LinuxQuestions.org
Old 10-21-2010, 01:57 AM   #1
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Rep: Reputation: 36
/etc/shadow file help needed.


I was reading a security manual and got stuck at the following statements about the /etc/shadow file.

1) How would I check if lines in the /etc/shadow file are in valid format as checked by the pwconv program?
 
Old 10-21-2010, 02:07 AM   #2
prayag_pjs
Senior Member
 
Registered: Feb 2008
Location: Pune - India
Distribution: Fedora,RedHat,CentOS,Gentoo
Posts: 1,138
Blog Entries: 4

Rep: Reputation: 147Reputation: 147
Hi,

Please elaborate and let us know your exact problem?

For your information:
pwconv is a system administration command to convert unshadowed entries in /etc/passwd into shadowed entries in /etc/shadow. Replace the encrypted password in /etc/password with an x. Shadowing passwords keeps them safe from password-cracking programs. pwconv creates additional expiration information for the /etc/shadow file from entries in your /etc/login.defs file. If you add new entries to the /etc/passwd file, you can run pwconv again to transfer the new information to /etc/shadow. Already shadowed entries are ignored. pwunconv restores the encrypted passwords to your /etc/passwd file and removes the /etc/shadow file. Some expiration information is lost in the conversion. See also grpconv and grpunconv.
 
Old 10-21-2010, 02:21 AM   #3
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by prayag_pjs
Hi,

Please elaborate and let us know your exact problem?

For your information:
pwconv is a system administration command to convert unshadowed entries in /etc/passwd into shadowed entries in /etc/shadow. Replace the encrypted password in /etc/password with an x. Shadowing passwords keeps them safe from password-cracking programs. pwconv creates additional expiration information for the /etc/shadow file from entries in your /etc/login.defs file. If you add new entries to the /etc/passwd file, you can run pwconv again to transfer the new information to /etc/shadow. Already shadowed entries are ignored. pwunconv restores the encrypted passwords to your /etc/passwd file and removes the /etc/shadow file. Some expiration information is lost in the conversion. See also grpconv and grpunconv.
Is there any way of validating entries in the /etc/shadow file using the pwconv utility?
For example, is there any way of running the pwconv utility and making sure that the /etc/shadow file is up to date or valid?

Exact statement from book.
Quote:
Lines in the /etc/shadow file must have a valid format either as checked by the pwconv program, or must meet the following requirements:

* 2.4.2.1 Line Format: Each line must have nine (9) colon-separated fields. There must be no blank lines (including the last line). The nine fields are interpreted as follows:

username:password:lastchg:min:max:warn:inactive:expire:flag


*Note: The first two fields must not be blank.


* 2.4.2.2 Valid User: Usernames must directly correspond to usernames which exist in /etc/passwd or in an enabled name service (e.g., LDAP, NIS) password map, and must conform to all the same rules as usernames in /etc/passwd.

* 2.4.2.3 Duplicate Usernames: There must be no duplicate usernames. Each line must contain a unique username.

* 2.4.2.4 Passwords: Passwords in /etc/shadow must be in compliance to the published AS Authentication & Password Policy published at URL:



In addition the encrypted password stored in the 2nd (ie: passwd) field of the shadow file must have 13-24 characters as per specified in the LINUX section 5 man page for shadow file format.

* 2.4.2.5 uid=0 Passwords: Passwords for uid=0 accounts must not be the same as those used for other accounts.

* 2.4.2.6 File Permissions: The /etc/shadow file must be owned by root and have permissions of 0400.

* 2.4.2.7 Locked Accounts: All accounts that are locked or do not require the ability to login to the system must conform to section 3.4.1.2 of this document along with having a single exclamation mark "!" as the first character of the 2nd (ie: passwd ) field of the shadow file entry.
I'm confused over the first line, "as checked by the pwconv program". Which option should I use for checking?

Last edited by pinga123; 10-21-2010 at 02:25 AM.
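
The format rules quoted above (2.4.2.1 line format, 2.4.2.2 valid user, 2.4.2.3 duplicate usernames, 2.4.2.6 file permissions) can be checked with a short script. This is an added example, not part of the original thread or the quoted manual; the function names `check_shadow`, `shadow_mode_owner` and `demo` are hypothetical, and the sample files are constructed, with `!` and `*` placeholders instead of real hashes.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_shadow SHADOW PASSWD prints one finding per line and returns
# non-zero if the shadow-style file breaks rule 2.4.2.1, 2.4.2.2 or 2.4.2.3.
check_shadow() {
    awk -F: -v pw="$2" '
        # passwd-style file: remember every known username
        FILENAME == pw { known[$1] = 1; next }
        # 2.4.2.1: no blank lines, nine fields, first two fields non-blank
        $0 == "" { print "line " FNR ": blank line"; bad = 1; next }
        NF != 9  { print "line " FNR ": " NF " fields, expected 9"; bad = 1; next }
        $1 == "" || $2 == "" {
            print "line " FNR ": empty username or password field"; bad = 1; next
        }
        # 2.4.2.2: the username must also exist in the passwd-style file
        !($1 in known) { print "line " FNR ": user " $1 " not in passwd"; bad = 1 }
        # 2.4.2.3: each username may appear only once
        seen[$1]++ { print "line " FNR ": duplicate user " $1; bad = 1 }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# 2.4.2.6: print the mode string and numeric owner of a file.
# A root-owned file with permissions 0400 gives "-r-------- 0".
shadow_mode_owner() {
    ls -ln "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Constructed sample data, written to a temporary directory so the
# real /etc/shadow is never touched.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'root:!:14903:0:99999:7:::' \
                  'alice:*:14903:0:99999:7::' \
                  '' \
                  'bob:!:14903:0:99999:7:::' \
                  'root:!:14903:0:99999:7:::' > "$dir/shadow"
    chmod 400 "$dir/shadow"
    check_shadow "$dir/shadow" "$dir/passwd"
    shadow_mode_owner "$dir/shadow"
    rm -rf "$dir"
}
demo
```

On systems with the shadow-utils suite, `pwck -r` performs comparable read-only checks on the live /etc/passwd and /etc/shadow.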
 
Old 10-21-2010, 02:58 AM   #4
honeybadger
Member
 
Registered: Aug 2007
Location: India
Distribution: Slackware (mainly) and then a lot of others...
Posts: 855

Rep: Reputation: Disabled
Hi there,
you can log in as the root and open the shadow file and see for yourself what the file entries look like.
Is this what you are looking for?