
Friday, October 1, 2010

/etc/shadow file.

Hardening guidelines for /etc/shadow files are as follows.

1) It should be owned by root and have permission 600 or more restrictive.
e.g.
# ls -l /etc/shadow
-r-------- 1 root root 890 Sep 28 05:29 /etc/shadow
In the above case it is more restrictive, i.e. 400: by default even root is not given write access.

2) Each line must contain a unique user name, and the file should not contain any blank lines.
3) The first two fields, i.e. user name and password, should not be blank.
4) The password field (the hash) should be more than 13-24 characters long.
e.g.

admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::

The "$1$" prefix means the MD5-based crypt algorithm was used to hash the password.
5) Password for root account should not be assigned to any other account.
6) All locked accounts must have a single exclamation mark "!" as the first character of the Passwd field.

For example, the following are some lines from an /etc/shadow file:

vcsa:!!:14866:0:99999:7:::
sshd:!!:14866:0:99999:7:::
ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::
bkpadmin:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::

Their counterparts in the /etc/passwd file:
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
bkpadmin:x:500:500::/home/bkpadmin:/sbin/nologin

Here is the status of each user name, as reported by passwd -S:

# passwd -S vcsa
vcsa LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S sshd
sshd LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S bkpadmin
bkpadmin PS 2010-09-30 0 99999 7 -1 (Password set, MD5 crypt.)

Status of the name:

PS = Passworded
LK = Locked
NP = No Password

As you can see, vcsa and sshd both have "!" as the first character of the password field (2nd field). This is confirmed by the passwd -S output.

7) Application accounts which are not locked must contain only an asterisk “*” in the Passwd field.
For example:

ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::

The above users are used by applications and hence are locked, but an alternate authentication scheme is used for them:
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
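As an added example (not code from the post), the POSIX shell audit below checks a shadow-format file against guidelines 1 to 7 above. It runs against a constructed sample file rather than the live /etc/shadow, the function names check_shadow_mode, check_shadow_owner and audit_shadow are my own, and it goes slightly beyond the text by flagging any two accounts that share a password hash, not only root's.

```shell
#!/bin/sh
# Added example: audit a shadow-format file against the post's guidelines.
# Guideline 1: root-owned, mode 600 or stricter (no group/other bits, no execute).
check_shadow_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)            # e.g. "-r--------" for 400
    case "$mode" in
        -[r-][w-]-------) return 0 ;;
        *) echo "$1: mode $mode too permissive, want 600 or stricter"; return 1 ;;
    esac
}
check_shadow_owner() {
    uid=$(ls -ldn "$1" | awk '{ print $3 }')    # numeric owner uid
    [ "$uid" -eq 0 ] || { echo "$1: owned by uid $uid, not root"; return 1; }
}
# Guidelines 2-7: one finding per line. Locked ("!") and application ("*")
# accounts are accepted as-is; every other password field must be a real hash.
audit_shadow() {
    awk -F: '
        /^[[:space:]]*$/ { print "line " NR ": blank line"; next }
        $1 == "" { print "line " NR ": empty user name"; next }
        $2 == "" { print "line " NR ": " $1 ": empty password field"; next }
        ($1 in seen) { print "line " NR ": duplicate user name " $1 }
        { seen[$1] = NR }
        $2 ~ /^[!*]/ { next }
        length($2) < 13 { print "line " NR ": " $1 ": password field too short" }
        ($2 in owner) { print "line " NR ": " $1 " shares its password hash with " owner[$2] }
        { owner[$2] = $1 }
    ' "$1"
}
# Constructed sample: hashes reused from the post, account names invented.
SAMPLE=${TMPDIR:-/tmp}/shadow.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
vcsa:!!:14866:0:99999:7:::
ftp:*:14866:0:99999:7:::
bkpadmin:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::

baduser::14866:0:99999:7:::
vcsa:!!:14866:0:99999:7:::
svc:x:14866:0:99999:7:::
clone:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
EOF
chmod 600 "$SAMPLE"
check_shadow_mode "$SAMPLE"
audit_shadow "$SAMPLE"
```

On a real host, point the functions at /etc/shadow (as root) instead of the sample file; the sample deliberately contains a blank line, an empty password field, a duplicate user name, a non-hash value and a cloned hash so that each check fires once.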

More on this soon...

6 comments:

  1. Could you advise what is the use of /etc/passwd- and /etc/shadow-?

  2. In all Unix-like operating systems, the shadow password mechanism is used to add another level of security to passwords.
    Compare the /etc/passwd and /etc/shadow files:

    # ls -ltr /etc/passwd
    -rw-r--r-- 1 root root 1336 May 20 2010 /etc/passwd
    # ls -ltr /etc/shadow
    -r-------- 1 root root 888 Oct 21 11:40 /etc/shadow

    You can see that only root is allowed to read the shadow file.
    If you maintain your passwords in /etc/passwd, they become readable by everyone. However, with a shadow file only the letter x is displayed in place of the password, and the original password is maintained in the shadow file in encrypted format.

    You can get more information here:
    http://en.wikipedia.org/wiki/Shadow_password

  4. Application accounts which are not locked must contain only an asterisk “*” in the Passwd field

    command to change accounts to '*'

  6. You may like to view this.
    http://www.cyberciti.biz/tips/what-is-the-best-way-to-edit-etcpasswd-shadow-and-group-files.html
