 AM ---------- Previous update was at 03:30 AM ----------

P.S:
I would also like to know the GID range of my distribution .

I can find the UID range by examining UID of nobody user but how would i find the same for GID.

zaxxon · #4 10-01-2010

Into a locked account can't be logged in, not by any other means - that's why it is locked. Even if you try to su - from root to the locked account, this will not be possible to access it (try it out).

pinga123 · #5 10-01-2010

This contradict the above post by you.

---------- Post updated at 03:53 AM ---------- Previous update was at 03:52 AM ----------

4)If a user is locked it should be displayed as ! as the first character in second field of shadow file.

zaxxon · #6 10-01-2010

Maybe I should read what I copy and paste to it's full length. I do not know other means they talk about or at least did not try any out - maybe another member of the forum can give you the answer or you just try out yourself some available to you.
Maybe using PAM and bypassing normal Unix login methods, idk.

To check the maximal value of a gid, I guess you take a look into your distributions header files in /usr/include (I checked on a Debian Linux):

Code:

somebox:/usr/include/bits> grep -i gid typesizes.h
#define __GID_T_TYPE            __U32_TYPE
somebox:/usr/include/bits> grep __U32_TYPE types.h
#define __U32_TYPE              unsigned int
__STD_TYPE __U32_TYPE __socklen_t;

pinga123 · #7 10-01-2010

Nice question .I was written in the security manual that all GID must be within range for the distribution.

Quote:

The user “nobody” traditionally got the largest possible UID (as the opposite of the Superuser): 32767. ---Source wikipedia.

Sadly this is not the case in my distribution.

Quote:

cat /etc/passwd | grep nobody
nobody:x:99:99:Nobody:/:/sbin/nologin

However i checked the /usr/include/bits but there is no such directory called bits.
Instead i got it under /usr/include/pppd/pppd.h

Quote:

# grep -i gid /usr/include/pppd/pppd.h
#ifndef GIDSET_TYPE
#define GIDSET_TYPE gid_t

extern GIDSET_TYPE groups[NGROUPS_MAX]; /* groups the user is in */

Quote:

# grep -i gid_t /usr/include/pppd/pppd.h
#define GIDSET_TYPE gid_t

Still not sure if it is int or something else.

---------- Post updated at 05:07 AM ---------- Previous update was at 05:02 AM ----------

Do you think its int as i got following.

Quote:

#define GIDSET_TYPE gid_t
/usr/include/libsmbclient.h:int smbc_chown(const char *url, uid_t owner, gid_t group);
/usr/include/libdevmapper.h:int dm_task_set_gid(struct dm_task *dmt, gid_t gid);

Thread Tools	Search this Thread
Show Printable Version Email this Page Subscribe to this Thread	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

More UNIX and Linux Forum Topics You Might Find Helpful
Thread	Thread Starter	Forum	Replies	Last Post
/etc/shadow encrypted password	presul	UNIX for Advanced & Expert Users	1	07-25-2010 08:04 AM
Password Recovery From /etc/shadow file	ksvaisakh	Solaris	6	09-27-2009 01:54 AM
shadow file after a password reset	progressdll	UNIX for Dummies Questions & Answers	0	10-31-2007 05:18 AM
I want to append password in /etc/shadow file	modgil	Shell Programming and Scripting	5	03-21-2006 11:08 PM
remove shadow password	gizaa	UNIX for Dummies Questions & Answers	2	08-03-2004 07:30 PM

The Following User Says Thank You to zaxxon For This Useful Post:
pinga123 (10-01-2010)