Passwd File
In linux system, we can view list of users by looking at the /etc/passwd file. this show list of users in the following format.
jun@cserver:~$ cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin ....... jun:x:1000:1000:jun:/home/jun:/bin/bash lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
This file use columns seperated format, where the first column indicate the user name, followed by the user password, and then the user id, user group id, user id info, home folder and command shell.
jun:x:1000:1000:jun:/home/jun:/bin/bash
From the example above the value are.
- user_name: jun
- user_password: x . indicate encrypted shadow password were used.
- user_id : 1000 . we can run id command to verify.
- user_group_id: 1000
- user_id_info : jun, just the info about our user such as fullname or GECOS information.
- home_folder : /home/jun
- command_shell: /bin/bash
In traditional unix system, where shadow suite aren't used, we can see encoded user's password stored in this file instead of x. This is a huge security nowadays because this /etc/passwd file is accessible by anyone using the operating system.
It was not a big deal back then because the encryption used was consider strong because computer back then are not as fast to brute-force guessing the password.
Shadow File
Nowadays, the actual encrypted password are stored in the /etc/shadow file where it can only be read by root. Looking into the shadow file we can see the encrypted passwod field after the username column.
jun@cserver:~$ cat /etc/shadow cat: /etc/shadow: Permission denied jun@cserver:~$ sudo cat /etc/shadow [sudo] password for jun: ... jun:$6$zjGHnUx3xdvygQFF$f1SCFlSuvxuveg8IjBauLaeWNaVoxIxcHpIhZHzfErnrPcTYDmJCNKZFu4xp1w5LmqOt6QmmOXLDgSHs2IX9X/:19155:0:99999:7::: lxd:!:19155::::::
- Sometimes, if an account is being locked, the password column will have two exclamation sign !! instead of the encrypted password.
In this example, our hashed password look something like this,
$6$zjGHnUx3xdvygQFF$f1SCFlSuvxuveg8IjBauLaeWNaVoxIxcHpIhZHzfErnrPcTYDmJCNKZFu4xp1w5LmqOt6QmmOXLDgSHs2IX9X/
Noticed that the beginning of the hash there is a $ symbol enclosing the number.
$6$.....
The number between the dollar sign $ indicate the hash algorithm type used to hash the password.
Linux Hash Types.
Linux supports multiple hashing algorithms. The algorihm are prefixed by number and sometimes a combination of number and letter.
| Prefix | Hash Type | |--- |--- | | 1 | MD5 | | 2a | Blowfish | | 2y | Blowfish | | 5 | SHA-256 | | 6 | SHA-512 |
Based on the previous example, we know that our Linux system use $6$ which is the SHA-512 algorithm.
we can change this algorithm using authconfig command or making change to /etc/pamd.d/password-auth for RHEL base system.
For ubuntu based system we can edit the /etc/pam.d/common-password file.
Looking at /etc/pam.d/common-password file we can change the algorithm by change the pm_unix.so obscure sha512 to pm_unix.so obscure sha256 instead for example. Tho SHA-512 is better than SHA-256.
Open the file using vim We will see this.
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix. # Explanation of pam_unix options: # # The "sha512" option enables salted SHA512 passwords. Without this option, # the default is Unix crypt. Prior releases used the option "md5". # # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in # login.defs. # # See the pam_unix manpage for other options. # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) password [success=1 default=ignore] pam_unix.so obscure sha512 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config
then we can search using /sha512, and then change the value and save.
# here are the per-package modules (the "Primary" block) # password [success=1 default=ignore] pam_unix.so obscure sha512 password [success=1 default=ignore] pam_unix.so obscure sha256
After making change to this file, if we create a new user, the new hashing algorithm will be used instead.
jun@cserver:~$ sudo useradd -m test256User jun@cserver:~$ sudo passwd test256User New password: Retype new password: passwd: password updated successfully
When we look at the newly created user, in our shadow file we can see that $5$ is now being used.
jun@cserver:~$ sudo cat /etc/shadow .... test256User:$5$xXPHlf/4.D28yH/s$NYMP44ShERd5xgjho3i.Snd4Fa3aU601u41rwPn2gm6:19155:0:99999:7:::
Noted that, only new user are using the new hash algorithm.
To make other user use the new algorithm, we can ask the user to change their password. We can do this using chage command to set date of last password change to 0. This will prompt the user asking them to change password during their next login.
In the example below, we ask user, jun to change his password
root@cserver:~# chage -d 0 jun
alternatively we can use the passwd command and set it to expire
root@cserver:~# passwd --expire jun