Redhat: Shadow
The Redhat Shadow Password Suite
Before security became an issue all users and passwords were stored in /etc/passwd and /etc/group files. But having the passwords stored in a reachable file is obviously not an option any more. The shadow password suite is designed to solve this problem. Sensitive data such as passwords have been moved to a file only accessible to the root user.
The Shadow password suite consists of four files. /etc/passwd and /etc/group are the files used origanally. Two files have been added to the suite: /etc/shadow and /etc/gshadow. The default values of the files are defined in /etc/login.defs
passwd
The passwd file contain teh basic information about every user on the system. Each user has seven columns of information.
AAAS_TEST:x:30587:30588::/home/AAAS_TEST:/bin/bash
tom_gds:x:30588:30589::/home/tom_gds:/bin/bash
manu_iitk:x:30589:30589::/home/manu_iitk:/bin/bash
jump_trading:x:30590:30590::/home/jump_trading:/bin/bash
saha_pec:x:30591:30591::/home/saha_pec:/bin/bash| Username | michael | The username used to log into the system |
| Password | x | The password of the user. An 'x' means the password in in the shadow file, an '*' means the account is disabled or the encrypted password. |
| User ID | 500 | numeric user ID - users IDs start at 500 by default |
| Group ID | 500 | numeric gorup ID - group IDs start at 500 by default. Redhat will create a group for every user which will normally have the same id as the user. |
| User Info | Michael H | any extra information |
| Home Directory | /home/michael | The users home direcotory, by default in /home/<username> |
| Login Shell | /bin/bash | The shell used by the user, by default this is bash |
A service account is have the /bin/nologin sheell. This prevents anyone logging into the system as a service. If you see a service logged in it likely means that someone has broken into the system
group
Every user is assinged by default to a group with the same name, their private group. This group will only have that user as a member.
Each group is defined in the group file using four columns of information
AAAS_TEST:x:30588:
manu_iitk:x:30589:
jump_trading:x:30590:
saha_pec:x:30591:| Group Name | admins | The name of the group |
| Password | x | The group password. An 'x' shows the password is in the gshadow file, otherwise its the encrypted password. |
| GroupID | 500 | The group ID, satrts at 500 and will normally match the User ID of the same name. |
| Group Members | michael,dave | The members of the group, if there are none the the user with the same name is the only member |
shadow
The shadow file is an extension of the passwd file. It contains 8 columns of information. There is will be line for every user in the passwd file, where the passwd column contains 'x'.
| Username | The username of the account |
| Password | Encrypted Password |
| Password History | Date of last password change in days since jan 1st 1970 |
| mindays | Minumum number of days a user must keep a password |
| maxdays | Maximum number of days after which the password must be changed |
| warndays | Number of days before password expiration to warn the user |
| inactive | Number of days after password expiration to make account inactive |
| disabled | Number of days after password expiration to disable account |
gshadow
The shadow file for the groups. Used for hashing the passwords for the groups.
| Group Name | admins | The name of the group |
| Password | ! | The group password. An '!' shows there is no password, otherwise its the encrypted password. |
| GroupID | 500 | The group ID, satrts at 500 and will normally match the User ID of the same name. |
| Group Members | michael,dave | The members of the group, if there are none the the user with the same name is the only member |
login.defs
The login.defs file provides the baseline parameters for the shadow password suite.
| Mail_DIR | The directory with locally delivered Emails |
| PASS_MAX_DAYS | After this number of days the password must be changed |
| PASS_MIN_DAYS | Passwords must be kept for this many days |
| PASS_MIN_LEN | Warning given if password set is less than this length |
| PASS_WARN_AGE | Warns this many days before PASS_MAX_DAYS |
| UID_MIN | Minimum User ID |
| UID_MAX | Maximum UserID |
| GID_MIN | Minimum Group ID |
| GID_MAX | Maximum Group ID |
| CREATE_HOME yes | Create home directory by defualt |
| UMASK 077 | The USMASK for file permisions, if not defined else where |
| USERGROUPS_ENAB | Create private user groups |
| ENCRYPT_MATHOD | The default encryption method |