LinuxQuestions.org
Old 10-01-2010, 01:44 AM   #1
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Rep: Reputation: 36
shadow file password policy.


Today I was going through some security guides written on Linux.

Under shadow file security, the following points were mentioned.

1) The encrypted password stored in the /etc/shadow file should have more than 14-25 characters.
2) Usernames in the shadow file must satisfy all the same rules as usernames in /etc/passwd.
3) The password for an application username should display * if the username is not locked.
4) If a user is locked it should be displayed as ! as the first character in the second field of the shadow file.

Confusion for points 1 and 2:
Now I am confused as to why the encrypted password should be more than 14-25 characters.
Also, what rules need to be satisfied, and how do I check them?

Confusion for points 3 and 4:
There are a lot of users with * as the second field; I guess they are not locked, but according to the 4th point there are a lot of users with ! as the first character.
How would I check whether they are actually locked or not?

I am posting the output of the /etc/shadow and /etc/passwd files for the accounts.

/etc/passwd
Quote:
admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
/etc/shadow

Quote:
admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::

Last edited by pinga123; 10-01-2010 at 02:04 AM.
 
Old 10-01-2010, 03:49 AM   #2
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Original Poster
Rep: Reputation: 36
P.S.:
I would also like to know the GID range of my distribution.

I can find the UID range by examining the UID of the nobody user, but how would I find the same for the GID?
 
Old 10-01-2010, 04:12 AM   #3
karthickk02
Member
 
Registered: Sep 2010
Posts: 46

Rep: Reputation: 0
This encryption is made automatically by the DSA and MD5 encryption algorithms. It is not human readable. If it were human readable then everyone could access every user's account, so this is good security in Linux.


If you are satisfied with my answer then mark it as solved.
 
Old 10-01-2010, 04:31 AM   #4
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Quote:
Originally Posted by pinga123 View Post

Confusion for points 1 and 2:
Now I am confused as to why the encrypted password should be more than 14-25 characters.
Also, what rules need to be satisfied, and how do I check them?
Generally the MD5 encryption method is used to encrypt passwords, and it is more than 25 characters. Take a look at the shadow man page. User accounts must exist in both /etc/shadow and /etc/passwd. When you create/delete a user both files are automatically updated, so there is nothing to worry about for point 2.

Quote from the shadow man page

Quote:
The password field must be filled. The encrypted password consists of 13 to 24 characters from the 64 character alphabet a thru z, A thru Z, 0 thru 9, . and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based algorithm was used.
Quote:
Originally Posted by pinga123 View Post
How would I check whether they are actually locked or not?
You can use the passwd command to verify locked users.

Code:
# passwd -S shailesh
shailesh P 06/04/2010 0 99999 7 -1
See the second character:

L - locked
NP - no password
P - usable password

Quote:
I would also like to know the GID range of my distribution.
Normally the GID range is also 65535.

What distro are you using?


Hope this info helps you.

Regards,
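The four checkpoints in the original post, together with sem007's advice that passwd -S is the way to confirm a lock, as an added example that is not code from the thread: a small POSIX sh script that classifies the password field of every shadow entry and cross-checks the shadow usernames against passwd. The admin, ntp and mail lines are the ones quoted in the post; the ghost and empty entries are constructed here to show what a finding looks like. On a real host it is run as root with the two variables pointed at /etc/shadow and /etc/passwd, and every lock it reports should be confirmed with passwd -S.

```shell
#!/bin/sh
# Added example, not code from the thread: classify each /etc/shadow password
# field the way the original post's four checkpoints describe, and cross-check
# shadow usernames against /etc/passwd. The two data blocks are constructed
# sample input (admin/ntp/mail come from the post; ghost and empty are invented
# to show failures) so the script runs offline without root.

PASSWD_DATA='admin:x:500:500::/home/admin:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin'

SHADOW_DATA='admin:$1$YSmsjgr7$m3YjwsZNdQ/Z24QXGWj8O1:14879:0:99999:7:::
ntp:!!:14866:0:99999:7:::
mail:*:14866:0:99999:7:::
ghost:$1$abc:14866:0:99999:7:::
empty::14866:0:99999:7:::'

classify_hash() {
    # $1 is the second field of a shadow line. Prints one of:
    #   EMPTY            no password at all: login needs none (worse than locked)
    #   LOCKED           only '!' characters, e.g. "!!" on a Red Hat-style
    #                    account that never had a password set
    #   LOCKED-WITH-...  '!' prefixed to a real hash (passwd -l / usermod -L);
    #                    passwd -u restores the old password
    #   DISABLED         '*': no valid hash, password login impossible
    #   SHORT:<n>        shorter than the 13-character DES minimum
    #   CRYPT:<id>:<n>   modular crypt: id 1 = MD5, 5 = SHA-256, 6 = SHA-512
    #   DES:13           traditional DES crypt (13 characters, no '$')
    #   INVALID          characters outside the crypt alphabet a-zA-Z0-9./
    h=$1
    case "$h" in
        '')   echo EMPTY;    return ;;
        '*'*) echo DISABLED; return ;;
        '!'*)
            rest=$h
            while [ "${rest#"!"}" != "$rest" ]; do rest=${rest#"!"}; done
            if [ -z "$rest" ]; then echo LOCKED
            else echo "LOCKED-WITH-$(classify_hash "$rest")"; fi
            return ;;
    esac
    # '$' and '=' occur only as separators / the rounds= parameter in the
    # modular format; drop them before checking the 64-character alphabet.
    case "$(printf '%s' "$h" | tr -d '$=')" in
        *[!A-Za-z0-9./]*) echo INVALID; return ;;
    esac
    len=${#h}
    if [ "$len" -lt 13 ]; then echo "SHORT:$len"; return; fi
    case "$h" in
        '$'*) id=${h#\$}; id=${id%%\$*}; echo "CRYPT:$id:$len" ;;
        *)    if [ "$len" -eq 13 ]; then echo DES:13; else echo INVALID; fi ;;
    esac
}

audit_shadow() {
    # One line per shadow entry: user, state, and a FINDING when the entry
    # allows passwordless login, carries a malformed hash, or has no passwd row.
    printf '%s\n' "$SHADOW_DATA" | while IFS=: read -r user hash _rest; do
        state=$(classify_hash "$hash")
        finding=''
        case "$state" in
            EMPTY)           finding='passwordless login possible' ;;
            INVALID|SHORT:*) finding='malformed hash' ;;
        esac
        printf '%s\n' "$PASSWD_DATA" | cut -d: -f1 | grep -qx -- "$user" \
            || finding="${finding:+$finding; }no matching /etc/passwd entry"
        if [ -n "$finding" ]; then
            printf '%s\t%s\tFINDING %s\n' "$user" "$state" "$finding"
        else
            printf '%s\t%s\n' "$user" "$state"
        fi
    done
}

# Run the audit when executed directly; prints one line per account.
audit_shadow
```

The ordering of the states matters: an empty field is the dangerous one (no password is needed at all), while * and !-prefixed fields both deny password login. The 13-to-24-character rule quoted from the man page only describes DES crypt; the MD5-crypt field on the admin account is 34 characters, and SHA-512 ($6$) fields are longer still.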
 
Old 10-01-2010, 05:30 AM   #5
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Please find the distribution details.
Quote:
# lsb_release -a
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: OracleVMserver
Description: Oracle VM server release 2.2.0
Release: 2.2.0
Codename: n/a

Quote:
# uname -a
Linux OFSMUW-VS-61 2.6.18-128.2.1.4.9.el5xen #1 SMP Fri Oct 9 14:57:31 EDT 2009 i686 i686 i386 GNU/Linux
 
Old 10-01-2010, 08:05 AM   #6
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Quote:
Originally Posted by pinga123 View Post
Please find the distribution details.
Not sure for that distro.
You can find the info in this file.

Code:
grep UID /etc/login.defs
grep GID /etc/login.defs
Regards,
 
1 members found this post helpful.
Old 10-03-2010, 11:01 PM   #7
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by sem007 View Post
Not sure for that distro.
You can find the info in this file.

Code:
grep UID /etc/login.defs
grep GID /etc/login.defs
Regards,
I did find the max values for the GID and UID parameters, but they contradict my current setup. How is that possible?

Quote:
# grep GID /etc/login.defs
GID_MIN 500
GID_MAX 60000

# grep UID /etc/login.defs
UID_MIN 500
UID_MAX 60000
For example:

Quote:
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
In the above example the nfsnobody user is assigned a UID and GID which are not in the range specified in login.defs.

However, this is a fresh installation and nothing has been done as far as tweaking the OS is concerned.
 
Old 10-04-2010, 04:49 AM   #8
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Hi pinga123,

UIDs and GIDs are 32 bit, so the maximum recommended is 65535, but the maximum allowable uid/gid is 4294967294.

Regards,
 
Old 10-04-2010, 11:42 PM   #9
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by sem007 View Post
Hi pinga123,

UIDs and GIDs are 32 bit, so the maximum recommended is 65535, but the maximum allowable uid/gid is 4294967294.

Regards,
This contradicts the following.
Quote:
# grep GID /etc/login.defs
GID_MIN 500
GID_MAX 60000

# grep UID /etc/login.defs
UID_MIN 500
UID_MAX 60000
Can you please shed some light on it?
 
Old 10-05-2010, 02:56 AM   #10
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Hi pinga123,

65535 is the recommended value, not the default.

UID_MAX 60000 is the value for automatic uid selection in the useradd command.

If you want automatic uid selection higher than 60000 then change the value of UID_MAX in the login.defs file.

e.g. UID_MAX 80000

Regards,
 
Old 10-05-2010, 11:39 PM   #11
pinga123
Member
 
Registered: Sep 2009
Posts: 676
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by sem007 View Post
Hi pinga123,

65535 is the recommended value, not the default.

UID_MAX 60000 is the value for automatic uid selection in the useradd command.

If you want automatic uid selection higher than 60000 then change the value of UID_MAX in the login.defs file.

e.g. UID_MAX 80000

Regards,
Correct me if I am wrong.
Does this mean that by using the useradd command the maximum uid that can be given is 60000, and after that I will not be able to make any new user?
To create a userid greater than 60000 all I need to do is modify the login.defs file.

However, this doesn't apply to application-level user ids, which are assigned irrespective of what is defined in the login.defs file.
 
Old 10-06-2010, 02:01 AM   #12
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Quote:
Does this mean that by using the useradd command the maximum uid that can be given is 60000, and after that I will not be able to make any new user?
The UID_MAX value is for automatic uid selection. If you do not specify any option it will assign a unique uid automatically.

e.g.
Code:
# useradd username
You can use a uid higher than 60000 manually (without changing the UID_MAX value); for that you have to assign the uid manually with the -u option.

e.g.
Code:
# useradd -u uid username
Regards,
 
1 members found this post helpful.
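The login.defs discussion in posts #6 through #12, as an added example that is not code from the thread: a POSIX sh script that reads UID/GID limits in the login.defs format, classifies each passwd entry against them (so nfsnobody at 65534 shows up as above UID_MAX, which is legal rather than a misconfiguration), and computes the id useradd would pick next when no -u is given. The login.defs and passwd data are constructed from the values quoted in the thread so the script runs offline without root.

```shell
#!/bin/sh
# Added example, not code from the thread: read UID/GID limits in login.defs
# format, classify every passwd entry against them, and compute the id that
# useradd would hand out next. LOGIN_DEFS_DATA and PASSWD_DATA are constructed
# sample input built from the values quoted in the thread (svc is invented);
# on a real host set LOGIN_DEFS_DATA=$(cat /etc/login.defs) and
# PASSWD_DATA=$(cat /etc/passwd) instead.

LOGIN_DEFS_DATA='# comments and blank lines are ignored, last assignment wins

UID_MIN   500
UID_MAX   60000
GID_MIN   500
GID_MAX   60000'

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
admin:x:500:500::/home/admin:/sbin/nologin
dev:x:503:503::/home/dev:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
svc:x:70000:70000::/var/lib/svc:/sbin/nologin'

login_def() {
    # Value of key $1 (e.g. UID_MAX) from the login.defs data.
    printf '%s\n' "$LOGIN_DEFS_DATA" \
        | awk -v k="$1" '$1 !~ /^#/ && $1 == k { v = $2 } END { print v }'
}

classify_id() {
    # $1 = UID or GID (selects the *_MIN/*_MAX keys), $2 = numeric id.
    # Prints where the id sits relative to the configured allocation range.
    # 65534 (nobody/nfsnobody) is the largest value a 16-bit id could hold
    # below the 65535 "-1" sentinel; 4294967295 is the same sentinel in 32 bits.
    min=$(login_def "${1}_MIN"); max=$(login_def "${1}_MAX")
    if   [ "$2" -eq 0 ];          then echo root
    elif [ "$2" -lt "$min" ];     then echo system       # distro/application accounts
    elif [ "$2" -le "$max" ];     then echo auto-range   # what useradd/groupadd pick from
    elif [ "$2" -le 4294967294 ]; then echo above-range  # legal, only via useradd -u / installer
    else                               echo invalid      # the 32-bit (id_t)-1 sentinel
    fi
}

next_auto_id() {
    # $1 = UID or GID, $2 = passwd field number (3 for uid, 4 for gid).
    # Mimics useradd's default: the smallest id >= *_MIN that is greater than
    # every id already used inside the range; prints "none" when that would
    # exceed *_MAX (this example does not search for gaps the way newer
    # shadow-utils releases do).
    min=$(login_def "${1}_MIN"); max=$(login_def "${1}_MAX")
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v f="$2" -v min="$min" -v max="$max" '
        BEGIN { top = 0 }
        $f >= min && $f <= max && $f > top { top = $f }
        END { n = (top ? top + 1 : min); print (n > max ? "none" : n) }'
}

audit_ids() {
    # One line per passwd entry: user, uid, uid class, gid, gid class.
    printf '%s\n' "$PASSWD_DATA" | while IFS=: read -r user _pw uid gid _rest; do
        printf '%s\t%s\t%s\t%s\t%s\n' "$user" "$uid" "$(classify_id UID "$uid")" \
                                      "$gid" "$(classify_id GID "$gid")"
    done
}

audit_ids
printf 'next automatic uid: %s, gid: %s\n' "$(next_auto_id UID 3)" "$(next_auto_id GID 4)"
```

With the sample data the next automatic uid is 504, not 60001: UID_MAX bounds only what useradd chooses on its own, which is why an installer-created nfsnobody at 65534, or a manual useradd -u 70000, can sit above it without touching login.defs.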
  

