Shadow

From LQWiki
Jump to: navigation, search

The shadow file (/etc/shadow) stores passwords and expiry dates in encrypted form in a colon-delimited text file akin to /etc/passwd - which formerly held unencrypted passwords and now contains all kinds of information about users except the password.

Password Security

Passwords are stored in the shadow file in a secure manner, not only using a cryptographically-secure hash (one-way) function, but further adding to the uniqueness of the hash by a method called salting. A combination of the time the password was created, as well as the process ID (pid) of the process generating the hash are concatenated to the user's password before hashing, and then stored separately, in order that they might be used during authentication. The file also normally has much more restrictive permissions than the /etc/passwd file, which contained similar information in early Unix versions.

This protects against users determining that other users' passwords are the same as theirs by virtue of an identical hash. It also protects against rainbow tables' effectiveness in cracking these passwords by increasing the complexity of the process of both generating and using the results of rainbow tables.

Authentication

When a user attempts to log into the system, the salt (time and pid, as above) are first concatenated to the password provided by the user, then hashed with the same function, and the computed value compared to the one stored in the shadow file. If they match, the login is successful.

Tips

This should not be readable by a regular user. If a user can see this file, they can copy your password hashes, and attempt a brute force crack. Permissions should be something like:

-rw-r-----    1 root     shadow        size date /etc/shadow

or

-rw-------    1 root     root          size date /etc/shadow

See also

External Links

shadow(5) manpage