user passwords
(Written by Paul Cobbaut, https://github.com/paulcobbaut/, with contributions by: Alex M. Schapelle, https://github.com/zero-pytagoras/)
This chapter will tell you more about passwords for local users.
Three methods for setting passwords are explained: using the passwd
command, using openssl passwd, and using the crypt function in a C
program.
The chapter will also discuss password settings and disabling, suspending or locking accounts.
passwd
Passwords of users can be set with the passwd command.
Users will have to provide their old password before twice entering the
new one.
[tania@linux ~]$ passwd
Changing password for user tania.
Changing password for tania.
(current) UNIX password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
New password:
BAD PASSWORD: The password is a palindrome
New password:
BAD PASSWORD: The password is too similar to the old one
passwd: Have exhausted maximum number of retries for service
As you can see, the passwd tool will do some basic verification to
prevent users from using too simple passwords. The root user does not
have to follow these rules (there will be a warning though). The root
user also does not have to provide the old password before entering the
new password twice.
root@linux:~# passwd tania
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
shadow file
User passwords are encrypted and kept in /etc/shadow.
The /etc/shadow file is read only and can only be read by root. We will
see in the file permissions section how it is possible for users to
change their password. For now, you will have to know that users can
change their password with the /usr/bin/passwd command.
[root@linux ~]# tail -4 /etc/shadow
paul:$6$ikp2Xta5BT.Tml.p$2TZjNnOYNNQKpwLJqoGJbVsZG5/Fti8ovBRd.VzRbiDSl7TEq\
IaSMH.TeBKnTS/SjlMruW8qffC0JNORW.BTW1:16338:0:99999:7:::
tania:$6$8Z/zovxj$9qvoqT8i9KIrmN.k4EQwAF5ryz5yzNwEvYjAa9L5XVXQu.z4DlpvMREH\
eQpQzvRnqFdKkVj17H5ST.c79HDZw0:16356:0:99999:7:::
laura:$6$glDuTY5e$/NYYWLxfHgZFWeoujaXSMcR.Mz.lGOxtcxFocFVJNb98nbTPhWFXfKWG\
SyYh1WCv6763Wq54.w24Yr3uAZBOm/:16356:0:99999:7:::
valentina:$6$jrZa6PVI$1uQgqR6En9mZB6mKJ3LXRB4CnFko6LRhbh.v4iqUk9MVreui1lv7\
GxHOUDSKA0N55ZRNhGHa6T2ouFnVno/0o1:16356:0:99999:7:::
[root@linux ~]#
The /etc/shadow file contains nine colon-separated columns. The nine
fields contain (from left to right) the user name, the encrypted
password (note that only inge and laura have an encrypted password), the
day the password was last changed (day 1 is January 1, 1970), the number of
days the password must be left unchanged, the password expiry (in days), the
number of days of warning before password expiry, the number of days after expiry
before disabling the account, and the day the account was disabled
(again, counted since 1970). The last field has no meaning yet.
All the passwords in the screenshot above are hashes of hunter2.
encryption with passwd
Passwords are stored in an encrypted format. This encryption is done by
the crypt function. The easiest (and recommended) way to
add a user with a password to the system is to add the user with the
useradd -m user command, and then set the user's
password with passwd.
[root@RHEL4 ~]# useradd -m xavier
[root@RHEL4 ~]# passwd xavier
Changing password for user xavier.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@RHEL4 ~]#
encryption with openssl
Another way to create users with a password is to use the -p option of
useradd, but that option requires an encrypted password. You can
generate this encrypted password with the openssl passwd
command.
The openssl passwd command will generate a different hash each time for
the same password, because it adds a random salt.
student@linux:~$ openssl passwd hunter2
86jcUNlnGDFpY
student@linux:~$ openssl passwd hunter2
Yj7mDO9OAnvq6
student@linux:~$ openssl passwd hunter2
YqDcJeGoDbzKA
student@linux:~$
This salt can be chosen and is visible as the first two characters of
the hash.
student@linux:~$ openssl passwd -salt 42 hunter2
42ZrbtP1Ze8G.
student@linux:~$ openssl passwd -salt 42 hunter2
42ZrbtP1Ze8G.
student@linux:~$ openssl passwd -salt 42 hunter2
42ZrbtP1Ze8G.
student@linux:~$
This example shows how to create a user with a password.
root@linux:~# useradd -m -p $(openssl passwd hunter2) mohamed
Note that this command puts the password in your command history!
encryption with crypt
A third option is to create your own C program using the crypt function, and compile this into a command.
student@linux:~$ cat MyCrypt.c
#define _XOPEN_SOURCE 700   /* expose crypt() in <unistd.h> on glibc */
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>          /* crypt() prototype on systems that ship libxcrypt */

int main(int argc, char **argv)
{
    if (argc == 3) {
        /* crypt() picks the algorithm from the salt: a two-character salt
         * selects DES, "$1$..." selects MD5, "$6$..." selects SHA-512.
         * It returns NULL (with errno set) when the salt is not valid. */
        char *hash = crypt(argv[1], argv[2]);
        if (hash == NULL) {
            perror("crypt");
            return 1;
        }
        printf("%s\n", hash);
    } else {
        printf("Usage: MyCrypt $password $salt\n");
    }
    return 0;
}
This little program can be compiled with gcc like this.
student@linux:~$ gcc MyCrypt.c -o MyCrypt -lcrypt
To use it, we need to give two parameters to MyCrypt. The first is the
unencrypted password, the second is the salt. The salt is used to
perturb the encryption algorithm in one of 4096 different ways. This
variation prevents two users with the same password from having the same
entry in /etc/shadow.
student@linux:~$ ./MyCrypt hunter2 42
42ZrbtP1Ze8G.
student@linux:~$ ./MyCrypt hunter2 33
33d6taYSiEUXI
Did you notice that the first two characters of the hash are the
salt?
By default, crypt uses the DES algorithm, which is old and can be
cracked in minutes. A better method is to use md5 passwords, which can
be recognized by a salt starting with $1$. (The $6$ prefix in the second
command below selects SHA-512 in the same way; that is the scheme used in
the /etc/shadow listing earlier in this chapter.)
student@linux:~$ ./MyCrypt hunter2 '$1$42'
$1$42$7l6Y3xT5282XmZrtDOF9f0
student@linux:~$ ./MyCrypt hunter2 '$6$42'
$6$42$OqFFAVnI3gTSYG0yI9TZWX9cpyQzwIop7HwpG1LLEsNBiMr4w6OvLX1KDa./UpwXfrFk1i...
The md5 salt can be up to eight characters long. The salt is displayed
in /etc/shadow between the second and third $, so never
use the password as the salt!
student@linux:~$ ./MyCrypt hunter2 '$1$hunter2'
$1$hunter2$YVxrxDmidq7Xf8Gdt6qM2.
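The openssl and crypt sections above both turn on the salt: it is chosen by the caller, it is stored in the clear in front of the hash, and it must therefore never be the password itself. The script below is an added example for this chapter (not code from the book or from openssl): it generates a salt the way a tool should, extracts the salt from the hash formats shown in this chapter, and wraps openssl passwd so the password is read from standard input instead of the command line. It assumes /dev/urandom exists and, for make_shadow_hash only, an OpenSSL new enough to support "openssl passwd -6"; the hashes it is tested with are constructed samples.

```shell
#!/bin/sh
# Added example for this chapter, not code from the original book.
# Assumptions: /dev/urandom exists; make_shadow_hash needs OpenSSL 1.1.1+
# for "openssl passwd -6".

# The 64 characters a crypt(3) salt is drawn from.
CRYPT_ALPHABET='./A-Za-z0-9'

# random_salt [LEN]: LEN characters (default 16, the longest salt $5$/$6$
# accept) taken from /dev/urandom and filtered to the crypt alphabet.
random_salt() {
    len=${1:-16}
    head -c 512 /dev/urandom | LC_ALL=C tr -dc "$CRYPT_ALPHABET" | head -c "$len"
    echo
}

# salt_of HASH: the salt part of a crypt hash, which /etc/shadow stores in
# the clear.
#   DES            : first two characters            (42ZrbtP1Ze8G.)
#   $1$, $5$, $6$  : $id$salt$hash or $id$rounds=N$salt$hash
#   $y$ (yescrypt) : $y$params$salt$hash
# A leading '!' (locked account, see later in the chapter) is ignored.
salt_of() {
    h=${1#!}
    case $h in
        '$y$'*)
            printf '%s\n' "$h" | cut -d'$' -f4 ;;
        '$'*)
            f3=$(printf '%s\n' "$h" | cut -d'$' -f3)
            case $f3 in
                rounds=*) printf '%s\n' "$h" | cut -d'$' -f4 ;;
                *)        printf '%s\n' "$f3" ;;
            esac ;;
        *)
            printf '%s\n' "$h" | cut -c1-2 ;;
    esac
}

# salt_is_password PASSWORD HASH: succeeds when the salt equals the password,
# the mistake the chapter warns about (anyone who can read the hash reads the salt).
salt_is_password() {
    [ "$(salt_of "$2")" = "$1" ]
}

# make_shadow_hash: read the password from stdin (so it is neither on the
# command line nor in the shell history, unlike "useradd -p $(openssl passwd ...)")
# and print a SHA-512 crypt hash with a fresh 16-character salt, usable with
# useradd -p or as the second field of /etc/shadow.
make_shadow_hash() {
    openssl passwd -6 -salt "$(random_salt 16)" -stdin
}

# Demonstration (only when openssl is installed):
if command -v openssl >/dev/null 2>&1; then
    printf '%s\n' 'hunter2' | make_shadow_hash
fi
```

On a live system you would feed make_shadow_hash from a prompt ("read -r pw" or "stty -echo") rather than from a printf, so the password never appears in any process list or history file.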
/etc/login.defs
The /etc/login.defs file contains some default settings
for user passwords like password aging and length settings. (You will
also find the numerical limits of user ids and group ids and whether or
not a home directory should be created by default).
root@linux:~# grep ^PASS /etc/login.defs
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
Debian also has this file.
root@linux:~# grep PASS /etc/login.defs
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#PASS_MIN_LEN
#PASS_MAX_LEN
# NO_PASSWORD_CONSOLE
root@linux:~#
chage
The chage command can be used to set an expiration date
for a user account (-E), set a minimum (-m) and maximum (-M) password
age, a password expiration date, and set the number of warning days (-W)
before the password expiration date. Much of this functionality is also
available from the passwd command. The -l option of
chage will list these settings for a user.
root@linux:~# chage -l paul
Last password change : Mar 27, 2014
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
root@linux:~#
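The PASS_* settings in /etc/login.defs and the numbers chage -l prints are the same values that live in fields three to seven of /etc/shadow. The script below is an added example for this chapter (not code from the book or from shadow-utils) that does the aging arithmetic by hand on constructed /etc/shadow lines and a constructed login.defs fragment: which state a password is in on a given day, which aging fields a new account gets from login.defs, and what chage -M changes in the line. The boundary rules (a password expires on the day lastchg + max is reached, and is inactive once the inactivity period has also passed) are my reading of shadow(5), stated here as an assumption; the day number 16355 used as "today" is constructed.

```shell
#!/bin/sh
# Added example for this chapter, not code from the original book.
# Days are counted since 1970-01-01; an empty field means "not set".
# Boundary rules follow my reading of shadow(5) (assumption, not a quote).

# Constructed sample entries (placeholder hashes). Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE='ok:$6$salt$PLACEHOLDER:16338:0:99999:7:::
soon:$6$salt$PLACEHOLDER:16300:0:60:7:::
expired:$6$salt$PLACEHOLDER:16200:0:60:7:::
inactive:$6$salt$PLACEHOLDER:16200:0:60:7:30::
mustchange:$6$salt$PLACEHOLDER:0:0:99999:7:::'

# Constructed login.defs fragment, in the format the chapter greps for
# (PASS_MAX_DAYS 10 is the "change every 10 days" setting from the practice).
LOGIN_DEFS='# PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MAX_DAYS 10
PASS_MIN_DAYS 0
PASS_WARN_AGE 7'

entry() { printf '%s\n' "$SAMPLE" | grep "^$1:"; }
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# aging_state LINE TODAY -> must-change | inactive | expired | warning | ok
# TODAY is a day number, e.g. $(( $(date +%s) / 86400 )) on a live system.
aging_state() {
    lastchg=$(field "$1" 3); max=$(field "$1" 5)
    warn=$(field "$1" 6);    inact=$(field "$1" 7)
    today=$2
    if [ "$lastchg" = 0 ]; then echo must-change; return; fi   # what chage -d 0 sets
    if [ -z "$lastchg" ] || [ -z "$max" ]; then echo ok; return; fi   # aging disabled
    expiry=$((lastchg + max))
    if [ -n "$inact" ] && [ "$today" -ge $((expiry + inact)) ]; then echo inactive; return; fi
    if [ "$today" -ge "$expiry" ]; then echo expired; return; fi
    if [ -n "$warn" ] && [ "$today" -ge $((expiry - warn)) ]; then echo warning; return; fi
    echo ok
}

# login_defs_value CONTENT KEY: the value of KEY, ignoring comment lines.
login_defs_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# new_user_aging_fields CONTENT TODAY: fields 3-6 a new account gets under
# these login.defs settings (lastchg:min:max:warn), lastchg being today.
new_user_aging_fields() {
    printf '%s:%s:%s:%s\n' "$2" \
        "$(login_defs_value "$1" PASS_MIN_DAYS)" \
        "$(login_defs_value "$1" PASS_MAX_DAYS)" \
        "$(login_defs_value "$1" PASS_WARN_AGE)"
}

# set_max_days LINE N: the change "chage -M N user" makes to the user's line.
set_max_days() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v n="$2" '{ $5 = n; print }'
}

# Demonstration on the samples, "today" being day 16355 (constructed):
for user in ok soon expired inactive mustchange; do
    printf '%-10s %s\n' "$user" "$(aging_state "$(entry "$user")" 16355)"
done
```

Note that set_max_days rewrites the line with awk only to show which field changes; on a real system use chage (or vipw), never a script writing /etc/shadow directly.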
disabling a password
A valid password hash in /etc/shadow never begins with an exclamation mark. When
the second field of a user's line in /etc/shadow starts with an exclamation mark,
no password will match it, so the password can not be used.
Using this feature is often called locking, disabling, or
suspending a user account. Besides vi (or vipw) you can also
accomplish this with usermod.
The first command in the next screenshot will show the hashed password
of laura in /etc/shadow. The next command disables the password of
laura, making it impossible for Laura to authenticate using this
password.
root@linux:~# grep laura /etc/shadow | cut -c1-70
laura:$6$JYj4JZqp$stwwWACp3OtE1R2aZuE87j.nbW.puDkNUYVk7mCHfCVMa3CoDUJV
root@linux:~# usermod -L laura
As you can see below, the password hash is simply preceded with an exclamation mark.
root@linux:~# grep laura /etc/shadow | cut -c1-70
laura:!$6$JYj4JZqp$stwwWACp3OtE1R2aZuE87j.nbW.puDkNUYVk7mCHfCVMa3CoDUJ
root@linux:~#
The root user (and users with sudo rights on su) will still
be able to su into the laura account (because no
password is needed here). Also note that laura will still be able
to log in if she has set up passwordless (key-based) ssh!
root@linux:~# su - laura
laura@linux:~$
You can unlock the account again with usermod -U.
root@linux:~# usermod -U laura
root@linux:~# grep laura /etc/shadow | cut -c1-70
laura:$6$JYj4JZqp$stwwWACp3OtE1R2aZuE87j.nbW.puDkNUYVk7mCHfCVMa3CoDUJV
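The shadow file section and the locking section above both come down to reading the second and third fields of /etc/shadow. The script below is an added example for this chapter (not code from the book or from shadow-utils) that decodes those fields on constructed sample lines: whether the password is set, locked with a leading "!", absent (as passwd -d leaves it) or never usable ("*"), which hashing scheme the $id$ prefix names, and the calendar date behind the "days since 1970" counter, computed in awk so it does not depend on GNU date. It assumes only a POSIX sh, awk, cut and grep; the hashes in the sample are placeholders.

```shell
#!/bin/sh
# Added example for this chapter, not code from the original book.
# Constructed sample entries; the hashes are placeholders, not real digests.
SAMPLE='paul:$6$ikp2Xta5$PLACEHOLDERHASH:16338:0:99999:7:::
laura:!$6$JYj4JZqp$PLACEHOLDERHASH:16356:0:99999:7:::
legacy:42ZrbtP1Ze8G.:16338:0:99999:7:::
daemon:*:16356:0:99999:7:::
serena::16356:0:99999:7:::'

entry() { printf '%s\n' "$SAMPLE" | grep "^$1:"; }
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# password_state LINE: what the second field means for password logins.
#   locked  - usermod -L / passwd -l put '!' in front of the hash
#   nologin - '*' (or '!!' on RHEL-style systems): never had a usable password
#   empty   - passwd -d removed the hash; only accepted when pam_unix has nullok
#   set     - a normal hash
password_state() {
    case $(field "$1" 2) in
        '')        echo empty ;;
        '!!'|'*')  echo nologin ;;
        '!'*)      echo locked ;;
        *)         echo set ;;
    esac
}

# hash_algorithm LINE: the crypt scheme named by the $id$ prefix.
hash_algorithm() {
    h=$(field "$1" 2); h=${h#!}; h=${h#!}
    case $h in
        ''|'*') echo none ;;
        '$1$'*) echo md5crypt ;;
        '$2'*)  echo bcrypt ;;
        '$5$'*) echo sha256crypt ;;
        '$6$'*) echo sha512crypt ;;
        '$y$'*) echo yescrypt ;;
        *)      echo des ;;    # traditional 13-character hash: 2-char salt + 11
    esac
}

# days_to_date DAYS: days since 1970-01-01 (day 0) as YYYY-MM-DD, for DAYS >= 0.
# Civil-from-days arithmetic on the proleptic Gregorian calendar, so it works
# with any awk and needs no GNU "date -d".
days_to_date() {
    awk -v days="$1" 'BEGIN {
        z = days + 719468
        era = int(z / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
        mp = int((5*doy + 2) / 153)
        d = doy - int((153*mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        printf "%04d-%02d-%02d\n", y, m, d
    }'
}

# locked_accounts: the grep from the practice question, run against the sample.
locked_accounts() { printf '%s\n' "$SAMPLE" | grep '^[^:]*:!' | cut -d: -f1; }

# shadow_report: one summary line per entry.
shadow_report() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
        printf '%-8s %-8s %-12s last change %s\n' \
            "$(field "$line" 1)" "$(password_state "$line")" \
            "$(hash_algorithm "$line")" "$(days_to_date "$(field "$line" 3)")"
    done
}

shadow_report
```

On a live system the equivalent of password_state for one user is "passwd -S user", whose second word is L (locked), NP (no password) or P (usable password); the grep in locked_accounts is the other answer to the last practice question.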
Watch out for tiny differences in the command line options of passwd,
usermod, and useradd on different Linux distributions. Verify the
local files when using features like
"disabling, suspending, or locking" on user accounts and their
passwords.
editing local files
If you still want to manually edit the /etc/passwd or
/etc/shadow, after knowing these commands for password
management, then use vipw instead of vi(m) directly. The
vipw tool will do proper locking of the file.
[root@linux ~]# vipw /etc/passwd
vipw: the password file is busy (/etc/ptmp present)
practice: user passwords
- Set the password for serena to hunter2.
- Also set a password for venus and then lock the venus user account with usermod. Verify the locking in /etc/shadow before and after you lock it.
- Use passwd -d to disable the serena password. Verify the serena line in /etc/shadow before and after disabling.
- What is the difference between locking a user account and disabling a user account's password like we just did with usermod -L and passwd -d?
- Try changing the password of serena to serena as serena.
- Make sure serena has to change her password in 10 days.
- Make sure every new user needs to change their password every 10 days.
- Take a backup as root of /etc/shadow. Use vi to copy an encrypted hunter2 hash from venus to serena. Can serena now log on with hunter2 as a password?
- Why use vipw instead of vi? What could be the problem when using vi or vim?
- Use chsh to list all shells (only works on RHEL/CentOS/Fedora), and compare to cat /etc/shells.
- Which useradd option allows you to name a home directory?
- How can you see whether the password of user serena is locked or unlocked? Give a solution with grep and a solution with passwd.
solution: user passwords
- Set the password for serena to hunter2.
- Also set a password for venus and then lock the venus user account with usermod. Verify the locking in /etc/shadow before and after you lock it.
root@linux:~# passwd venus
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@linux:~# grep venus /etc/shadow | cut -c1-70
venus:$6$gswzXICW$uSnKFV1kFKZmTPaMVS4AvNA/KO27OxN0v5LHdV9ed0gTyXrjUeM/
root@linux:~# usermod -L venus
root@linux:~# grep venus /etc/shadow | cut -c1-70
venus:!$6$gswzXICW$uSnKFV1kFKZmTPaMVS4AvNA/KO27OxN0v5LHdV9ed0gTyXrjUeM
Note that usermod -L precedes the password hash with an exclamation mark (!).
- Use passwd -d to disable the serena password. Verify the serena line in /etc/shadow before and after disabling.
- What is the difference between locking a user account and disabling a user account's password like we just did with usermod -L and passwd -d?
Locking will prevent the user from logging on to the system with his password by putting a ! in front of the password in /etc/shadow. Disabling with passwd will erase the password from /etc/shadow.
- Try changing the password of serena to serena as serena.
log on as serena, then execute: passwd serena... it should fail!
- Make sure serena has to change her password in 10 days.
- Make sure every new user needs to change their password every 10 days.
- Take a backup as root of /etc/shadow. Use vi to copy an encrypted hunter2 hash from venus to serena. Can serena now log on with hunter2 as a password?
Yes.
- Why use vipw instead of vi? What could be the problem when using vi or vim?
vipw will give a warning when someone else is already using that file (with vipw).
- Use chsh to list all shells (only works on RHEL/CentOS/Fedora), and compare to cat /etc/shells.
- Which useradd option allows you to name a home directory?
-d
- How can you see whether the password of user serena is locked or unlocked? Give a solution with grep and a solution with passwd.