A user gains access to an account by providing a correct login name and password. The system maintains passwords in password files, along with login information such as the user name and ID. Tools like the passwd command let users change their passwords by modifying these files. /etc/passwd is the file that traditionally held user passwords, in encrypted form. However, every user is allowed to read /etc/passwd, so any user could obtain the encrypted passwords. For better security, password entries are now kept in the /etc/shadow file, which is readable only by the root user.
When you add a user, an entry for that user is made in the /etc/passwd file, commonly known as the password file. Each entry takes up one line consisting of several fields separated by colons. The fields are as follows:
Username: Login name of the user
Password: Encrypted password for the user's account
User ID: Unique number assigned by the system
Group ID: Number used to identify the group to which the user belongs
Comment: Any user information, such as the user's full name
Home directory: The user's home directory
Login shell: Shell to run when the user logs in; this is the default shell, usually /bin/bash
Depending on whether or not you are using shadow passwords, the password field (the second field) will be either an x or an encrypted form of the user's password. Red Hat implements shadow passwords by default, so these entries should have an x in their password field. The following are examples of /etc/passwd entries. For such entries, you must use the passwd command to create a password. Notice also that user IDs on this particular system start at 500 and increment by one. With Red Hat, the group given is not the generic User group, but a group consisting uniquely of that user. For example, the dylan user belongs to a group named Dylan, not to the generic User group.
dylan:x:500:500:Dylan:/home/dylan:/bin/bash
chris:x:501:501:Chris:/home/chris:/bin/bash
Tip: If you turn off shadow password support, entries in your passwd file will display encrypted passwords. Because any user can read the /etc/passwd file, intruders can access and possibly crack the encrypted passwords.
Tip: Although it is technically possible to edit entries in the /etc/passwd file directly, it is not recommended. In particular, deleting an entry does not remove any other information, permissions, and data associated with a user, which opens a possible security breach whereby an intruder could take over the deleted user's ID or disk space.
The /etc/passwd file is a simple text file and is vulnerable to security breaches. If anyone gains access to the /etc/passwd file, they might be able to decipher or crack the encrypted passwords by brute force. The shadow suite of applications implements a greater level of security. It includes versions of useradd, groupadd, and their corresponding update and delete programs. Most other user configuration tools, including redhat-config-users, support shadow security measures. With shadow security, passwords are no longer kept in the /etc/passwd file. Instead, they are kept in a separate file called /etc/shadow, and access to that file is restricted to the root user.
The following example shows the /etc/shadow entries for two users, listing their encrypted passwords. The entry for chris has an x in its Password field, indicating that a password has not yet been created for this user:
dylan:YOTPd3Pyy9hAc:500:500:Dylan:/home/dylan:/bin/bash
chris:x:501:501:Chris:/home/chris:/bin/bash
A corresponding password file, called /etc/gshadow, is also maintained for groups that require passwords. Red Hat supports shadow passwords by default. You can manually specify whether you want to use shadow passwords with the Red Hat authentication tool.
To change any particular field for a given user, you should use the user management tools provided, such as the passwd command, redhat-config-users, adduser, usermod, useradd, and chage, discussed in this chapter. The passwd command lets you change the password only. Other tools, such as redhat-config-users, not only make entries in the /etc/passwd file but also create the home directory for the user and install initialization files in the user's home directory.
These tools also let you control a user's access to their accounts. You can set expiration dates for users or lock them out of their accounts. Users locked out of their accounts will have their password in the /etc/shadow file prefixed by the invalid string, !!. Unlocking the account removes this prefix.
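As an added example (not code from the book), the following Python audit parses constructed /etc/passwd and /etc/shadow samples and flags the conditions this section describes: an encrypted password left in the world-readable passwd file, a locked account (the !! prefix), an empty password field, and a user ID that is not unique. The shadow sample uses the standard nine-field layout of that file, and the hash strings are placeholders rather than real password hashes.

```python
# Constructed samples (not from a real system). /etc/passwd has the seven fields
# listed in the text; /etc/shadow uses the standard nine-field layout (name, hash,
# last change, min, max, warn, inactive, expire, reserved).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
dylan:x:500:500:Dylan:/home/dylan:/bin/bash
chris:x:501:501:Chris:/home/chris:/bin/bash
guest:x:502:502:Guest:/home/guest:/bin/bash
legacy:YOTPd3Pyy9hAc:503:503:Legacy:/home/legacy:/bin/bash
backup:x:0:0:Backup:/root:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$constructedhashvalue:15000:0:99999:7:::
dylan:YOTPd3Pyy9hAc:15000:0:99999:7:::
chris:!!:15000:0:99999:7:::
guest::15000:0:99999:7:::
legacy:YOTPd3Pyy9hAc:15000:0:99999:7:::
"""


def parse_colon_file(text, nfields):
    """Split a passwd-style file into rows, rejecting malformed lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError(f"expected {nfields} fields: {line!r}")
            rows.append(fields)
    return rows


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs for entries that weaken the password store."""
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text, 9)}
    owner_of_uid, findings = {}, []
    for name, pw, uid, *_ in parse_colon_file(passwd_text, 7):
        if pw != "x":  # with shadow passwords, only the x placeholder belongs here
            findings.append((name, "password hash in world-readable /etc/passwd"))
        if uid in owner_of_uid:
            findings.append((name, f"shares UID {uid} with {owner_of_uid[uid]}"))
        owner_of_uid.setdefault(uid, name)
        if name not in shadow:
            findings.append((name, "no /etc/shadow entry"))
        elif shadow[name].startswith("!"):
            findings.append((name, "locked"))  # the !! prefix described in the text
        elif shadow[name] == "":
            findings.append((name, "empty password field"))
    return findings
```

Calling audit(PASSWD_SAMPLE, SHADOW_SAMPLE) reports chris as locked, guest with an empty password field, legacy with a hash exposed in /etc/passwd, and backup both sharing UID 0 with root and lacking a shadow entry.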
Tip: With the Red Hat authentication tool (authconfig-gtk, see Chapter 4), you can enable and configure various authentication tools such as NIS and LDAP servers, as well as enabling shadow passwords, LDAP, and Kerberos authentication (accessible as Authentication on the System Settings menu and windows).