Difference between revisions of "Redhat: Shadow"
(→group) |
(→shadow) |
||
| Line 85: | Line 85: | ||
== shadow == | == shadow == | ||
| + | |||
| + | The shadow file is an extension of the passwd file. It contains 8 columns of information. There is will be line for every user in the passwd file, where the passwd column contains 'x'. | ||
| + | |||
| + | {| class="wikitable" | ||
| + | | Username | ||
| + | | The username of the account | ||
| + | |- | ||
| + | | Password | ||
| + | | Encrypted Password | ||
| + | |- | ||
| + | | Password History | ||
| + | | Date of last password change in days since jan 1st 1970 | ||
| + | |- | ||
| + | | mindays | ||
| + | | Minumum number of days a user must keep a password | ||
| + | |- | ||
| + | | maxdays | ||
| + | | Maximum number of days after which the password must be changed | ||
| + | |- | ||
| + | | warndays | ||
| + | | Number of days before password expiration to warn the user | ||
| + | |- | ||
| + | | inactive | ||
| + | | Number of days after password expiration to make account inactive | ||
| + | |- | ||
| + | | disabled | ||
| + | | Number of days after password expiration to disable account | ||
| + | |- | ||
| + | |} | ||
== gshadow == | == gshadow == | ||
== login.defs == | == login.defs == | ||
Revision as of 13:47, 30 August 2013
The Redhat Shadow Password Suite
Before security became an issue all users and passwords were stored in /etc/passwd and /etc/group files. But having the passwords stored in a reachable file is obviously not an option any more. The shadow password suite is designed to solve this problem. Sensitive data such as passwords have been moved to a file only accessible to the root user.
The Shadow password suite consists of four files. /etc/passwd and /etc/group are the files used origanally. Two files have been added to the suite: /etc/shadow and /etc/gshadow. The default values of the files are defined in /etc/login.defs
passwd
The passwd file contain teh basic information about every user on the system. Each user has seven columns of information.
AAAS_TEST:x:30587:30588::/home/AAAS_TEST:/bin/bash
tom_gds:x:30588:30589::/home/tom_gds:/bin/bash
manu_iitk:x:30589:30589::/home/manu_iitk:/bin/bash
jump_trading:x:30590:30590::/home/jump_trading:/bin/bash
saha_pec:x:30591:30591::/home/saha_pec:/bin/bash| Username | michael | The username used to log into the system |
| Password | x | The password of the user. An 'x' means the password in in the shadow file, an '*' means the account is disabled or the encrypted password. |
| User ID | 500 | numeric user ID - users IDs start at 500 by default |
| Group ID | 500 | numeric gorup ID - group IDs start at 500 by default. Redhat will create a group for every user which will normally have the same id as the user. |
| User Info | Michael H | any extra information |
| Home Directory | /home/michael | The users home direcotory, by default in /home/<username> |
| Login Shell | /bin/bash | The shell used by the user, by default this is bash |
A service account is have the /bin/nologin sheell. This prevents anyone logging into the system as a service. If you see a service logged in it likely means that someone has broken into the system
group
Every user is assinged by default to a group with the same name, their private group. This group will only have that user as a member.
Each group is defined in the group file using four columns of information
AAAS_TEST:x:30588:
manu_iitk:x:30589:
jump_trading:x:30590:
saha_pec:x:30591:| Group Name | admins | The name of the group |
| Password | x | The group password. An 'x' shows the password is in the gshadow file, otherwise its the encrypted password. |
| GroupID | 500 | The group ID, satrts at 500 and will normally match the User ID of the same name. |
| Group Members | michael,dave | The members of the group, if there are none the the user with the same name is the only member |
shadow
The shadow file is an extension of the passwd file. It contains 8 columns of information. There is will be line for every user in the passwd file, where the passwd column contains 'x'.
| Username | The username of the account |
| Password | Encrypted Password |
| Password History | Date of last password change in days since jan 1st 1970 |
| mindays | Minumum number of days a user must keep a password |
| maxdays | Maximum number of days after which the password must be changed |
| warndays | Number of days before password expiration to warn the user |
| inactive | Number of days after password expiration to make account inactive |
| disabled | Number of days after password expiration to disable account |