Difference between revisions of "Redhat: Shadow"

From Define Wiki
Jump to navigation Jump to search
 
(5 intermediate revisions by the same user not shown)
Line 59: Line 59:
  
 
<syntaxhighlight>
 
<syntaxhighlight>
 +
AAAS_TEST:x:30588:
 +
manu_iitk:x:30589:
 +
jump_trading:x:30590:
 +
saha_pec:x:30591:
 +
</syntaxhighlight>
  
</syntaxhighlight>
+
{| class="wikitable"
 +
| Group Name
 +
| admins
 +
| The name of the group
 +
|-
 +
| Password
 +
| x
 +
| The group password.  An 'x' shows the password is in the gshadow file, otherwise its the encrypted password.
 +
|-
 +
| GroupID
 +
| 500
 +
| The group ID, satrts at 500 and will normally match the User ID of the same name.
 +
|-
 +
| Group Members
 +
| michael,dave
 +
| The members of the group, if there are none the the user with the same name is the only member
 +
|-
 +
|}
  
 
== shadow ==
 
== shadow ==
 +
 +
The shadow file is an extension of the passwd file.  It contains 8 columns of information.  There is will be line for every user in the passwd file, where the passwd column contains 'x'.
 +
 +
{| class="wikitable"
 +
| Username
 +
| The username of the account
 +
|-
 +
| Password
 +
| Encrypted Password
 +
|-
 +
| Password History
 +
| Date of last password change in days since jan 1st 1970
 +
|-
 +
| mindays
 +
| Minumum number of days a user must keep a password
 +
|-
 +
| maxdays
 +
| Maximum number of days after which the password must be changed
 +
|-
 +
| warndays
 +
| Number of days before password expiration to warn the user
 +
|-
 +
| inactive
 +
| Number of days after password expiration to make account inactive
 +
|-
 +
| disabled
 +
| Number of days after password expiration to disable account
 +
|-
 +
|}
  
 
== gshadow ==
 
== gshadow ==
 +
 +
The shadow file for the groups.  Used for hashing the passwords for the groups.
 +
 +
{| class="wikitable"
 +
| Group Name
 +
| admins
 +
| The name of the group
 +
|-
 +
| Password
 +
| !
 +
| The group password.  An '!' shows there is no password, otherwise its the encrypted password.
 +
|-
 +
| GroupID
 +
| 500
 +
| The group ID, satrts at 500 and will normally match the User ID of the same name.
 +
|-
 +
| Group Members
 +
| michael,dave
 +
| The members of the group, if there are none the the user with the same name is the only member
 +
|-
 +
|}
  
 
== login.defs ==
 
== login.defs ==
 +
 +
The login.defs file provides the baseline parameters for the shadow password suite.
 +
 +
{| class="wikitable"
 +
| Mail_DIR
 +
| The directory with locally delivered Emails
 +
|-
 +
| PASS_MAX_DAYS
 +
| After this number of days the password must be changed
 +
|-
 +
| PASS_MIN_DAYS
 +
| Passwords must be kept for this many days
 +
|-
 +
| PASS_MIN_LEN
 +
| Warning given if password set is less than this length
 +
|-
 +
| PASS_WARN_AGE
 +
| Warns this many days before PASS_MAX_DAYS
 +
|-
 +
| UID_MIN
 +
| Minimum User ID
 +
|-
 +
| UID_MAX
 +
| Maximum UserID
 +
|-
 +
| GID_MIN
 +
| Minimum Group ID
 +
|-
 +
| GID_MAX
 +
| Maximum Group ID
 +
|-
 +
| CREATE_HOME yes
 +
| Create home directory by defualt
 +
|-
 +
| UMASK 077
 +
| The USMASK for file permisions, if not defined else where
 +
|-
 +
| USERGROUPS_ENAB
 +
| Create private user groups
 +
|-
 +
| ENCRYPT_MATHOD
 +
| The default encryption method
 +
|-
 +
|}

Latest revision as of 14:03, 30 August 2013

The Redhat Shadow Password Suite

Before security became an issue all users and passwords were stored in /etc/passwd and /etc/group files. But having the passwords stored in a reachable file is obviously not an option any more. The shadow password suite is designed to solve this problem. Sensitive data such as passwords have been moved to a file only accessible to the root user.

The Shadow password suite consists of four files. /etc/passwd and /etc/group are the files used origanally. Two files have been added to the suite: /etc/shadow and /etc/gshadow. The default values of the files are defined in /etc/login.defs


passwd

The passwd file contain teh basic information about every user on the system. Each user has seven columns of information. 

AAAS_TEST:x:30587:30588::/home/AAAS_TEST:/bin/bash
tom_gds:x:30588:30589::/home/tom_gds:/bin/bash
manu_iitk:x:30589:30589::/home/manu_iitk:/bin/bash
jump_trading:x:30590:30590::/home/jump_trading:/bin/bash
saha_pec:x:30591:30591::/home/saha_pec:/bin/bash
Username michael The username used to log into the system
Password x The password of the user. An 'x' means the password in in the shadow file, an '*' means the account is disabled or the encrypted password.
User ID 500 numeric user ID - users IDs start at 500 by default
Group ID 500 numeric gorup ID - group IDs start at 500 by default. Redhat will create a group for every user which will normally have the same id as the user.
User Info Michael H any extra information
Home Directory /home/michael The users home direcotory, by default in /home/<username>
Login Shell /bin/bash The shell used by the user, by default this is bash

A service account is have the /bin/nologin sheell. This prevents anyone logging into the system as a service. If you see a service logged in it likely means that someone has broken into the system

group

Every user is assinged by default to a group with the same name, their private group. This group will only have that user as a member.

Each group is defined in the group file using four columns of information 

AAAS_TEST:x:30588:
manu_iitk:x:30589:
jump_trading:x:30590:
saha_pec:x:30591:
Group Name admins The name of the group
Password x The group password. An 'x' shows the password is in the gshadow file, otherwise its the encrypted password.
GroupID 500 The group ID, satrts at 500 and will normally match the User ID of the same name.
Group Members michael,dave The members of the group, if there are none the the user with the same name is the only member

shadow

The shadow file is an extension of the passwd file. It contains 8 columns of information. There is will be line for every user in the passwd file, where the passwd column contains 'x'.

Username The username of the account
Password Encrypted Password
Password History Date of last password change in days since jan 1st 1970
mindays Minumum number of days a user must keep a password
maxdays Maximum number of days after which the password must be changed
warndays Number of days before password expiration to warn the user
inactive Number of days after password expiration to make account inactive
disabled Number of days after password expiration to disable account

gshadow

The shadow file for the groups. Used for hashing the passwords for the groups.

Group Name admins The name of the group
Password ! The group password. An '!' shows there is no password, otherwise its the encrypted password.
GroupID 500 The group ID, satrts at 500 and will normally match the User ID of the same name.
Group Members michael,dave The members of the group, if there are none the the user with the same name is the only member

login.defs

The login.defs file provides the baseline parameters for the shadow password suite.

Mail_DIR The directory with locally delivered Emails
PASS_MAX_DAYS After this number of days the password must be changed
PASS_MIN_DAYS Passwords must be kept for this many days
PASS_MIN_LEN Warning given if password set is less than this length
PASS_WARN_AGE Warns this many days before PASS_MAX_DAYS
UID_MIN Minimum User ID
UID_MAX Maximum UserID
GID_MIN Minimum Group ID
GID_MAX Maximum Group ID
CREATE_HOME yes Create home directory by defualt
UMASK 077 The USMASK for file permisions, if not defined else where
USERGROUPS_ENAB Create private user groups
ENCRYPT_MATHOD The default encryption method
Retrieved from "http://wiki.define-technology.com/mediawiki-1.35.0/index.php?title=Redhat:_Shadow&oldid=3517"