<HTML>

<HEAD>

<TITLE>Special Edition Using Linux, Fourth Edition:Improving System Security</TITLE>

<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>





<!--ISBN=0789717468//-->

<!--TITLE=Special Edition Using Linux, Fourth Edition//-->

<!--AUTHOR=Jack Tackett//-->

<!--AUTHOR=Jr.//-->

<!--AUTHOR=Steve Burnett//-->

<!--PUBLISHER=Macmillan Computer Publishing//-->

<!--IMPRINT=Que//-->

<!--CHAPTER=12//-->

<!--PAGES=248-251//-->

<!--UNASSIGNED1//-->

<!--UNASSIGNED2//-->



<CENTER>

<TABLE BORDER>

<TR>

<TD><A HREF="246-248.html">Previous</A></TD>

<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>

<TD><A HREF="251-251.html">Next</A></TD>

</TR>

</TABLE>

</CENTER>

<P><BR></P>

<H3><A NAME="Heading27"></A><FONT COLOR="#000077">Shadow Passwords: What Good Are They?</FONT></H3>

<P>On a Linux system without the Shadow Suite installed, user information (including passwords) is stored in the /etc/passwd file. The password is stored in an encoded format: Although the password looks like gibberish to a human, it is simply encoded with the UNIX <TT>crypt</TT> command, with the text set to [null] and the password used as the key.</P>

<P>It is difficult but possible to take a given encoded password and re-create the original password. However, because people are sometimes lazy, on any system with more than a few users some of the passwords are likely to be common words or simple variations of them. It&#146;s quite possible, and within the means of many, to encrypt a dictionary list and compare it to the password list in /etc/passwd. Other attacks are possible and often used, but this brute-force approach is simple and easy to carry out. In addition to passwords, the /etc/passwd file also contains information such as user IDs and group IDs that are read by many system programs, so the /etc/passwd file must remain world readable.</P>

<P>Shadow passwording moves the passwords to another file, usually /etc/shadow, which is set to be readable only by root. Moving the passwords to the /etc/shadow file prevents an attacker from having access to the encoded passwords with which to perform a dictionary attack.</P>

<P>The Shadow Suite is included with most of the standard distributions of Linux.</P>

<P>However, in some cases such as the following, installing the Shadow Suite would NOT be a good idea:</P>

<DL>

<DD><B>&#149;</B>&nbsp;&nbsp;The system does not contain user accounts.

<DD><B>&#149;</B>&nbsp;&nbsp;The system is running on a LAN and uses NIS (Network Information Services) to get or supply usernames and passwords to other machines on the network.

<DD><B>&#149;</B>&nbsp;&nbsp;The system is used by terminal servers to verify users via NFS (Network File System), NIS, or some other method.

<DD><B>&#149;</B>&nbsp;&nbsp;The system runs other software that validates users, AND there is no shadow version available, AND you don&#146;t have the source code.

</DL>

<H4 ALIGN="LEFT"><A NAME="Heading28"></A><FONT COLOR="#000077">The /etc/passwd and /etc/shadow Files</FONT></H4>

<P>A non-shadowed /etc/passwd file has the following format:

</P>

<!-- CODE SNIP //-->

<PRE>

username:passwd:UID:GID:full_name:directory:shell

</PRE>

<!-- END CODE SNIP //-->

<P>For example:

</P>

<!-- CODE SNIP //-->

<PRE>

username:Npje044eh3mx8e:507:200:Full Name:/home/username:/bin/csh

</PRE>

<!-- END CODE SNIP //-->

<P>A shadowed /etc/passwd file would instead contain:

</P>

<!-- CODE SNIP //-->

<PRE>

username:x:507:100:Full Name:/home/username:/bin/csh

</PRE>

<!-- END CODE SNIP //-->

<P>The <TT>x</TT> in the second field is a placeholder for the real password, which is stored in the shadow file /etc/shadow. The /etc/shadow file has the following format:</P>

<!-- CODE SNIP //-->

<PRE>

username:passwd:last:may:must:warn:expire:disable:reserved

</PRE>

<!-- END CODE SNIP //-->

<P>Table 12.1 outlines the fields in the /etc/shadow file.

</P>

<TABLE WIDTH="100%"><CAPTION ALIGN=LEFT><B>Table 12.1</B> Fields in an /etc/shadow File Entry

<TR>

<TH WIDTH="20%" ALIGN="LEFT">Field

<TH WIDTH="80%" ALIGN="LEFT">Description

<TR>

<TH COLSPAN="2"><HR>

<TR>

<TD><I><TT>username</TT></I>

<TD>The name used to log in.

<TR>

<TD><I><TT>password</TT></I>

<TD>The encoded password.

<TR>

<TD><I><TT>last</TT></I>

<TD>Days since Jan 1, 1970 that password was last changed.

<TR>

<TD><I><TT>may</TT></I>

<TD>Days before password may be changed.

<TR>

<TD><I><TT>must</TT></I>

<TD>Days after which password must be changed.

<TR>

<TD><I><TT>warn</TT></I>

<TD>Days before password is to expire that user is warned.

<TR>

<TD><I><TT>expire</TT></I>

<TD>Days after password expires that account is disabled.

<TR>

<TD><I><TT>disable</TT></I>

<TD>Days since Jan 1, 1970 that account is disabled.

<TR>

<TD><I><TT>reserved</TT></I>

<TD>A reserved field.

<TR>

<TD COLSPAN="2"><HR>

</TABLE>
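<P>As an added example (not code from the book or from the Shadow Suite), the following Python turns the day counts of Table 12.1 into calendar dates and a one-word password state, the way an administrator auditing /etc/shadow wants to read them. The entries it works on are constructed samples; the hash string is the one from the chapter&#146;s example, and the <TT>password_locked</TT> helper relies on the shadow-utils convention that a locked hash is prefixed with <TT>!</TT>. The function and field names are the example&#146;s own.</P>

```python
"""Decode the aging fields of an /etc/shadow entry (the fields of Table 12.1).

Added example, not code from the book. All sample entries are constructed.
Day counts are days since 1970-01-01, as the table describes.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Field order as given in the chapter's format line.
FIELDS = ("username", "passwd", "last", "may", "must",
          "warn", "expire", "disable", "reserved")


def parse_shadow_line(line):
    """Split one shadow entry into a dict keyed by the Table 12.1 field names."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def _days(value):
    """An empty aging field means 'not set'; represent that as None."""
    return int(value) if value.strip() else None


def _date(days):
    return None if days is None else EPOCH + timedelta(days=days)


def password_locked(passwd_field):
    """True when the hash field can never match a typed password.

    shadow-utils' passwd -l prefixes the stored hash with '!'; a bare '*' is
    the usual way to mark an account that has no usable password at all.
    """
    return passwd_field.startswith("!") or passwd_field == "*"


def days_since_epoch(d):
    """Convert a date to the day count used in /etc/shadow."""
    return (d - EPOCH).days


def aging_status(line, today_days):
    """Turn the aging counters into calendar dates and a one-word state.

    today_days is today's count of days since the epoch (see days_since_epoch).
    'state' is one of: ok, warn, expired, locked (inactivity grace used up),
    disabled (the absolute 'disable' day has passed).
    """
    e = parse_shadow_line(line)
    last, may, must = _days(e["last"]), _days(e["may"]), _days(e["must"])
    warn, expire, disable = _days(e["warn"]), _days(e["expire"]), _days(e["disable"])

    must_by = last + must if last is not None and must else None
    r = {
        "username": e["username"],
        "last_changed": _date(last),
        # 'may' = 0 means the user may change the password at any time.
        "can_change_from": _date(last + may) if last is not None and may else None,
        "must_change_by": _date(must_by),
        "warn_from": _date(must_by - warn) if must_by is not None and warn else None,
        "locked_from": _date(must_by + expire) if must_by is not None and expire is not None else None,
        "disabled_on": _date(disable),
    }

    # Most severe condition first.
    if disable is not None and today_days >= disable:
        state = "disabled"
    elif must_by is not None and expire is not None and today_days >= must_by + expire:
        state = "locked"
    elif must_by is not None and today_days > must_by:
        state = "expired"
    elif must_by is not None and warn and today_days >= must_by - warn:
        state = "warn"
    else:
        state = "ok"
    r["state"] = state
    return r


if __name__ == "__main__":
    # Constructed sample entries; the hash is the one from the chapter's example.
    SAMPLE_SHADOW = [
        "alice:Npje044eh3mx8e:19650:7:90:14:::",
        "bob:Npje044eh3mx8e:19600:0:30:7:10::",
        "carol:!Npje044eh3mx8e:19000:::::19500:",
    ]
    today = days_since_epoch(date(2024, 1, 1))  # 19723
    for entry in SAMPLE_SHADOW:
        status = aging_status(entry, today)
        locked = password_locked(parse_shadow_line(entry)["passwd"])
        print(f"{status['username']:8} state={status['state']:8} hash-locked={locked}")
```

<P>Today is passed as a day count rather than a date so that it lines up directly with the <TT>last</TT> and <TT>disable</TT> fields; an empty aging field is treated as &#147;not set&#148; rather than zero, which is what keeps an entry with only a hash and a <TT>last</TT> value from being reported as expired.</P>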

<H4 ALIGN="LEFT"><A NAME="Heading29"></A><FONT COLOR="#000077">Adding, Changing, and Deleting Users with Shadowed Passwords</FONT></H4>

<P>The Shadow Suite adds the following command-line commands for adding, modifying, and deleting users: <TT>useradd</TT>, <TT>usermod</TT>, and <TT>userdel</TT>.</P>

<DL>

<DT><B><I>useradd</I></B>

<DD>The <TT><I>useradd</I></TT> command is used to add users to the system. You also invoke this command to change the default settings.

</DL>



<P>The first thing that you should do is examine the default settings and make changes specific to your system with the following command:

</P>

<!-- CODE SNIP //-->

<PRE>

useradd -D

</PRE>

<!-- END CODE SNIP //-->

<DL>

<DT><B><I>usermod</I></B>

<DD>The <TT>usermod</TT> utility is used to modify the information on a user and is very similar to the <TT>useradd</TT> program.

<DT><B><I>userdel</I>

</B>

<DD>The <TT>userdel</TT> command deletes a user&#146;s account:

</DL>



<!-- CODE SNIP //-->

<PRE>

userdel -r username

</PRE>

<!-- END CODE SNIP //-->

<P>The <TT>-r</TT> option removes the user&#146;s home directory along with all the files in it. A less drastic way to eliminate a user from the system is to use the <TT>passwd</TT> command to lock the user&#146;s account.</P>

<DL>

<DT><B><I>passwd</I>

</B>

<DD>In addition to setting and changing passwords, the root user can use the <TT>passwd</TT> command to perform the following tasks:

<DL>

<DD><B>&#149;</B>&nbsp;&nbsp;Lock and unlock accounts (with the <TT>-l</TT> and <TT>-u</TT> options)

<DD><B>&#149;</B>&nbsp;&nbsp;Set the maximum number of days that a password remains valid (<TT>-x</TT>)

<DD><B>&#149;</B>&nbsp;&nbsp;Set the minimum days between password changes (<TT>-n</TT>)

<DD><B>&#149;</B>&nbsp;&nbsp;Set the number of days of warning that a password is about to expire (<TT>-w</TT>)

<DD><B>&#149;</B>&nbsp;&nbsp;Set the number of days after the password expires before the account is locked (<TT>-i</TT>)

</DL>

<DT><B><I>pwck</I>

</B>

<DD>The program <TT>pwck</TT> enables you to check on the consistency of the /etc/passwd and /etc/shadow files. It checks each username and verifies that each entry has the following:

<DL>

<DD><B>&#149;</B>&nbsp;&nbsp;correct number of fields

<DD><B>&#149;</B>&nbsp;&nbsp;unique user name

<DD><B>&#149;</B>&nbsp;&nbsp;valid user and group identifier

<DD><B>&#149;</B>&nbsp;&nbsp;valid primary group

<DD><B>&#149;</B>&nbsp;&nbsp;valid home directory

<DD><B>&#149;</B>&nbsp;&nbsp;valid login shell

</DL>

</DL>



<P>Finally, <TT>pwck</TT> also warns of any account that has no password.</P>
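<P>The checks <TT>pwck</TT> performs can be reproduced offline against copies of the files, which is useful when reviewing a system image or a backup. The following Python is an added example, not the Shadow Suite&#146;s <TT>pwck</TT>: it applies the checks listed above plus the no-password warning to constructed sample contents of /etc/passwd, /etc/shadow, and /etc/group, and additionally flags a hash left in the world-readable /etc/passwd file and an account present in only one of the two password files. The function name <TT>check_passwd</TT>, the <TT>path_exists</TT> hook, and the sample accounts other than <TT>username</TT> are the example&#146;s own.</P>

```python
"""A pwck-style consistency check over /etc/passwd, /etc/shadow and /etc/group.

Added example, not the pwck program from the Shadow Suite. It works on the
file contents passed in as strings so it can run here on constructed samples.
"""

PASSWD_FIELDS = 7   # username:passwd:UID:GID:full_name:directory:shell
SHADOW_FIELDS = 9   # username:passwd:last:may:must:warn:expire:disable:reserved


def _entries(text):
    """Non-empty, non-comment lines of a passwd-style file."""
    return [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def check_passwd(passwd_text, shadow_text, group_text, path_exists=None):
    """Return 'user: problem' strings; an empty list means the files are consistent.

    path_exists is a hook (this example's own) so a caller can pass
    os.path.exists on a live system; the offline default only requires an
    absolute path for the home directory and login shell.
    """
    if path_exists is None:
        path_exists = lambda p: p.startswith("/")
    problems = []

    # Group IDs that a passwd entry may name as its primary group.
    gids = set()
    for line in _entries(group_text):
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            gids.add(int(f[2]))

    # Shadow entries: field count, duplicates and the "no password" warning.
    shadow = {}
    for line in _entries(shadow_text):
        f = line.split(":")
        if len(f) != SHADOW_FIELDS:
            problems.append(f"{f[0]}: shadow entry has {len(f)} fields, expected {SHADOW_FIELDS}")
            continue
        if f[0] in shadow:
            problems.append(f"{f[0]}: duplicate shadow entry")
        shadow[f[0]] = f
        if f[1] == "":
            problems.append(f"{f[0]}: no password")

    # Passwd entries: the checks the chapter lists for pwck.
    seen = set()
    for line in _entries(passwd_text):
        f = line.split(":")
        name = f[0]
        if len(f) != PASSWD_FIELDS:
            problems.append(f"{name}: passwd entry has {len(f)} fields, expected {PASSWD_FIELDS}")
            continue
        if name in seen:
            problems.append(f"{name}: duplicate user name")
        seen.add(name)
        if not f[2].isdigit():
            problems.append(f"{name}: invalid user identifier {f[2]!r}")
        if not f[3].isdigit():
            problems.append(f"{name}: invalid group identifier {f[3]!r}")
        elif int(f[3]) not in gids:
            problems.append(f"{name}: primary group {f[3]} not in group file")
        if not path_exists(f[5]):
            problems.append(f"{name}: invalid home directory {f[5]!r}")
        if not path_exists(f[6]):
            problems.append(f"{name}: invalid login shell {f[6]!r}")
        # On a shadowed system this field holds only the 'x' placeholder.
        if f[1] == "x":
            if name not in shadow:
                problems.append(f"{name}: no entry in shadow file")
        elif f[1] == "":
            problems.append(f"{name}: no password")
        else:
            problems.append(f"{name}: password hash stored in world-readable passwd file")

    for name in shadow:
        if name not in seen:
            problems.append(f"{name}: shadow entry without passwd entry")
    return problems


# Constructed sample files. 'username' is the chapter's own example entry;
# the other accounts are made up to trigger one check each.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
username:x:507:100:Full Name:/home/username:/bin/csh
dave:x:508:100:Dave:/home/dave:/bin/sh
dave:x:511:100:Second Dave:/home/dave2:/bin/sh
erin::509:100:Erin:/home/erin:/bin/sh
frank:Npje044eh3mx8e:510:300:Frank:home/frank:/bin/sh
henry:x:512:100:Henry:/home/henry
"""
SAMPLE_SHADOW = """\
root:!:19650:0:99999:7:::
username:Npje044eh3mx8e:19650:7:90:14:::
dave::19650:0:99999:7:::
grace:Npje044eh3mx8e:19650:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:username,dave
"""

if __name__ == "__main__":
    for problem in check_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(problem)
```

<P>On a live system, pass <TT>os.path.exists</TT> as <TT>path_exists</TT> so that home directories and shells are checked against the file system rather than only for being absolute paths; the default keeps the example runnable on sample text alone.</P>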

<BLOCKQUOTE>

<P><FONT SIZE="-1"><HR><B>NOTE:&nbsp;&nbsp;</B>It&#146;s a good idea to run <TT>pwck</TT> after installing the Shadow Suite. It&#146;s also a good idea to run it periodically&#151;perhaps weekly or monthly. If you use the <TT>-r</TT> option, you can use <TT>cron</TT> to run it on a regular basis and have the report mailed to you.<HR></FONT>

</BLOCKQUOTE>

<DL>

<DT><B><I>grpck</I></B>

<DD><TT>grpck</TT> is the consistency checking program for the /etc/group and /etc/gshadow files. It checks for the correct number of fields, unique group names, and a valid list of members and administrators.

</DL>



<P>Again, the <TT>-r</TT> option generates an automated report, so you can use <TT>cron</TT> to trigger this check automatically.</P><P><BR></P>

<CENTER>

<TABLE BORDER>

<TR>

<TD><A HREF="246-248.html">Previous</A></TD>

<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>

<TD><A HREF="251-251.html">Next</A></TD>

</TR>

</TABLE>

</CENTER>





</td>
</tr>
</table>

<!-- begin footer information -->





</body></html>
