/etc/passwd, /etc/shadow, and Password Aging

/etc/passwd, /etc/shadow, and Password Aging One of the first things to do when troubleshooting a login failure is to confirm that the account exists. The finger command shows user information, but because /etc/passwd has read permissions for all, we prefer just to grep for the user name. $ grep bob /etc/passwd bob:x:515:515::/home/bob:/bin/bash We are only confirming that there is an /etc/passwd line for this user to prove that the account hasn't been removed. /etc/passwd and /etc/shadow Account information is stored in two files: /etc/passwd and /etc/shadow. All users can view the /etc/passwd file: $ ls -l /etc/passwd -rw-r--r-- 1 root root 2423 Jan 21 11:17 /etc/passwd The /etc/passwd file has seven fields, as shown in Table 14-1. Table 14-1. /etc/passwd Fields Field # Description 1 User name 2 Password 3 User ID 4 Group ID 5 Comment 6 Home directory 7 Login shell The /etc/passwd file is completely explained in the passwd(5) man page. We are interested in the password field for the purposes of this chapter. The password field does not contain the encrypted password. It should have an "x" instead. The password field did contain the password when UNIX was first released. As computers became more powerful, though, viewable encrypted passwords left systems vulnerable to brute force attacks. Thus, the password was moved to a new file that can only be read by root. This file is /etc/shadow. In Linux, the /etc/shadow file is delivered in the shadow-utils package. $ ls -l /etc/shadow -r-------- 1 root root 1974 Jan 22 13:30 /etc/shadow Let's look at the /etc/shadow entry for an account. The grep command is an easy way to view /etc/shadow. $ grep bob /etc/shadow grep: /etc/shadow: Permission denied Right. We must switch to root. #grep bob /etc/shadow bob:$1$lIDEzDIs$mVFLa6ZVsSolJS8yPc3/o.:12800:0:99999:7::: The /etc/shadow file contains password aging information as well as the password. The fields separated by ":" are explained in Table 14-2. Table 14-2. /etc/shadow Fields Field # Description 1 User name 2 Encrypted password 3 Date the password was last changed 4 Minimum age of password in days before it can be changed (0 by default) 5 Maximum age of password in days after which it must be changed (99999 by default) 6 The number of days before password expiration when user is warned to change the password (7 by default) 7 The number of days after password expiration when account login is disabled 8 The date when account login is disabled 9 Not used The /etc/shadow date fields are in days since January 1st, 1970. The password expiration date is the result of adding the date the password was last changed field and the maximum age of password field. See the shadow(5) man page for more details. chage, passwd, and usermod The chage, passwd, and usermod commands can be used to modify password aging parameters. The usermod command duplicates some but not all the password aging features of chage. The chage -l username syntax is a good way to view the password aging settings for accounts. The following example shows the default password aging information for an account: #chage -l bob Minimum: 0 field 4 /etc/shadow Maximum: 99999 field 5 /etc/shadow Warning: 7 field 6 /etc/shadow Inactive: -1 field 7 /etc/shadow Last Change: Jan 17, 2005 field 3 /etc/shadow Password Expires: Never field 3 + field 5 Password Inactive: Never field 3 + field 5 + field 7 Account Expires: Never field 8 /etc/shadow Let's look at the password aging example. A user tries to log in on January 19, 2005 using ssh, but the term window is disconnected immediately after entering the password: login as: dbadmin3 Sent username "dbadmin3" TIS authentication refused. lori@sawnee.somecomp.com's password: The login attempt doesn't identify the problem. The chage -l username command shows that the account expired yesterday, preventing logins. #chage -l dbadmin3 Minimum: 0 Maximum: 99999 Warning: 7 Inactive: -1 Last Change: Jan 17, 2005 Password Expires: Never Password Inactive: Never Account Expires: Jan 18, 2005 The Password Inactive and Account Expires dates prevent a user from logging in. When the Password Expires date is reached, the user should be forced to change his or her password during login. However, ssh will just fail the login attempt. Table 14-3 shows the more useful chage syntaxes. Table 14-3. chage Syntax Syntax Description chage -l <username> Display password aging values chage -m ## <username> Change minimum password lifetime chage -M ## <username> Change maximum password lifetime chage -I ## <username> Number of days after password expiration when account login is disabled chage -E <date> <username> Set account expiration date chage -W ## <username> Set number of days before password expiration to warn user that password will expire chage -d <date> <username> Set last password change date Dates are in YYYY-MM-DD format, 2005-01-19 for example. The ## in the table indicates a number of days parameter. Here is an example showing a change to the maximum password lifetime. Password lifetime is field 5 of /etc/shadow. #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:99999:7::: We can use grep to see this information, but chage is nicer. #chage -l dbadmin Minimum: 0 Maximum: 99999 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Never Password Inactive: Never Account Expires: Never Now let's set the maximum password lifetime using chage. #chage -M 30 dbadmin We can use grep to see that the password aging field is now 30. #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::: Once again, chage -l username offers nicer output. # chage -l dbadmin Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Mar 29, 2005 Password Inactive: Never Account Expires: Never A -1 for either a date or days field clears the field from /etc/shadow. Here is an example demonstrating how to reset the Account Expires date, which is field 8. Once again, we look at the password aging information with both grep and chage so that we can clearly see which field is being changed. #grep lori /etc/shadow lori:$1$cQG1pnOz$UHRmboguvqvOyJv5wAbTr/:12805:0:30:7::12847: chage -l lori Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Jan 22, 2005 Password Expires: Feb 21, 2005 Password Inactive: Never Account Expires: Mar 05, 2005 Here chage is used to clear the account expiration date. #chage -E -1 lori #chage -l lori Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Jan 22, 2005 Password Expires: Feb 21, 2005 Password Inactive: Never Account Expires: Never Field 8 is empty. #grep lori /etc/shadow lori:$1$cQG1pnOz$UHRmboguvqvOyJv5wAbTr/:12805:0:30:7::: The usermod command can set the account expiration date and the number of days after the password expires when the account is locked. The syntax is shown for each in Table 14-4. Table 14-4. usermod Password Aging Syntax Syntax Description usermod -e <date> <username> Set account expiration date; same as chage -E usermod -f ## <username> Set number of days of inactivity before account login is disabled; same as chage -I The following example is similar to the previous chage example. This time, usermod is used to change the account expiration date, which is field 8 in /etc/shadow. #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::: chage -l dbadmin Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Mar 29, 2005 Password Inactive: Never Account Expires: Never #usermod -e 2006-01-03 dbadmin #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::13151: #chage -l dbadmin Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Mar 29, 2005 Password Inactive: Never Account Expires: Jan 03, 2006 Let's remove the Account Expires date: #chage -E -1 dbadmin #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::: #chage -l dbadmin Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Mar 29, 2005 Password Inactive: Never Account Expires: Never The passwd command can change the password aging fields too. The passwd aging options are shown in Table 14-5. Table 14-5. passwd Password Aging Syntax Description passwd -n ## <username> Minimum password lifetime; same as chage -m passwd -x ## <username> Maximum password lifetime; same as chage -M passwd -w ## <username> Set number of days before password expiration to warn user that password will expire; same as chage -W passwd -i ## <username> Number of days after password expiration when account login is disabled; same as chage -I The ## in the table indicates a number of days parameter. A -1 for the ## (days field) will clear the field from /etc/shadow like chage. The usermod and passwd commands can also disable an account. The different syntaxes are shown in Table 14-6. Table 14-6. Locking Accounts Syntax Description usermod -L <username> Lock the account usermod -U <username> Unlock the account passwd -l <username> Lock the account passwd -u <username> Unlock the account A ! in the password field of /etc/shadow indicates a locked account. Notice the change in the password field after usermod is used to lock an account. #grep dbadmin /etc/shadow dbadmin:$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::: #usermod -L dbadmin grep dbadmin /etc/shadow dbadmin:!$1$TuCLLDqz$Fc1YnK309QXT6TJMOagdZ.:12841:0:30:7::: The chage -l output doesn't indicate that the account is locked. #chage -l dbadmin Minimum: 0 Maximum: 30 Warning: 7 Inactive: -1 Last Change: Feb 27, 2005 Password Expires: Mar 29, 2005 Password Inactive: Never Account Expires: Never The account can be unlocked with usermod -U, passwd -u, or by changing the password with the passwd command as root. Why can't the user change the password, assuming he or she is already logged in? Because the user is prompted for the current password before being granted the authority to change the password. The user doesn't know the password anymore because a ! character was added when the account was locked. Root isn't required to enter the current password, which enables the root user to unlock the account with passwd. The following is an example of a locked account being unlocked with passwd. #grep dbadmin /etc/shadow dbadmin:!$1$8nF5XmBG$Pckwi8Chld..JgP5Zmc4i0:12841:0:30:7::: #passwd -u dbadmin Unlocking password for user dbadmin. passwd: Success. #grep dbadmin /etc/shadow dbadmin:$1$8nF5XmBG$Pckwi8Chld..JgP5Zmc4i0:12841:0:30:7::: /etc/passwd and /etc/shadow Corruption The passwd and shadow files can be corrupted in numerous ways: /etc/shadow might have been restored while /etc/passwd was not, incorrect file permissions could cause problems, and so on. Let's look at what happens if someone edits /etc/shadow to clear password aging information while a user attempts to change his password. Look at Dave's /etc/shadow line: dave:$1$dkdAH.dQ$DU1t04WOFGjF4BGymI/ll0:12802:0:2:7::: The system administrator is using vi to edit /etc/shadow. Before the system administrator saves the file, Dave changes his password successfully by using the passwd command. /etc/shadow shows the change to the password field: dave:$1$VGCA.Vk8$9u2b8W5eCWjtOdt6ipOlD0:12804:0:2:7::: Now the system administrator saves /etc/shadow. When the administrator tries to save the file, he sees: WARNING: The file has been changed since reading it!!! Do you really want to write to it (y/n)? Hopefully, the system administrator replies n and tries again. If not, Dave loses his password change. Look at what happens to Dave's password. It changes back to the previous value: #grep dave /etc/shadow dave:$1$dkdAH.dQ$DU1t04WOFGjF4BGymI/ll0:12802:0:2:7::: Be careful when making changes to /etc/passwd or /etc/shadow. Always try to use a command to make changes instead of editing the file. pwck Linux provides the pwck command to look for /etc/passwd and /etc/shadow problems. This command validates field entries and looks for duplicate lines. No output from pwck means it didn't identify any problems. It will not find all problems, so you might need to inspect the passwd and shadow files line by line to confirm the lines are correct. The following error is caused by user rob not having an entry in /etc/shadow. The pwck command didn't catch it. passwd rob Changing password for user rob. passwd: Authentication token manipulation error