Shadow files in Linux: The key to system security
Complete manual of /etc/shadow file in Linux
The shadow and passwd files are the basis of local user authentication on Linux. The shadow file is a plain-text file that stores user account data on a system; most importantly, it holds each user's password in hashed (encrypted) form.
Storing password hashes in the /etc/passwd file would make the system insecure, so the shadow file is kept with file permissions of 640 or 400.
What will we cover?
In this article, we will explain Shadow files in Linux.
Why do we need shadow files?
The passwd file in Linux is readable by everyone, so the encrypted passwords were moved into a separate file, the shadow file, which can only be read by root. The shadow file is located at /etc/shadow in the /etc folder.
Very much like the passwd file, the first field of each shadow entry is the account name, and colons separate the fields. Keeping the encrypted passwords in a separate file also makes it possible to attach additional parameters to each account; this is used to control accounts and enforce password aging.
The shadow file is kept read-protected to protect the encrypted passwords. This is an important security measure, as anyone with read access to the file could attempt to crack the password hashes.
Security Aspects of Shadow Files
The shadow file is also a good tool for resetting the root password of a Linux system: we can find the root user's account entry and modify some settings to recover the root password. However, the procedure for recovering passwords via the shadow file is out of scope here.
As mentioned before, the shadow file can only be read by the root user. A malicious account holder who tries to read other users' password hashes will just be banging his head against a wall. Even if someone obtains a hash in some form, the time it takes to crack it depends on the hashing algorithm used, and it is still not easy: cracking a password hash can take anywhere from minutes to years.
Format of shadow file entries
Each line of the shadow file has the following format:
login:encryptedpassword:lastchangedate:min_age:max_age:warning:inactivity:expiration_date:reserved
The numeric fields in the line above are expressed in days. lastchangedate and expiration_date are date fields: their value is the number of days since the start of Unix time, January 1, 1970.
Description of the fields in the shadow file
There are nine fields in this file, separated by colons (':').
Let me explain each field here:
login: Every line in the shadow file starts with the username. The username links the entry in the shadow file to the entry in /etc/passwd.
encryptedpassword: This field holds the hashed password, which bears no resemblance to the real password. If it contains * or !, the account has no usable password and cannot log in with one.
lastchangedate: The date of the last password change, expressed as the number of days since the beginning of Unix time. If the value is 0, the user must change the password at the next login.
min_age: The password can only be changed once the date reaches lastchange+min_age. If this field is empty, the password can be changed at any time.
max_age: The password must be changed once the date reaches lastchange+max_age; in effect it is the date the password expires. When the password field is empty, an expiration date is meaningless, so the max_age, warning and inactivity fields are not needed.
warning: From lastchange+max_age-warning onwards, i.e. once the password warning period has started, the user is warned to change the password. If the value is 0 or empty, there is no warning period.
inactivity: After the password expires, the user can still change it for this number of days. If this field is empty, there is no inactivity period.
expiration_date: The date on which the user's account expires; from then on the account can no longer be used to log in. If this field is empty, the account never expires. Also, never use a value of "0" here.
reserved: This field is not currently used and is reserved for future use.
Now let's use an example to check our understanding of the fields above. Take the following sample entry from a shadow file:
linux-console:$6$kKRCC8ip8nKtFjjdZJIj:12825:14:45:10:30:13096
Let's break down each field step by step:
1. linux-console is the username.
2. The next field is the user's hashed password. The real value is much longer; we truncated it for simplicity.
3. The user last changed the password 12825 days after the Unix epoch (January 1, 1970), which is February 11, 2005.
4. The user must wait a minimum of 14 days before changing the password again. To make the password changeable at any time, set this field to 0.
5. The password must be reset every 45 days.
6. A warning to reset the password will appear 10 days before the password expires.
7. If the password expires and no login is performed within 30 days, the user account will be disabled.
8. The account will expire 13096 days after the Unix epoch, which is November 9, 2005.
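As an added example (not part of the original article), the following Python script parses the sample entry above, classifies the password field and converts the day-count fields into the calendar dates listed in the field description. The entry itself is the page's sample, re-used here as constructed input.

```python
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

# Constructed input: the sample line walked through above. It has only eight fields
# because the page's example omits the trailing colon of the empty reserved field.
SAMPLE_ENTRY = "linux-console:$6$kKRCC8ip8nKtFjjdZJIj:12825:14:45:10:30:13096"

# Hash-id prefixes used by crypt(3); anything else is reported as unknown.
HASH_IDS = {"$1$": "md5 (weak)", "$2": "bcrypt", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

def days_to_date(field: str) -> Optional[date]:
    """A shadow day-count field is days since 1970-01-01; an empty field is unset."""
    return EPOCH + timedelta(days=int(field)) if field else None

def password_status(pw: str) -> str:
    """Classify the second field: empty, locked (* or !), or which hash it uses."""
    if pw == "":
        return "EMPTY: login without a password"
    if pw[0] in "*!":
        return "locked: no usable password"
    for prefix, name in HASH_IDS.items():
        if pw.startswith(prefix):
            return name
    return "unknown/legacy format"

def parse_shadow_entry(line: str) -> dict:
    """Split a /etc/shadow line into its nine colon-separated fields and derive the
    dates the aging fields imply (all relative to the last-change day)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) not in (8, 9):
        raise ValueError(f"expected 9 fields, got {len(parts)}")
    parts += [""] * (9 - len(parts))  # tolerate a missing reserved field
    login, pw, last, min_age, max_age, warn, inact, expire, _reserved = parts
    last_change = days_to_date(last)
    info = {"login": login, "password": password_status(pw), "last_change": last_change,
            "must_change_at_next_login": last == "0", "account_expires": days_to_date(expire)}
    if last_change and last != "0":
        info["can_change_from"] = last_change + timedelta(days=int(min_age or 0))
        expires = last_change + timedelta(days=int(max_age)) if max_age else None
        info["password_expires"] = expires
        info["warning_from"] = expires - timedelta(days=int(warn)) if expires and warn else None
        info["inactive_until"] = expires + timedelta(days=int(inact)) if expires and inact else None
    return info

if __name__ == "__main__":
    for key, value in parse_shadow_entry(SAMPLE_ENTRY).items():
        print(f"{key:26} {value}")
```

On a real system, `chage -l <username>` prints the same aging information for one account, which is a handy cross-check for the derived dates.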
Conclusion
The shadow file is a particularly secure place to store account information. Keeping even strong user passwords in the passwd file is a security issue; making the shadow file readable by root only removes the opportunity for malicious users and attackers to get at the password hashes.