Shadow file password policy

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat Shadow file password policy
# 1  
Old 10-01-2010
Shadow file password policy

Today i was going through some of security guides written on linux .

Under shadow file security following points were mentioned.

1)The encrypted password stored under /etc/shadow file should have more than 14-25 characters.
2)Usernames in shadow file must satisfy to all the same rules as usernames in /etc/passwd.
3)password for application Username should display * if username is not locked.
4)If a user is locked it should be displayed as ! as the first character in second field of shadow file.

Confusion for point 1 and 2:
Now i m confused as why the encrypted password should be more than 14-25 characters.
Also what rules to satisfy How to check it?

Confusion for point 3 and 4:
There are lot of users with * as second field i guess they are not locked but according to 4th point there are lot of users with ! as first characters.
How would i check whether they are actually locked or not.

I m posting the output of /etc/shadow and /etc/passwd files for the account.

/etc/passwd
Quote:
admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
/etc/shadow

Quote:
admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::
# 2  
Old 10-01-2010
To check the status of an account you can issue following on Linux:
Code:
$> passwd -S sshd
sshd L 05/30/2007 0 99999 7 -1

From the man page of passwd:
Code:
       -S, --status
           Display account status information. The status information consists of 7 fields. The first field is the users login name. The second
           field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives
           the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the
           password. These ages are expressed in days.

About the rules with the 14-25 characters for password length I would not worry since the binaries and libraries dealing with that usually work as intended.

Also something from the man page of shadow that might help:
Code:
       encrypted password
           Refer to crypt(3) for details on how this string is interpreted.

           If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a
           unix password to log in (but the user may log in the system by other means).

           This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications
           which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

           A password field which starts with a exclamation mark means that the password is locked. The remaining characters on the line represent
           the password field before the password was locked.

This User Gave Thanks to zaxxon For This Post:
# 3  
Old 10-01-2010
Quote:
If the password field contains some string that is not a valid result of crypt(3), for instance ! or *, the user will not be able to use a
unix password to log in (but the user may log in the system by other means).
How would a locked user can able to login using other means?
are you referring to login by super user and issue su <locked username>?

---------- Post updated at 03:49 AM ---------- Previous update was at 03:30 AM ----------

P.S:
I would also like to know the GID range of my distribution .

I can find the UID range by examining UID of nobody user but how would i find the same for GID.
# 4  
Old 10-01-2010
Into a locked account can't be logged in, not by any other means - that's why it is locked. Even if you try to su - from root to the locked account, this will not be possible to access it (try it out).
# 5  
Old 10-01-2010
This contradict the above post by you.

---------- Post updated at 03:53 AM ---------- Previous update was at 03:52 AM ----------

4)If a user is locked it should be displayed as ! as the first character in second field of shadow file.
# 6  
Old 10-01-2010
Maybe I should read what I copy and paste to it's full length. I do not know other means they talk about or at least did not try any out - maybe another member of the forum can give you the answer or you just try out yourself some available to you.
Maybe using PAM and bypassing normal Unix login methods, idk.

To check the maximal value of a gid, I guess you take a look into your distributions header files in /usr/include (I checked on a Debian Linux):
Code:
somebox:/usr/include/bits> grep -i gid typesizes.h
#define __GID_T_TYPE            __U32_TYPE
somebox:/usr/include/bits> grep __U32_TYPE types.h
#define __U32_TYPE              unsigned int
__STD_TYPE __U32_TYPE __socklen_t;

I am not totally sure but I think that is what defines the max for the gid in the system. On a 32-bit system this would 2^32-1 ie. 4294967295 afaik.
Just out of curiosity - why do you need to know that?
# 7  
Old 10-01-2010
Nice question .I was written in the security manual that all GID must be within range for the distribution.


Quote:
The user “nobody” traditionally got the largest possible UID (as the opposite of the Superuser): 32767. ---Source wikipedia.
Sadly this is not the case in my distribution.
Quote:
cat /etc/passwd | grep nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
However i checked the /usr/include/bits but there is no such directory called bits.
Instead i got it under /usr/include/pppd/pppd.h

Quote:
# grep -i gid /usr/include/pppd/pppd.h
#ifndef GIDSET_TYPE
#define GIDSET_TYPE gid_t

extern GIDSET_TYPE groups[NGROUPS_MAX]; /* groups the user is in */
Quote:
# grep -i gid_t /usr/include/pppd/pppd.h
#define GIDSET_TYPE gid_t
Still not sure if it is int or something else.

---------- Post updated at 05:07 AM ---------- Previous update was at 05:02 AM ----------

Do you think its int as i got following.

Quote:
#define GIDSET_TYPE gid_t
/usr/include/libsmbclient.h:int smbc_chown(const char *url, uid_t owner, gid_t group);
/usr/include/libdevmapper.h:int dm_task_set_gid(struct dm_task *dmt, gid_t gid);
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. AIX

Password Policy

I need help. I have set a password policy. But I want to dis allow setting user name as password. My policy is as below... min length =8 min diff=2 min alpha=2 max repeats=2 dictionary= /usr/share/dict/words Still user can set his username as password (i.e. Jackie1234). Code tags for... (11 Replies)
Discussion started by: powerAIX
11 Replies

2. Ubuntu

Password Expiration Policy

Hello Team, I am using Lubuntu & have DRBL remote boot setup with open Ldap authentication. Currently there is no password expire policy. I want to set Password Policy so that user's password will expire after a month & they will get prompt to change their password. Using PAM we can do it,... (1 Reply)
Discussion started by: paragnehete
1 Replies

3. UNIX for Dummies Questions & Answers

Using the encrypted password of the shadow file

i have an application that uses the encrypted password that's in the /etc/shadow file. i copied the line for the particular username i was interested it in from shadow file and i pasted it into the password file of the application. the application is nagios. this application allowed that... (5 Replies)
Discussion started by: SkySmart
5 Replies

4. Shell Programming and Scripting

how to remove the non : characters after the password in shadow file?

On SPARC Solaris 10. I set the app account so it's expired. I also want it so not required to change password at first login, I can do this by removing the numbers after the password in /etc/shadow. example using user1 The /etc/shadow file looks like this: user1:kOmcVXAImRTAY:0::::90:: ... (8 Replies)
Discussion started by: TKD
8 Replies

5. Solaris

password policy for new user

hi folk, i try to setup a new password policy for our solaris box user, below are the /etc/default/passwd/, but then when i tried to create a user, it didn't ask for numeric character, and the new password also didn't ask for special characters. # useradd testing # passwd testing New... (7 Replies)
Discussion started by: dehetoxic
7 Replies

6. Red Hat

NIS password policy

Hi, I am running NIS server on redhat linux 5 and I want to implement password restrictions for the yppasswd, how can I do it.Please help me. I can implement password restriction for passwd by configuring /etc/pam.d/system-auth and setting crack_lib.so but I don't know how to implent the same... (3 Replies)
Discussion started by: ktrimu
3 Replies

7. Solaris

Password policy problem ??

Hi Solaris's expert I need to change user password on Solaris10 2 servers. With the same password I can change it just only one. Try to check everything but not found difference?? password pattern: abcdeFgh9Jk server1 check all characters but server2 check only first 8 characters.Why??... (10 Replies)
Discussion started by: arm_naja
10 Replies

8. Solaris

Password Recovery From /etc/shadow file

Is it possible to reset a normal user password , by editing password field in /etc/shadow file? Thanks (6 Replies)
Discussion started by: ksvaisakh
6 Replies

9. UNIX for Dummies Questions & Answers

shadow file after a password reset

hi, I had to reset a lost root password by editing the /etc/passwd and /etc/shadow files ( this is a xen vm file, so i mounted and chrooted the file ) after the reboot with an empty password on root , i have set a new password with passwd but it only changed the /etc/passwd file.... (0 Replies)
Discussion started by: progressdll
0 Replies

10. Shell Programming and Scripting

I want to append password in /etc/shadow file

Hi, I want to append password into /etc/shadow file using a shell script. My below script does add the users to both /etc/passwd and /etc/shadow but how can I add the hordcoded passwords to /etc/shadow file can some one help me ? # To add the groups into /etc/group file for a_user... (5 Replies)
Discussion started by: modgil
5 Replies
Login or Register to Ask a Question