The Shadow Password Suite provides the commands for managing Linux users and groups, including those already addressed in this chapter. By default, Red Hat Linux uses this suite to provide additional security by moving the password hashes (loosely called encrypted passwords) out of the world-readable /etc/passwd and /etc/group files and into /etc/shadow and /etc/gshadow. The suite includes commands to convert passwords to and from the companion /etc/passwd and /etc/group configuration files.
These shadow files have far more restrictive permissions than /etc/passwd or /etc/group, which must stay world-readable so that every program can map UIDs and GIDs to names. /etc/shadow and /etc/gshadow are owned by root, readable only by root, and carry no write bit; the setuid passwd command and the suite's own tools update them by writing a new file rather than editing in place. The point is that a hash anyone can read can be attacked offline at leisure, while a hash only root can read cannot.
However, these additional security provisions may not do you much good unless your passwords are strong, as we explain in the next section.
The classic password-testing program is Crack. The cracklib* RPM packages contain a library and dictionary derived from it, but cracklib itself is not a cracker: it is the strength checker that passwd calls, through the pam_cracklib module, to reject weak passwords before they are ever set. A real cracking program should be run only against hashes from your own systems, with authorization, to test the strength of your users' passwords.
By default, Red Hat Linux discourages the use of simple passwords, such as dictionary words, or simple patterns, such as abcd; pam_cracklib refuses them for ordinary users (root is only warned). Readily available password-cracking programs recover such passwords in minutes once they have the hashes. In contrast, the best passwords mix upper- and lowercase letters, numbers, and punctuation and are as long as your users will tolerate; the same programs need far longer to recover them. One easy way to build such a password is from a favorite sentence; for example, Ira3mmoW could stand for "I ran a 3 minute mile on Wednesday."
When you use the passwd command, you type the new desired password twice. If your passwords don't match, you'll see a warning to that effect. After pressing Enter, you're returned to the original prompt, where you can try again.
Two commands are associated with converting user passwords in the Shadow Password Suite: pwconv and pwunconv.
pwconv Converts an existing /etc/passwd file. Passwords that currently exist in /etc/passwd are replaced by an "x"; the hash, username, and the password-aging fields are transferred to the /etc/shadow file. If you've recently added new users by editing the /etc/passwd file in a text editor, you can run this command again to convert the passwords associated with any new users. This works even if other passwords are already stored in /etc/shadow: existing shadow entries are left alone, so aging settings you have made with chage survive a re-run. Afterwards, pwck -r reports any user whose /etc/passwd entry says "x" but who has no /etc/shadow line, because such a user can no longer log in.
pwunconv Passwords are transferred back to /etc/passwd, and the /etc/shadow file is deleted. Be careful, because this also deletes any password-aging information (see the chage command described earlier) otherwise saved in /etc/shadow, and it puts every hash back into a world-readable file.
As we discussed earlier, you can configure group administrators in /etc/group and assign associated passwords with gpasswd. Once you have group passwords, you have the same security concerns as with regular user passwords. Two commands are associated with converting group passwords in the Shadow Password Suite: grpconv and grpunconv.
grpconv Converts an existing /etc/group file. The group password hashes, administrator lists, and member lists are transferred to /etc/gshadow, and an "x" is left in /etc/group; grpck -r checks the result.
grpunconv Reverses the process of the grpconv command; like pwunconv, this command also deletes any existing /etc/gshadow file.
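As an added example that is not code from the book or from the shadow-utils project, the following POSIX shell script models what the four conversion commands do, running on constructed copies of the files in a scratch directory so that it never touches the real /etc. The field layouts of passwd, shadow, group, and gshadow are the real ones; the names and hashes are made up, and the aging defaults PASS_MIN_DAYS, PASS_MAX_DAYS, and PASS_WARN_AGE are assumed to be the stock /etc/login.defs values. It also models the consistency check that pwck -r performs, and shows that a re-run of pwconv adds new users while preserving aging data already in the shadow file.

```shell
#!/bin/sh
# Added example (not code from the book): a shell model of what pwconv, pwunconv,
# grpconv and grpunconv do, run on constructed copies in a scratch directory so it
# never touches /etc. On a live system the real sequence is simply:
#   pwconv && grpconv && pwck -r && grpck -r
# Hard-coding the stock /etc/login.defs aging defaults here is an assumption.
set -eu
umask 077                       # a new shadow file must never be world-readable
PASS_MIN_DAYS=0 PASS_MAX_DAYS=99999 PASS_WARN_AGE=7
today() { echo $(( $(date +%s) / 86400 )); }                          # shadow field 3 unit
field() { awk -F: -v u="$2" -v n="$3" '$1 == u { print $n }' "$1"; }  # FILE USER N
# model_pwconv PASSWD SHADOW: move field 2 of each PASSWD line into SHADOW, leave
# "x" behind, keep existing SHADOW lines (so chage data survives a re-run) and
# drop SHADOW lines for users no longer in PASSWD.
model_pwconv() {
    pwf=$1 shf=$2
    [ -f "$shf" ] || : > "$shf"
    awk -F: -v OFS=: -v day="$(today)" -v min="$PASS_MIN_DAYS" \
        -v max="$PASS_MAX_DAYS" -v warn="$PASS_WARN_AGE" \
        -v pwout="$pwf.new" -v shout="$shf.new" '
        FILENAME == ARGV[1] { old[$1] = $0; next }      # existing shadow lines
        {
            if ($1 in old) print old[$1] > shout
            else print $1, $2, day, min, max, warn, "", "", "" > shout
            $2 = "x"; print > pwout
        }' "$shf" "$pwf"
    chmod 644 "$pwf.new" && mv -f "$pwf.new" "$pwf"   # passwd stays world-readable
    chmod 400 "$shf.new" && mv -f "$shf.new" "$shf"   # shadow is root-read-only
}
# model_pwunconv PASSWD SHADOW: copy the hashes back and delete SHADOW; the aging
# fields go with it (the book's warning) and the hashes are world-readable again.
model_pwunconv() {
    pwf=$1 shf=$2
    awk -F: -v OFS=: -v pwout="$pwf.new" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        { if ($1 in hash) $2 = hash[$1]; print > pwout }' "$shf" "$pwf"
    chmod 644 "$pwf.new" && mv -f "$pwf.new" "$pwf"
    rm -f "$shf"
}
# model_grpconv GROUP GSHADOW: group lines are name:pw:gid:members, gshadow lines
# are name:pw:admins:members; the admin list starts empty, members are copied.
model_grpconv() {
    grf=$1 gsf=$2
    [ -f "$gsf" ] || : > "$gsf"
    awk -F: -v OFS=: -v grout="$grf.new" -v gsout="$gsf.new" '
        FILENAME == ARGV[1] { old[$1] = $0; next }
        {
            if ($1 in old) print old[$1] > gsout
            else print $1, $2, "", $4 > gsout
            $2 = "x"; print > grout
        }' "$gsf" "$grf"
    chmod 644 "$grf.new" && mv -f "$grf.new" "$grf"
    chmod 400 "$gsf.new" && mv -f "$gsf.new" "$gsf"
}
# model_grpunconv GROUP GSHADOW: the reverse; GSHADOW is deleted.
model_grpunconv() {
    grf=$1 gsf=$2
    awk -F: -v OFS=: -v grout="$grf.new" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        { if ($1 in hash) $2 = hash[$1]; print > grout }' "$gsf" "$grf"
    chmod 644 "$grf.new" && mv -f "$grf.new" "$grf"
    rm -f "$gsf"
}
# model_pwck PASSWD SHADOW: the check "pwck -r" makes after a conversion. A user
# whose passwd field is "x" but who has no shadow line can never log in.
model_pwck() {
    shf=$2; [ -f "$shf" ] || shf=/dev/null
    awk -F: 'BEGIN { bad = 0 }
        FILENAME == ARGV[1] { seen[$1] = 1; next }
        $2 == "x" && !($1 in seen) { print "pwck: no shadow entry for " $1; bad = 1 }
        END { exit bad }' "$shf" "$1"
}
# Constructed sample files in the pre-shadow layout (hashes still in field 2).
# The hashes are made up; "$1$" is the MD5-crypt prefix Red Hat used at the time.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:0:0:root:/root:/bin/bash
alice:$1$saltsalt$hashhashhashhashhashhash:500:500:Alice:/home/alice:/bin/bash
nobody:*:99:99:Nobody:/:/sbin/nologin
EOF
cat > "$WORK/group" <<'EOF'
root:!:0:root
wheel:$1$grpsalt$grouphashgrouphashgroup:10:root,alice
alice:!:500:
EOF
chmod 644 "$WORK/passwd" "$WORK/group"
model_pwconv "$WORK/passwd" "$WORK/shadow"
model_grpconv "$WORK/group" "$WORK/gshadow"
model_pwck "$WORK/passwd" "$WORK/shadow"
for f in passwd shadow group gshadow; do
    echo "== $f  $(ls -l "$WORK/$f" | cut -c1-10)"; cat "$WORK/$f"
done
```

Run it as an ordinary user; it only writes under the mktemp directory. The two details worth noticing are the permission handling (the rewritten passwd and group files go back to mode 644, because programs that map UIDs to names need them, while the new shadow files are created under umask 077 and then set to 400) and the re-run behaviour, where an existing shadow line wins over the passwd field, which is exactly why aging data survives pwconv but not pwunconv.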