LinuxQuestions.org


pinga123 10-01-2010 02:44 AM

shadow file password policy.
 
Today I was going through some of the security guides written for Linux.

Under shadow file security the following points were mentioned.

1) The encrypted password stored in the /etc/shadow file should have more than 14-25 characters.
2) Usernames in the shadow file must satisfy all the same rules as usernames in /etc/passwd.
3) The password for an application username should display * if the username is not locked.
4) If a user is locked it should be displayed as ! as the first character in the second field of the shadow file.

Confusion for points 1 and 2:
Now I am confused as to why the encrypted password should be more than 14-25 characters.
Also, what rules must be satisfied, and how do I check them?

Confusion for points 3 and 4:
There are a lot of users with * as the second field; I guess they are not locked, but according to the 4th point there are a lot of users with ! as the first character.
How would I check whether they are actually locked or not?

I am posting the output of the /etc/shadow and /etc/passwd files for the accounts.

/etc/passwd
Quote:

admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
/etc/shadow
Quote:

admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::

pinga123 10-01-2010 04:49 AM

P.S.:
I would also like to know the GID range of my distribution.

I can find the UID range by examining the UID of the nobody user, but how would I find the same for GID?

karthickk02 10-01-2010 05:12 AM

This encryption is made automatically by the DSA and MD5 encryption algorithms. It is not human readable. If it were human readable then everyone could access every user, so this is good security in Linux.

If you are satisfied with my answer then mark it as solved.

sem007 10-01-2010 05:31 AM

Quote:

Originally Posted by pinga123 (Post 4114441)

Confusion for points 1 and 2:
Now I am confused as to why the encrypted password should be more than 14-25 characters.
Also, what rules must be satisfied, and how do I check them?

Generally the MD5 encryption method is used to encrypt the password, and it is more than 25 characters. Take a look at the shadow man page. User accounts must exist in both /etc/shadow and /etc/passwd. When you create/delete a user both files are automatically updated, so no need to worry about point 2.

Quote from shadow man page

Quote:

The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9, . and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.

Quote:

Originally Posted by pinga123 (Post 4114441)
How would I check whether they are actually locked or not?

You can use the passwd command to verify locked users.

Code:

# passwd -S shailesh
shailesh P 06/04/2010 0 99999 7 -1

See the second character:

L - locked
NP - no password
P - usable password

Quote:

I would also like to know the GID range of my distribution.
Normally the GID range is also 65535.

What distro are you using?


Hope this info helps you.

Regards,
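An added check for the questions in this thread (not code from the original posts or from the passwd/shadow-utils package): it classifies shadow password fields the way the reply above describes (a leading ! means locked, * means no usable password, $1$ means MD5) and also recognises the $5$/$6$ SHA prefixes and the 13-character DES form from the man page quote. The sample lines and hash values are constructed and are not real credentials.

```python
import re

# Constructed sample /etc/shadow lines (modelled on the thread; the hash
# values are made up and are not real credentials).
SAMPLE_SHADOW = """\
admin:$1$abcdefgh$0123456789abcdefghijkl:14879:0:99999:7:::
legacy:ab3Qx9./ZkLm1:14866:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::
olduser:!$1$abcdefgh$0123456789abcdefghijkl:14866:0:99999:7:::
guest::14866:0:99999:7:::
broken:$1$abcdefgh$tooshort:14866:0:99999:7:::
"""

# crypt(3) prefixes with the expected digest length in the 64-char alphabet
PREFIXES = {"$1$": ("MD5", 22), "$5$": ("SHA-256", 43), "$6$": ("SHA-512", 86)}
ALPHABET = re.compile(r"^[A-Za-z0-9./]+$")

def classify(field):
    """Classify one shadow password field as (status, algorithm, well_formed)."""
    if field == "":
        return ("no password", None, False)      # passwd -S shows NP
    if field.startswith("!"):
        # passwd -l prepends '!'; '!!' means locked and never given a password
        return ("locked", None, False)
    if field.startswith("*"):
        # no hash can equal '*', so password login is disabled (service accounts)
        return ("login disabled", None, False)
    for prefix, (algo, digest_len) in PREFIXES.items():
        if field.startswith(prefix):
            digest = field.split("$")[-1]           # part after the last '$'
            ok = len(digest) == digest_len and bool(ALPHABET.match(digest))
            return ("usable password", algo, ok)
    if len(field) == 13 and ALPHABET.match(field):
        return ("usable password", "DES", True)  # traditional 13-char crypt
    return ("malformed", None, False)

def audit_shadow(text):
    """Map each username in shadow-format text to classify() of its field."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, pw_field = line.split(":")[:2]
            result[name] = classify(pw_field)
    return result

if __name__ == "__main__":
    for user, (status, algo, ok) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {status:16} {algo or '-':8} {'well-formed' if ok else '-'}")
```

Run it against a real file with `audit_shadow(open("/etc/shadow").read())` as root; the well_formed flag answers point 1 of the guide (digest length and alphabet), the status answers points 3 and 4.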

pinga123 10-01-2010 06:30 AM

Please find the distribution details.
Quote:

# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: OracleVMserver
Description: Oracle VM server release 2.2.0
Release: 2.2.0
Codename: n/a

Quote:

# uname -a
Linux OFSMUW-VS-61 2.6.18-128.2.1.4.9.el5xen #1 SMP Fri Oct 9 14:57:31 EDT 2009 i686 i686 i386 GNU/Linux

sem007 10-01-2010 09:05 AM

Quote:

Originally Posted by pinga123 (Post 4114609)
Please find the distribution details.

Not sure for that distro.
You can find the info in this file.

Code:

grep UID /etc/login.defs
grep GID /etc/login.defs

Regards,

pinga123 10-04-2010 12:01 AM

Quote:

Originally Posted by sem007 (Post 4114730)
Not sure for that distro.
You can find the info in this file.

Code:

grep UID /etc/login.defs
grep GID /etc/login.defs

Regards,

I did find the max values for the GID and UID parameters, but they contradict my current setup. How is this possible?

Quote:

# grep GID /etc/login.defs
GID_MIN 500
GID_MAX 60000

# grep UID /etc/login.defs
UID_MIN 500
UID_MAX 60000

For example:

Quote:

nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
In the above example the nfsnobody user is assigned a UID and GID which are not in the range specified in login.defs.

However, this is a fresh installation and nothing has been done as far as tweaking the OS is concerned.

sem007 10-04-2010 05:49 AM

Hi pinga123,

UIDs and GIDs are 32 bit, so the maximum recommended is 65535, but the maximum allowable UID/GID is 4294967294.

Regards,

pinga123 10-05-2010 12:42 AM

Quote:

Originally Posted by sem007 (Post 4117016)
Hi pinga123,

UIDs and GIDs are 32 bit, so the maximum recommended is 65535, but the maximum allowable UID/GID is 4294967294.

Regards,

This contradicts the following.
Quote:

# grep GID /etc/login.defs
GID_MIN 500
GID_MAX 60000

# grep UID /etc/login.defs
UID_MIN 500
UID_MAX 60000
Can you please shed some light on it?

sem007 10-05-2010 03:56 AM

Hi pinga123,

65535 is the recommended value, not the default value.

UID_MAX 60000 is the value for automatic UID selection in the useradd command.

If you want automatic UID selection higher than 60000 then change the value of UID_MAX in the login.defs file.

i.e. UID_MAX 80000

Regards,

pinga123 10-06-2010 12:39 AM

Quote:

Originally Posted by sem007 (Post 4118055)
Hi pinga123,

65535 is the recommended value, not the default value.

UID_MAX 60000 is the value for automatic UID selection in the useradd command.

If you want automatic UID selection higher than 60000 then change the value of UID_MAX in the login.defs file.

i.e. UID_MAX 80000

Regards,

Correct me if I am wrong.
Does this mean that by using the useradd command the maximum UID that can be given is 60000, and after that I will not be able to make any new user?
To create a user ID greater than 60000 all I need to do is modify the login.defs file.

However, this does not apply to application-level user IDs, which are assigned irrespective of what is defined in the login.defs file.

sem007 10-06-2010 03:01 AM

Quote:

Does this mean that by using the useradd command the maximum UID that can be given is 60000, and after that I will not be able to make any new user?
The UID_MAX value is for automatic UID selection. If you do not specify any option it will assign a unique UID automatically.

i.e.
Code:

# useradd username

You can use a UID higher than 60000 manually (without changing the UID_MAX value); for that you have to manually assign the UID with the -u option.

i.e.
Code:

# useradd -u uid username

Regards,
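To see why nfsnobody can sit outside the login.defs range, here is an added check (not code from the thread or from shadow-utils) that parses the UID/GID bounds and lists the passwd entries that fall outside them. The login.defs excerpt and passwd lines are constructed from the values posted above; bigapp is a made-up account standing in for one created with an explicit useradd -u.

```python
import re

# Constructed /etc/login.defs excerpt with the values reported in the thread
SAMPLE_LOGIN_DEFS = """\
UID_MIN   500
UID_MAX   60000
GID_MIN   500
GID_MAX   60000
"""

# Constructed /etc/passwd lines (nfsnobody from the thread; bigapp is made up)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
bigapp:x:70000:70000::/opt/bigapp:/sbin/nologin
"""

def parse_login_defs(text):
    """Return {KEY: int} for the UID/GID _MIN/_MAX keys in login.defs text."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*((?:UID|GID)_(?:MIN|MAX))\s+(\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def out_of_range_accounts(passwd_text, defs):
    """List (user, uid, gid, reasons) for entries outside the useradd ranges."""
    # login.defs only bounds *automatic* allocation: ids below MIN are the
    # system-account range, ids above MAX were assigned explicitly (-u / -g).
    flagged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, _, uid, gid = line.split(":")[:4]
        uid, gid = int(uid), int(gid)
        reasons = []
        if uid > defs["UID_MAX"]:
            reasons.append("uid above UID_MAX")
        elif uid < defs["UID_MIN"]:
            reasons.append("system uid")
        if gid > defs["GID_MAX"]:
            reasons.append("gid above GID_MAX")
        elif gid < defs["GID_MIN"]:
            reasons.append("system gid")
        if reasons:
            flagged.append((user, uid, gid, reasons))
    return flagged
```

On a live system pass the contents of /etc/login.defs and /etc/passwd instead of the samples; anything reported "above UID_MAX" was not allocated by useradd's automatic selection and is worth reconciling against your application inventory.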

