- /etc/passwd: one line per account, seven colon-separated fields
- login name
- password
- UID
- GID
- GECOS field ("real name" info)
- home directory
- shell
- example
geoff:iV4t9f5s7z0eU:500:500:Geoff Allen,ITB 2159,335-0446:/home/geoff:/bin/bash
- login name (geoff in the example)
- letters and numbers only
- no more than 8 characters
- Some systems do allow longer login names, or characters other than just alphanumerics, but it's a good idea to keep them to 8 alphanumeric characters just to be safe
- password (iV4t9f5s7z0eU in the example)
- stored as a one-way hash, not reversibly encrypted; the traditional form is crypt(3), DES-based: a 2-character salt followed by 11 characters, 13 in all, as in the example
- can't be decrypted: there is no key to recover, so even root only ever sees the hash
- But it can be cracked: guess a candidate password, hash it with the same salt, compare. A dictionary run against a readable hash file is cheap, which is why the hash must be kept where users can't read it
- Validation (at login, for example) works the same way: hash what is typed with the stored salt and compare the result with the stored hash
- password tips
- Password should be:
- Easy to remember
- Security risk if written down
- Password of hg&k8$ will probably be on a Post-It stuck to the screen, or sheet of paper in desk
- Not personal
- If you're an amateur radio enthusiast, do not use your Ham call sign
- Mixture of letters, numbers, punctuation
- Never use a dictionary word, a name, or a word with trivial substitutions (passw0rd); cracking tools try those first
- shadow passwords
- Greater security
- the password hash is in a separate file (or database); the passwd file's password field holds only a placeholder such as x
- actual location varies by system (/etc/shadow on Red Hat and most other Linux systems)
- readable only by root
- Hashes can't be cracked by ordinary users, because they can't read them; anyone who does get the file (root, or a copy from a backup) can still run a cracker against it, so the passwords themselves still need to be strong
- Not as usable in a distributed environment
- Differences among vendors
- IT uses a home-grown script to distribute shadow passwords
- Shadow passwords vs. NIS
- How to distribute?
- NIS by default hands its passwd map, hashes included, to any host on the network that asks for it (ypcat passwd), so serving hashes through NIS undoes the point of shadowing; NIS is so insecure that there's little point worrying about shadow passwords there
- A newly-created account should always have a password
- Accounts with no passwords are a major security hole: an empty password field means anyone can log in as that user without being asked for anything
- Some adduser programs require a password, some don't; some create the account locked (a ! or * in the password field, which no typed password can match) until passwd is run, and some leave the field empty
- Add a password if one isn't created along with the account
- Root can run the command passwd username to change any user's password, and passwd -l username to lock one
- UID (500 in the example)
- Unique identifier for each user
- UID 0 is root; the kernel checks the number, not the name, so any account with UID 0 has full root privileges whatever it is called. Check the passwd file for unexpected UID 0 entries
- Best to start numbering of ordinary users at 100 or above; the low numbers are reserved for system accounts (Red Hat starts at 500, as in the example)
- Best not to reuse UIDs
- Can cause problems with old files, disk quotas, etc.: ownership is stored as the number, so files left behind by the old owner become the new owner's
- Reality may require re-use of UIDs
- GID (500 in the example)
- Default group specified in passwd file
- Can belong to many groups
- On some versions of Unix (generally older AT&T-derived versions) a process is in only one group at a time and you must use the newgrp command to switch; BSD-derived systems and Linux give a process all of its groups at once
- GECOS Field (Geoff Allen,ITB 2159,335-0446 in example)
- Real name info
- Originally held information for submitting batch jobs to the GECOS (General Electric Comprehensive Operating System) mainframe at Bell Labs
- finger command uses comma-separated format
- Full name, office, office phone, home phone
- chfn command modifies this field; users can change their own entry, so don't rely on it for anything security-relevant
- Home directory (/home/geoff in example)
- Default directory when logged in
- Where startup files are contained
- Depending on system, the user may not be able to log in if the home directory is unavailable, or may be dropped into / with a warning
- Shell
- Program the user runs when logged in
- Usually a command interpreter
- /bin/sh
- /bin/csh
- /bin/ksh
- Can be any program
- e.g. login sync runs /bin/sync
- A non-shell such as /bin/false or /sbin/nologin is the usual way to keep a system account from logging in interactively; lock the password as well, since the shell only matters to services that actually run one
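As an added example (not part of the original notes), the following Python parses a passwd-format file and audits it for the problems the notes describe: empty password fields, extra UID 0 accounts, reused UIDs, login names outside the 8-character alphanumeric rule, and hashes left readable in passwd instead of shadow. The sample file is constructed for this example; only the geoff line is the one from the notes. It classifies the password field by its shape, so it does not need crypt(3).

```python
"""Parse a /etc/passwd-style file and audit it for the problems in the notes.
Sample data is constructed for this example (the geoff line is the notes' own)."""
import re
from collections import Counter

# Constructed sample: root, the sync pseudo-user, the notes' geoff line, and
# three made-up entries that each trigger one of the audit checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
geoff:iV4t9f5s7z0eU:500:500:Geoff Allen,ITB 2159,335-0446:/home/geoff:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
guest::501:501:Guest account:/home/guest:/bin/sh
student_long_name:x:501:501:Too long:/home/s:/bin/bash
"""

FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")
# Traditional DES crypt(3) output: 2-character salt + 11 characters, from [./0-9A-Za-z]
TRAD_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_passwd(text):
    """One dict per non-blank line; raises on a line with the wrong field count."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        e = dict(zip(FIELDS, parts))
        e["uid"] = int(e["uid"])
        e["gid"] = int(e["gid"])
        entries.append(e)
    return entries

def gecos_fields(gecos):
    """Split the GECOS field the way finger does: name, office, office phone, home phone."""
    keys = ("full_name", "office", "office_phone", "home_phone")
    parts = gecos.split(",")
    return dict(zip(keys, parts + [""] * (len(keys) - len(parts))))

def password_kind(field):
    """Classify the password field by shape alone (no hashing needed)."""
    if field == "":
        return "EMPTY"                 # anyone can log in; no password asked
    if field == "x":
        return "shadowed"              # real hash lives in /etc/shadow
    if field[0] in "!*":
        return "locked"                # nothing a user types can hash to this
    if TRAD_CRYPT.match(field):
        return "des-crypt hash"        # traditional 13-character crypt(3) output
    if field.startswith("$"):
        return "modular-crypt hash"    # $id$salt$hash, e.g. $1$ (MD5), $6$ (SHA-512)
    return "unknown"

def audit_passwd(entries):
    """Return a sorted list of (login, problem) findings."""
    findings = []
    uid_count = Counter(e["uid"] for e in entries)
    for e in entries:
        name = e["login"]
        if not re.fullmatch(r"[A-Za-z0-9]{1,8}", name):
            findings.append((name, "login name not 1-8 alphanumerics"))
        kind = password_kind(e["password"])
        if kind == "EMPTY":
            findings.append((name, "empty password field"))
        elif kind.endswith("hash"):
            findings.append((name, "hash readable in passwd (not shadowed)"))
        if e["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if uid_count[e["uid"]] > 1:
            findings.append((name, f"UID {e['uid']} shared by {uid_count[e['uid']]} accounts"))
    return sorted(findings)

if __name__ == "__main__":
    for login, problem in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{login:18} {problem}")
```

Run it against a copy of a real passwd file by replacing SAMPLE_PASSWD with the file's contents; the shape-based classification is deliberately conservative, so a field it reports as "unknown" deserves a look rather than being ignored.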
- shadow file format
- Unfortunately, the layout of the shadow password information differs from one Unix platform to another.
- We'll look at how Red Hat does it, since that's what we use in the lab: /etc/shadow, one line per account, nine fields
- Colon delimited
- Username
- Encrypted password
- Date of last password change, in days (not seconds) since Jan 1, 1970; a 0 here forces the user to change the password at the next login
- Minimum number of days between password changes
- Generally a bad idea to restrict how often users can change their passwords: a user who suspects a compromise must be able to change it immediately
- Maximum number of days between password changes
- e.g. to require users to change passwords every three months, set this to 90
- Number of days before expiration to start warning users
- Days until disable (the inactivity period)
- This many days after the password expires without being changed, the account will be disabled
- Account expiration date, in days since Jan 1, 1970; independent of the password fields, and a login after this date is refused even if the password is current
- Flags (reserved, unused)
- Example:
geoff:iV4t9f5s7z0eU:11031::180:14::11687:
- In this example, geoff last changed his password on March 15, 2000 (day 11031), can change it again at any time (empty minimum), must change it within 180 days (by Sep 11, 2000), will get warnings for the last 2 weeks of that period, won't get disabled for failing to log in after the password expiration date (empty inactivity field), and the account itself will expire on Dec 31, 2001 (day 11687)
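As an added example (not from the original notes), this Python parses shadow lines in the Red Hat layout described above, converts the day counts to calendar dates, and reports where an account stands on a given day. The sample line is the notes' example; the status function's ordering of checks (account expiry first, then inactivity, then password age, then the warning window) is an assumption that approximates what login does, not a transcript of any particular implementation.

```python
"""Interpret the aging fields of /etc/shadow (Red Hat layout, 9 fields).
The sample line is the example from the notes; nothing here reads the real file."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("login", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire_day", "flags")

# Constructed input: the notes' example line.
SAMPLE_SHADOW = "geoff:iV4t9f5s7z0eU:11031::180:14::11687:\n"

def day_to_date(days):
    """Shadow stores days (not seconds) since 1 Jan 1970."""
    return EPOCH + timedelta(days=days)

def date_to_day(d):
    return (d - EPOCH).days

def parse_shadow(text):
    """One dict per line; numeric fields left empty in the file become None."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 9 fields: {line!r}")
        e = dict(zip(FIELDS, parts))
        for k in FIELDS[2:]:
            e[k] = int(e[k]) if e[k] else None
        entries.append(e)
    return entries

def aging(e):
    """Calendar dates derived from the aging fields (None where a field is unset)."""
    out = {"last_change": None, "must_change_by": None, "warn_from": None,
           "disabled_after": None, "account_expires": None}
    if e["last_change"] is not None:
        out["last_change"] = day_to_date(e["last_change"])
        if e["max_days"] is not None:
            must = e["last_change"] + e["max_days"]
            out["must_change_by"] = day_to_date(must)
            if e["warn_days"] is not None:
                out["warn_from"] = day_to_date(must - e["warn_days"])
            if e["inactive_days"] is not None:
                out["disabled_after"] = day_to_date(must + e["inactive_days"])
    if e["expire_day"] is not None:
        out["account_expires"] = day_to_date(e["expire_day"])
    return out

def status(e, today):
    """Where the account stands on 'today' (a date or ISO string).
    Assumed order of checks: account expiry, inactivity, password age, warning window."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if e["hash"] == "":
        return "no password"
    if e["hash"].startswith(("!", "*")):
        return "locked"
    a = aging(e)
    if a["account_expires"] and today >= a["account_expires"]:
        return "account expired"
    if a["disabled_after"] and today > a["disabled_after"]:
        return "disabled (inactive)"
    if a["must_change_by"] and today > a["must_change_by"]:
        return "password expired, change required"
    if a["warn_from"] and today >= a["warn_from"]:
        return "warning: password expires soon"
    return "ok"

if __name__ == "__main__":
    e = parse_shadow(SAMPLE_SHADOW)[0]
    for k, v in aging(e).items():
        print(f"{k:16} {v}")
    for d in ("2000-04-01", "2000-09-01", "2000-10-01", "2002-01-01"):
        print(d, status(e, d))
```

The day arithmetic is the part worth checking by hand: Jan 1, 2000 is day 10957, so 11031 lands on March 15, 2000 and 11031 + 180 = 11211 on Sep 11, 2000; off-by-one mistakes come from counting Jan 1, 1970 as day 1 instead of day 0.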
- /etc/group: one line per group, four colon-delimited fields
- Group name
- Password (almost never used; newgrp can prompt for it, and it is normally empty or x)
- GID
- Members (comma-separated); this lists supplementary members only, a user's primary group comes from the GID field of the passwd file and is usually not repeated here
- Example:
class:x:501:geoff,class,root
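As an added example (not from the original notes), the following Python combines a group file with the GID field of passwd to list every group a login actually belongs to, and audits the group file for members with no account, GIDs defined twice, primary GIDs with no group entry, and non-root members of the GID 0 group. The class line is the notes' example; the other lines, and the passwd entries, are constructed for this example.

```python
"""Group membership from /etc/passwd (primary GID) plus /etc/group (supplementary).
Sample data is constructed for this example; only the class line is the notes' own."""
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
geoff:x:500:500:Geoff Allen,ITB 2159,335-0446:/home/geoff:/bin/bash
class:x:502:501:Class account:/home/class:/bin/bash
tmpuser:x:503:503:No group for this GID:/home/tmpuser:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:root
wheel:x:10:root,geoff
geoff:x:500:
class:x:501:geoff,class,root
adm:x:4:geoff,nobody
"""

def parse_group(text):
    """name -> (gid, set of listed members)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def primary_gids(passwd_text):
    """login -> GID taken from field 4 of the passwd file."""
    return {l.split(":")[0]: int(l.split(":")[3])
            for l in passwd_text.splitlines() if l.strip()}

def groups_for(login, passwd_text, group_text):
    """(primary group name, sorted supplementary group names) for one login."""
    groups = parse_group(group_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    primary = by_gid.get(primary_gids(passwd_text)[login])
    supplementary = sorted(n for n, (gid, members) in groups.items()
                           if login in members and n != primary)
    return primary, supplementary

def audit_groups(passwd_text, group_text):
    """Sorted (name, problem) findings across both files."""
    groups = parse_group(group_text)
    logins = set(primary_gids(passwd_text))
    findings = []
    gid_count = Counter(gid for gid, _ in groups.values())
    for name, (gid, members) in groups.items():
        if gid_count[gid] > 1:
            findings.append((name, f"GID {gid} defined more than once"))
        for m in members - logins:
            findings.append((name, f"member {m} has no passwd entry"))
        if gid == 0:
            for m in members - {"root"}:
                findings.append((name, f"{m} is in the GID 0 group"))
    known_gids = {gid for gid, _ in groups.values()}
    for login, gid in primary_gids(passwd_text).items():
        if gid not in known_gids:
            findings.append((login, f"primary GID {gid} not in group file"))
    return sorted(findings)

if __name__ == "__main__":
    for login in ("root", "geoff", "class"):
        print(login, groups_for(login, SAMPLE_PASSWD, SAMPLE_GROUP))
    for name, problem in audit_groups(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{name:10} {problem}")
```

Note that geoff is a member of the class group through the member list but of group geoff only through passwd; tools that read the group file alone will miss the primary group, which is why the lookup here consults both.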