03-09-2012
Research the crypt function for details on how UNIX password encryption worked historically, and the shadow system for when they moved that out of /etc/passwd completely.
UNIX as it's now known never stored passwords in plaintext, that would be preposterous. /etc/passwd must be world-readable, they must be protected in some way. They didn't just encrypt the passwords, they encrypted them irretrievably. Not even the operating system can tell what the hashes are supposed to mean. Instead, when you log in, it takes a hash of what you typed and compares the result to see if it's identical to the hash stored in /etc/passwd. If they match, you log in.
There turned out to be vulnerabilities in letting everyone see all the hashes. If you happen to have the same password as someone else, you might notice the identical hash, something they fixed with a random salt which obscures the hashes from being checked quite so easily. Still, however, you can't go backwards from a hash, but you can check a thousand strings from a dictionary and all 256 of their salts to see if any of them become that same hash. They took measures to make crypt() too unwieldy to do that quickly, but advances in computing soon made it not unwieldy enough, and the password hashes were split out into a "shadow" file, which is only readable by root.
The old-fashioned UNIX crypt() algorithm is mostly obsolete now, but has been extended to allow other kinds of encryption in the same sort of stored hash.
As for echoing back to the screen, UNIX terminal control is also about as old as UNIX itself -- what else would they control them with back then? I suspect the ability to turn off echo predates UNIX, even.
Last edited by Corona688; 03-09-2012 at 12:43 PM..
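The salt-and-compare scheme the post describes, as an added example that is not from the post or from any UNIX implementation: PBKDF2-HMAC-SHA512 (a standard library KDF) stands in for libc's crypt() methods, the `$id$rounds$salt$hash` record layout mirrors the modern shadow style, and the user names and passwords are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Record layout loosely modelled on the modern "$id$rounds$salt$hash" shadow style.
# PBKDF2-HMAC-SHA512 is a stand-in for sha512crypt; the shape of the scheme is the point.
ALG_ID = "pbkdf2-sha512"


def make_record(password, rounds=5000, salt=None):
    """One-way hash of a password with a per-user random salt and a tunable work factor."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user, so equal passwords give unequal records
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "$%s$%d$%s$%s" % (
        ALG_ID,
        rounds,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify(password, record):
    """Login check: re-hash what was typed with the stored salt and rounds, then compare."""
    try:
        _, alg, rounds, salt_b64, hash_b64 = record.split("$")
        if alg != ALG_ID:
            return False
        rounds = int(rounds)
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than guess
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    # Constant-time comparison so response time does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = make_record("hunter2")
    bob = make_record("hunter2")
    print("same password, different records:", alice != bob)
    print("alice logs in:", verify("hunter2", alice))
    print("wrong password rejected:", verify("hunter3", alice))
```

The stored record contains everything needed to re-run the hash but nothing that lets anyone run it backwards; a higher `rounds` value raises the cost of each guess in the same way the shadow suite's SHA rounds do.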
chpasswd
CHPASSWD(8) System Management Commands CHPASSWD(8)
NAME
chpasswd - update passwords in batch mode
SYNOPSIS
chpasswd [options]
DESCRIPTION
The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of
existing users. Each line is of the format:
user_name:password
By default the passwords must be supplied in clear-text, and are encrypted by chpasswd. Also the password age will be updated, if present.
By default, passwords are encrypted by PAM, but (even if not recommended) you can select a different encryption method with the -e, -m, or
-c options.
Except when PAM is used to encrypt the passwords, chpasswd first updates all the passwords in memory, and then commits all the changes to
disk if no errors occurred for any user.
When PAM is used to encrypt the passwords (and update the passwords in the system database) then if a password cannot be updated chpasswd
continues updating the passwords of the next users, and will return an error code on exit.
This command is intended to be used in a large system environment where many accounts are created at a single time.
OPTIONS
The options which apply to the chpasswd command are:
-c, --crypt-method METHOD
Use the specified method to encrypt the passwords.
The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods.
By default, PAM is used to encrypt the passwords.
-e, --encrypted
Supplied passwords are in encrypted form.
-S, --stdout
Report encrypted passwords to stdout instead of updating password file.
-h, --help
Display help message and exit.
-m, --md5
Use MD5 encryption instead of DES when the supplied passwords are not encrypted.
-s, --sha-rounds ROUNDS
Use the specified number of rounds to encrypt the passwords.
The value 0 means that the system will choose the default number of rounds for the crypt method (5000).
A minimal value of 1000 and a maximal value of 999,999,999 will be enforced.
You can only use this option with the SHA256 or SHA512 crypt method.
By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.
CAVEATS
Remember to set permissions or umask to prevent readability of unencrypted files by other users.
CONFIGURATION
The following configuration variables in /etc/login.defs change the behavior of this tool:
SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)
When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when
the number of rounds is not specified on the command line).
With a lot of rounds, it is more difficult to brute-force the password. But note also that more CPU resources will be needed to
authenticate users.
If not specified, the libc will choose the default number of rounds (5000).
The values must be inside the 1000-999999999 range.
If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.
If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used.
Note: This only affects the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM
configuration. It is recommended to set this variable consistently with the PAM configuration.
FILES
/etc/passwd
User account information.
/etc/shadow
Secure user account information.
/etc/login.defs
Shadow password suite configuration.
/etc/pam.d/chpasswd
PAM configuration for chpasswd.
SEE ALSO
passwd(1), newusers(8), login.defs(5), useradd(8).
System Management Commands 06/24/2011 CHPASSWD(8)