The Password Files

A user gains access to an account by providing a correct login and password. The system maintains passwords in password files, along with login information like the user name and ID. Tools like the passwd command let users change their passwords by modifying these files. /etc/passwd is the file that traditionally held user passwords, though in encrypted form. However, all users are allowed to read the /etc/passwd file, which would have allowed access by users to the encrypted passwords. For better security, password entries are kept in the /etc/shadow file, which is restricted to the root user.

/etc/passwd

When you add a user, an entry for that user is made in the /etc/passwd file, commonly known as the password file. Each entry takes up one line that has several fields separated by colons. The fields are as follows:

• Username   Login name of the user

• Password   Encrypted password for the user's account

• User ID   Unique number assigned by the system

• Group ID   Number used to identify the group to which the user belongs

• Comment   Any user information, such as the user's full name

• Home directory   The user's home directory

• Login shell   Shell to run when the user logs in; this is the default shell, usually /bin/bash

Depending on whether or not you are using shadow passwords, the password field (the second field) will be either an x or an encrypted form of the user's password. Red Hat implements shadow passwords by default, so these entries should have an x for their passwords. The following is an example of an /etc/passwd entry. For such entries, you must use the passwd command to create a password. Notice also that user IDs in this particular system start at 500 and increment by one. With Red Hat, the group given is not the generic User, but a group consisting uniquely of that user. For example, the dylan user belongs to a group named Dylan, not to the generic User group.

dylan:x:500:500:Dylan:/home/dylan:/bin/bash chris:x:501:501:Chris:/home/chris:/bin/bash

/etc/shadow and /etc/gshadow

The /etc/passwd file is a simple text file and is vulnerable to security breaches. If anyone gains access to the /etc/password file, they might be able to decipher or crack the encrypted passwords through a brute-force crack. The shadow suite of applications implements a greater level of security. These include versions of useradd, groupadd, and their corresponding update and delete programs. Most other user configuration tools, including redhat-config- users, support shadow security measures. With shadow security, passwords are no longer kept in the /etc/password file. Instead, passwords are kept in a separate file called /etc/shadow. Access is restricted to the root user.

The following example shows the /etc/shadow entries for two users, listing their encrypted passwords. The entry for chris has an x in its Password field, indicating that a password has not yet been created for this user:

dylan:YOTPd3Pyy9hAc:500:500:Dylan:/home/dylan:/bin/bash chris:x:501:501:Chris:/home/chris:/bin/bash

A corresponding password file, called /etc/gshadow, is also maintained for groups that require passwords. Red Hat supports shadow passwords by default. You can manually specify whether you want to use shadow passwords with the Red Hat authentication tool.

Password Tools

To change any particular field for a given user, you should use the user management tools provided, such as the passwd command, redhat-config-users, adduser, usermod, useradd, and chage, discussed in this chapter. The passwd command lets you change the password only. Other tools, such as redhat-config-users, not only make entries in the /etc/passwd file but also create the home directory for the user and install initialization files in the user's home directory.

These tools also let you control a user's access to their accounts. You can set expiration dates for users or lock them out of their accounts. Users locked out of their accounts will have their password in the /etc/shadow file prefixed by the invalid string, !!. Unlocking the account removes this prefix.