LinuxQuestions.org
Old 04-26-2011, 12:19 PM   #1
themanwhowas
Member
 
Registered: Nov 2005
Distribution: CentOS 5, BT5, Slackware 12.0
Posts: 207

Rep: Reputation: 29
shadow password hashes


Hey guys

Two questions, 1 - Is the following correct:

The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used. A salt follows this, followed by the password hash. When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Every time that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow.

So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?


Question 2 - If my $id$ was $5$, which is sha256, how would I go about changing this? Like is there a shadow.conf or crypt.conf or something? Can I change it per user?


Thank you
 
Old 04-26-2011, 12:27 PM   #2
nomb
Member
 
Registered: Jan 2006
Distribution: Debian Testing
Posts: 675

Rep: Reputation: 58
Quote:
Originally Posted by themanwhowas
Hey guys

Two questions, 1 - Is the following correct:

The /etc/shadow file contains an id of $1$, $2$, $5$ or $6$ to show the encryption method used. A salt follows this, followed by the password hash. When a user is created and a password is set, a hash is RANDOMLY generated and used as the salt to the password hash. Every time that user logs in, login checks /etc/shadow for the $id$ and salt and runs the password given by the user through the hash mechanism ($id$) using the salt in /etc/shadow.

So basically does login look at /etc/shadow for the $id$ and salt to create a hash with which to compare to the /etc/shadow hash?


Question 2 - If my $id$ was $5$, which is sha256, how would I go about changing this? Like is there a shadow.conf or crypt.conf or something? Can I change it per user?


Thank you
Just after a quick once over that looks correct.

Some distros have a command which will change all the appropriate files for you, but in a nutshell you will need to change PAM and the system itself.

Take a look at (again may be different in other distros):
/etc/pam.d/password
/etc/default/password
/etc/login.defs

After you change the type of hash, you will have to regenerate the password hashes for your users.
 
Old 04-26-2011, 01:32 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by nomb
Some distros have a command which will change all the appropriate files for you, but in a nutshell you will need to change PAM and the system itself.
That's right. It is a good idea to include your distro / version in your initial post.

Quote:
Originally Posted by nomb
After you change the type of hash, you will have to regenerate the password hashes for your users.
Just to add some clarity: the original (pre-change) hash will still be supported in the sense that users with existing passwords should still be able to authenticate. But any passwd(1) changes from that point (post-change) going forward will use the new hash. You could conceivably have a shadow(5) file that contains users with both hash types.
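
Added example (not part of the original thread or any poster's code): a Python parser for the `$id$salt$hash` field layout described in post #1, used to list accounts still on an older scheme in the mixed-hash shadow file described in post #3. Scheme names follow crypt(3); the function names `parse_field` and `audit` and all sample entries are constructed for illustration.

```python
# Added example: classify /etc/shadow password fields by their $id$ prefix.
# Scheme names follow crypt(3); SAMPLE is constructed data, not real digests.
SCHEMES = {"1": "md5", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "2y": "bcrypt", "5": "sha256", "6": "sha512"}

def parse_field(field):
    """Split one shadow password field into scheme, rounds, salt, hash, locked."""
    locked = field.startswith("!")            # leading '!' marks a locked password
    body = field.lstrip("!")
    out = {"scheme": None, "rounds": None, "salt": None, "hash": None, "locked": locked}
    if body in ("", "*"):                     # nothing to compare a password against
        out["scheme"] = "empty" if field == "" else "no-login"
        return out
    if not body.startswith("$"):              # no $id$ prefix: traditional DES crypt
        out.update(scheme="des", salt=body[:2], hash=body[2:])
        return out
    ident, *rest = body.split("$")[1:]        # "$5$salt$hash" -> "5", ["salt", "hash"]
    out["scheme"] = SCHEMES.get(ident, "unknown:" + ident)
    if rest and rest[0].startswith("rounds="):    # optional SHA-crypt rounds parameter
        out["rounds"] = int(rest.pop(0)[len("rounds="):])
    if out["scheme"] == "bcrypt" and len(rest) == 2:
        # bcrypt stores "$cost$" followed by a 22-char salt fused with the hash
        out.update(rounds=int(rest[0]), salt=rest[1][:22], hash=rest[1][22:])
    elif len(rest) == 2:
        out["salt"], out["hash"] = rest
    return out

def audit(shadow_text, wanted="sha512"):
    """Return {user: scheme} for accounts whose stored hash is not `wanted`."""
    stale = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        info = parse_field(field)
        if info["hash"] and info["scheme"] != wanted:
            stale[user] = info["scheme"]
    return stale

SAMPLE = """\
alice:$5$saltsalt$CONSTRUCTEDSHA256DIGEST:15090:0:99999:7:::
bob:$6$rounds=10000$abcdefgh$CONSTRUCTEDSHA512DIGEST:15090:0:99999:7:::
carol:$1$oldsalt$CONSTRUCTEDMD5DIGEST:14000:0:99999:7:::
dave:!$6$xyzxyzxy$CONSTRUCTEDSHA512DIGEST:15090:0:99999:7:::
daemon:*:14000:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts reported by `audit` keep authenticating with their old hash until the password is next changed, at which point the entry is rewritten with the configured scheme.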
 
  

