LinuxQuestions.org
Old 06-07-2005, 08:28 AM   #1
Timur Sakayev
LQ Newbie
 
Registered: Dec 2004
Location: Fairfield, CT
Distribution: Mandrake, SUSE, RH
Posts: 21

Rep: Reputation: 15
Shadow file question


I'm a bit puzzled here.

I am trying to move accounts from Mandrake 10.1 to RH ES. As part of the setup process of RH, I created an account for myself with the same password as on the M. Now, when I look at the shadow files of both machines, the hashes for my accounts are different. At the same time, when I recreated some of the other users on the RH and pasted the hashes from M's shadow file, I'm able to log in without a problem (at least via FTP). So why is it that in one scenario, when the password is the same, the hashes are different?

Thanks,

Tim
 
Old 06-07-2005, 09:43 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
The salts are different. A password field looks something like this:
Code:
$1$xxxxxxxx$yyyyyyyyyyyy
The "1" says that this is an MD5 hash, the string of 8 x's is the salt, and the remainder is the hashed password. The salt is used in hashing the password, so that if you used two different salts on the same password, you'd have two different hashes.
 
Old 06-07-2005, 09:57 AM   #3
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
As an addendum, you don't want a user to know if s/he has the same password as another user. By using different salts, you can allow multiple users to have the same password without having identical shadow entries.

Berhanie basically covered the technical aspects.
 
Old 06-07-2005, 10:05 AM   #4
samael26
Member
 
Registered: Oct 2004
Location: France, Provence
Distribution: Debian
Posts: 848

Rep: Reputation: 30
To check if an entered password matches, just apply the identical mathematical algorithm to it: if it matches, then the password is correct. This is how the login command works.

Sometimes you will see a * in place of a hashed password. This means the account has been disabled.

Source: Rute User's Tutorial and Exposition by Paul Sheer.
 
Old 06-07-2005, 10:20 AM   #5
Timur Sakayev
LQ Newbie
 
Registered: Dec 2004
Location: Fairfield, CT
Distribution: Mandrake, SUSE, RH
Posts: 21

Original Poster
Rep: Reputation: 15
:-)

Berhanie, GNUbie and samael26,

Thank you very much for the quick response. This wasn't a critical issue; I just don't like to leave something as "I don't get it, but since it is working, I don't bother figuring it out".

Thanks again!
 
  


All times are GMT -5. The time now is 05:34 AM.
