1) The file should be owned by root and have permissions of 600 or more restrictive.
e.g.
# ls -l /etc/shadow
-r-------- 1 root root 890 Sep 28 05:29 /etc/shadow
In the above case it is more restrictive, i.e. 400: by default even root is not given write permission on the file.
2) Each line must contain a unique user name, and the file should not contain any blank lines.
3) The first two fields, i.e. user name and password, should not be blank.
4) The password field should be more than 13-24 characters long.
e.g.
admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
The "$1$" prefix means the MD5-based crypt algorithm was used to hash the password.
5) Password for root account should not be assigned to any other account.
6) All locked accounts must have a single exclamation mark "!" as the first character of the Passwd field.
For example, the following are some lines from the /etc/shadow file:
vcsa:!!:14866:0:99999:7:::
sshd:!!:14866:0:99999:7:::
ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::
bkpadmin:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::
Their counterparts in the /etc/passwd file:
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
bkpadmin:x:500:500::/home/bkpadmin:/sbin/nologin
Here is the status of each of these user names:
# passwd -S vcsa
vcsa LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S sshd
sshd LK 2010-09-14 0 99999 7 -1 (Password locked.)
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S bkpadmin
bkpadmin PS 2010-09-30 0 99999 7 -1 (Password set, MD5 crypt.)
Status of the account (second column of the passwd -S output):
PS = Passworded
LK = Locked
NP = No Password
As you can see, vcsa and sshd both have "!" as the first character of the password field (the 2nd field); passwd -S confirms this by reporting them as LK (Password locked).
7) Application accounts which are not locked must contain only an asterisk “*” in the Passwd field.
For example:
ftp:*:14866:0:99999:7:::
nobody:*:14866:0:99999:7:::
# passwd -S ftp
ftp LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
# passwd -S nobody
nobody LK 2010-09-14 0 99999 7 -1 (Alternate authentication scheme in use.)
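The seven checks above can be run mechanically. The following Python script is an added example, not part of the original post: it applies rule 1 to a file's owner and mode, and rules 2 to 7 to shadow-file content. The sample lines are constructed for the example (the root, vcsa, ftp and bkpadmin entries reuse the hashes quoted above; svc, dup, bad, the blank line and short are made up to trigger findings), and the set of names treated as application accounts is an assumption, since the shadow file alone does not say which accounts are application accounts.

```python
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample shadow content (not a real system's file). The first four lines
# reuse the examples quoted in the post; the rest are made up to trigger findings.
SAMPLE_SHADOW = """\
root:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
vcsa:!!:14866:0:99999:7:::
ftp:*:14866:0:99999:7:::
bkpadmin:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::
svc:$1$IgKNf9Xa$fvt5T9rIOzLxe9yvU9i870:14882:0:99999:7:::
dup:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14882:0:99999:7:::
vcsa:!!:14866:0:99999:7:::
bad::14882:0:99999:7:::

short:ab:14882:0:99999:7:::
"""

# Assumption: which accounts count as application accounts is decided by the
# administrator (in practice derived from /etc/passwd, e.g. shells of /sbin/nologin).
APP_ACCOUNTS = {"vcsa", "ftp", "nobody", "svc"}

# crypt(3) hash prefixes and the algorithm each denotes.
HASH_PREFIXES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512",
                 "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}


def check_file_mode(path):
    """Rule 1: owned by root, no permission bits beyond 0600. Returns a list of findings."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owner uid {st.st_uid}, expected 0 (root)")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~0o600:  # any group/other bit, owner execute, or setuid/setgid/sticky
        findings.append(f"{path}: mode {mode:04o} is less restrictive than 0600")
    return findings


def classify(pw):
    """Classify a password field as 'locked', 'star', 'hash:<algo>' or 'unknown'."""
    if pw.startswith("!"):
        return "locked"                      # rule 6: locked accounts start with '!'
    if pw == "*":
        return "star"                        # rule 7: application accounts
    for prefix, algo in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return f"hash:{algo}"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "hash:DES"                    # legacy 13-character DES crypt
    return "unknown"


def audit_shadow(text, app_accounts=frozenset()):
    """Apply rules 2-7 to shadow-file content; return a list of finding strings."""
    findings = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                          # the final newline is not a blank line
    entries = []
    for n, line in enumerate(lines, 1):
        if line.strip() == "":
            findings.append(f"line {n}: blank line")                          # rule 2
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append(f"line {n}: expected 9 fields, found {len(fields)}")
            continue
        entries.append((n, fields[0], fields[1]))

    counts = Counter(name for _, name, _ in entries)
    root_hash = next((pw for _, name, pw in entries if name == "root"), None)
    for n, name, pw in entries:
        if counts[name] > 1:
            findings.append(f"line {n}: duplicate user name {name!r}")        # rule 2
        if name == "" or pw == "":
            findings.append(f"line {n}: empty user name or password field")   # rule 3
            continue
        kind = classify(pw)
        if kind == "unknown":                                                 # rule 4
            findings.append(f"line {n}: {name}: password field is not a recognised hash of at least 13 characters")
        if name != "root" and root_hash is not None and pw == root_hash:      # rule 5
            findings.append(f"line {n}: {name}: password hash identical to root's")
        if name in app_accounts and kind not in ("locked", "star"):           # rule 7
            findings.append(f"line {n}: {name}: application account is neither locked nor '*'")
    return findings


def demo_file_mode():
    """Show rule 1 on a constructed temporary file, first at 0644 and then at 0400."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = check_file_mode(path)
        os.chmod(path, 0o400)
        tight = check_file_mode(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW, APP_ACCOUNTS):
        print(finding)
    loose, tight = demo_file_mode()
    print("0644:", loose)
    print("0400:", tight)
```

Running the script against the sample reports the blank line, the duplicated vcsa entry, the svc application account that carries a hash, the dup account whose hash equals root's, the bad entry with an empty password field and the short entry whose field is not a recognisable hash. On a real host you would read /etc/shadow as root and build the application-account set from /etc/passwd rather than hard-coding it.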
Could you advise what is the use of /etc/passwd- and /etc/shadow-?

In all Unix-like operating systems.

The shadow password mechanism is used to add a further level of security to passwords.
When you compare the /etc/passwd and /etc/shadow files:
# ls -ltr /etc/passwd
-rw-r--r-- 1 root root 1336 May 20 2010 /etc/passwd
# ls -ltr /etc/shadow
-r-------- 1 root root 888 Oct 21 11:40 /etc/shadow
You can see that only root is allowed to read the shadow file.
If you maintain your passwords in /etc/passwd they become readable by everyone. However, with the shadow file only the letter x is displayed in place of the password, and the original password is maintained in the shadow file in encrypted format.
You can get more information here:
http://en.wikipedia.org/wiki/Shadow_password

Application accounts which are not locked must contain only an asterisk "*" in the Passwd field.

Command to change accounts to '*'?

You may like to view this.

http://www.cyberciti.biz/tips/what-is-the-best-way-to-edit-etcpasswd-shadow-and-group-files.html