Linux Passwords, Users, Groups, and Quotas
There are several characteristics of passwords and how they are or should be stored on your system. They should be:
- In a file that is readable only by root.
- In a one way hash format.
The actual password is not stored on your system, but its one way hash value is.
One way hash
A one way hash is a function. The password is given to the function, and the function generates an output. This function is special since it has the following characteristics:
- It is easy to generate a output from it that will produce the same output for the same password.
- It is very difficult to generate the original input from the produced output. An example would be like a sine to inverse sine function, square to square root, etc.
There are one way hash protocols that are used for this purpose. One popular protocol used on Linux is called MD5. Therefore the way "crack" password cracking programs work is to get a copy of your system password file and try to guess at the password, running it through the one way hash function until it gets a match. This is why short passwords are not good. There is another solution to help this situation called salting, but I'm not sure it is implemented yet on Linux. I think it may be, but is only a two character string, and its value may be stored in /etc/password, which is world readable so it may not be effective in increasing protection against any of your users. Basically, when a short password is received it is "salted" with extra characters at random. The extra salt characters must be stored somewhere on the system in a secure location and used to generate the hashed password value for comparison to the stored value anytime the user logs in. The "longer" salted password and the associated output will make it more difficult for crack programs to guess the original password.
Protecting your hashed password value
In the past, the user's password was stored in a file called "/etc/passwd". This file needs to be readable by all users, however, since programs such as the shell that run at the user's privilege level need to access information in it such as the user's name. A normal listing of the /etc/passwd file shows the user access settings:
-rw-r--r-- 1 root root 775 May 5 12:43 /etc/passwd
This can cause a problem compromising system security. This is why shadow passwords was implemented. See the section on the login process for a description of the /etc/passwd file and how it is used.
Linux Shadow Passwords
The shadow password suite allows the following features to be added to your system:
- A configuration file to set login defaults (/etc/login.defs)
- Utilities for adding, modifying, and deleting user accounts and groups (chage,
- Password aging and expiration
- Account expiration and locking
- Shadowed group passwords (optional)
- Double length passwords (16 character passwords) NOT RECOMMENDED]
- Better control over user's password selection
- Dial-up passwords
Replacement programs included are chfn, chsh, id, login, newgrp, passwd, and su. Additional programs included are chage, dpasswd, gpasswd, groupadd, groupdel, groupmod, groups, grpck, lastlog, newusers, pwck, pwconv, pwunconv, useradd, userdel, and usermod. Also libshadow.a is a library included for compiling programs that need to use the user password files or user passwords.
If your system did not come with shadow passwords and you are going to install it you will want to read the Shadow-Password-HOWTO and roughly do the following.
- Find the latest shadow password suite that will work on your system
- Backup a copy of your files listed above that the shadow password suite will replace.
- Install the shadow password suite.
- Remove old man pages that may interfere with you seeing the correct replacement man pages that came with the shadow password suite.
- run pwconv which creates /etc/npasswd and /etc/nshadow
- Backup /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to /etc/passwd and /etc/shadow respectively.
- Be sure the /etc/shadow and /etc/passwd owners and permissions are the same as shown in listings in this manual.
- Verify you can login
- When you are sure the system runs OK, remove backup files such as the backed up copy of /etc/passwd.
- You may need to upgrade your xlock program to get X working. xlock is the screen saver used to lock the screen.
- xdm presents the login screen for X. You may need to upgrade xdm.
The shadow password suite of software allows for the user's passwords to be stored in a file, /etc/shadow with the following permissions:
-r-------- 1 root root 729 May 5 12:43 /etc/shadow
This file can only be read by root and looks like:
I have modified the password entries. Its format is:
- login - login name
- password - password in encrypted form, which is 13 to 24 characters long.
- Daysince - Days since Jan 1, 1970 that the password was changed
- Daysafter - Days before the password may be changed
- Daysmust - Days after which the password must be changed
- dayswarn - Days before the password will expire ( A warning to the user)
- daysexpire - Days after the password expires that the account is disabled
- daysince - Days since Jan1, 1970 that the account is disabled.
- reserved - Reserved field.
Shadow password utility programs
The following programs are available as tools to manipulate shadow passwords and user password entry information/requirements.
- chage - Used to change information on the required number of days between user password changes and date of the last change. Non-root users can only use chage with the -l option to see when their password will expire. Options are:
- l -
- m - Set the minimum days between password changes
- M - Set the maximum days a password will be valid for.
- W - Sets the number of days the user is warned before their password expires.
- d - Used to change the time of the last password change.
- E - Set a date the user's account will not be accessible.
- I - The days of inactivity after a password has expired until the account is locked.
- pwconv - Used to create the file /etc/shadow from the file /etc/passwd. In short, it converts to a shadow password system. It uses the file /etc/login.defs to get PASS_MIN_DAYS, PASS_MAX_DAYS, and PASS_WARN_AGE values to help generate the /etc/shadow file.
- pwunconv - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow. In short, it removes the shadow password system.
- grpconv - Creates /etc/gshadow form the file /etc/group.
- grpunconv - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow.
- pwck - Checks the /etc/passwd and /etc/shadow files for errors.
- grpck - Checks the /etc/group and /etc/sgroup files for errors.
- usermod - Modify a user's account. Options are:
See the manpage on usermod for more information.
- d - Change the user's home directory
- e - Change the user's account expiration date in the format YYYY-MM-DD.
- f - Change the number of days after the password expires to when the account is disabled.
- g - Change the user's initial login group name.
- G - Supplemental groups that hte user is also a member of.
- l - Change the user's login name
- p - The encrypted password
- s - Change the name of the user's login shell
- u - The numerical value oif the users ID
- L - Lock a user's password, disabling it with a ! infront to the value in the /etc/shadow file.
- U - Unlock a user's password
- crypt - The password encryption function.
Other user management programs:
- chfn - Change a user's finger information
- chsh - Change a user's shell
- gpasswd - Used to administer the /etc/group file and /etc/gshadow file.
- -A - Define group administrator.
- gpasswd -a user group - Adds a user to a group.
- gpasswd -d user group - Deletes a user from a group.
- -M - Define group members.
- gpasswd -R group - Removes a group disabling access to it using the newgrp command.
- gpasswd -r group - Remove a group password.
- groupadd - Create a new group.
- groupdel - Delete a group
- groupmod - Modify a group ID or name.
- id - Print group or user ID numbers for the specified user
- newgrp - Allows a user to log in to a new group.
- newusers - Used to update many user accounts at a single time by reading a file with user names and clear text passwords.
- passwd - Allows a user or root to change their or their user's passwords.
- su - Allows a user to run in a shell with a different user and group ID. A user may become root with this command if they know the root password.
- useradd - Used to create a new user or update information.
- userdel - Used to delete a user. The user's home directory can be deleted using the -r option.
Shadow password files
- /etc/passwd - Where the user information is stored.
- /etc/shadow - Further user information and user password and password management information is stored here.
- /etc/group - The group file of the format:
An example file:
- /etc/groups - May contain passwords that let a user join a group.
- /etc/gshadow - Used to hold the group password and group administrator password information for shadow passwords. See the Shadow-Password-HOWTO.
- /etc/login.defs - Used with shadow passwords to set initial PATH and other parameters including how often a user must change passwords and what is acceptable as a password. An example file:
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
# Password aging controls:
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
# Min/max values for automatic uid selection in useradd
# Min/max values for automatic gid selection in groupadd
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
# If useradd should create home directories for users by default
# On RH systems, we do. This option is ORed with the -m flag on
# useradd command line.
- /etc/limits - Limits users resources when a system has shadow passwords installed.
Linux User Quotas
The ability to set quotas limits a user's disk storage by setting:
- The number of inodes the user or group may use.
- The number of disk blocks a user or group may use.
This limits the user's ability to use up all system resources. It only works on ext2 filesystems. Quotas must be set for each filesystem that the user may use. The kernel must have quota support compiled in.
Commands used to set quotas and limits are:
- edquota(8) - Used to edit user or group quotas. This program uses the vi editor to edit the quota.user and quota.group files. If the environment variable EDITOR is set to emacs, the emacs editor will be used. Type "export EDITOR=emacs" to set that variable.
- quota(1) - Display users' limits and current disk usage.
- quotaoff(8) - Turns system quotas off.
- quotaon(8) - Turn system quotas on.
- quotacheck(8) - Used to check a filesystem for usage, and update the quota.user file.
- repquota(8) - Lists a summary of quota information on filesystems.
- ulimit - A bash builtin command for setting the processes a user can run.
- quota.user - Resides on the filesystem quotas are being set on. Stores user quota information.
This section only describes the tools and files involved in setting up user quotas. For complete instructions refer to the "Linux User's Guide" in the "Managing Users" section.