LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-13-2013, 08:57 PM   #1
swordfish000
LQ Newbie
 
Registered: Feb 2013
Posts: 1

13 character string in shadow file, what is it?


So I'm looking on a Redhat 6.2 machine. Looking at the shadow file I see an entry similar to:

xyz1:6ern677SUvBpo:16745:1:90:14:::

looking at the machine and running

/usr/bin/authconfig --test | grep hashing
I get sha512

From what I read I thought the password string would be in the form of (making this up)
$6$3WWbKfr1$4vblknvGr6FcDeF92R5xF/n3mskfdnEnnWNtLdl.Etq5oLVqj.UVhoWJKF4.FstCXcrj4SkARtpAigfRm1

The string I have doesn't look anything like that. It's 13 characters, almost looks compressed. What am I looking at exactly? Can I unravel 6ern677SUvBpo to something that is in $6$.../.... form?

many thanks.
 
Old 02-13-2013, 10:51 PM   #2
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,371

'man 5 shadow'
 
Old 02-14-2013, 04:49 AM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

man authconfig and pam_unix

It looks like you don't have sha512 hashing enabled (the default is MD5, when other options are not available).

There are a number of different options for hashing passwords. RH should be using the authconfig utility to set the chosen option for a number of different utilities. To see what is set use "authconfig --test", and it will list the currently configured items. Since most shell level logins are based on pam, the pam_unix manpage lists the options available to it.

One thing - the 13 character size implies it is using DES... There really should be more options. At the moment I don't have access to a 6.2 version (I'm using Fedora 16), but there should be MD5, bigcrypt, sha256, sha512, blowfish.

Last edited by jpollard; 02-14-2013 at 04:53 AM.
 
Old 02-14-2013, 10:00 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Both of the above posts are excellent responses. Here is a simplified answer for the OP; as this is their first post, I don't know if those responses will make sense or not.

The shadow file contains the login credentials including the password. A long time ago, this used to be contained in the passwd file, but this was moved elsewhere both for enhanced security and because the information in the passwd file is useful for other purposes. In the shadow file, the password is stored in what is called a hashed format. The password is passed through a cryptographic algorithm that provides a one-way translation that is repeatable, has high uniqueness, and is difficult to reverse. The purpose behind this is so that a password can be entered by a user, hashed and then compared against the stored hash. This way the system doesn't need to store the actual password and it is very difficult to get the password from the stored hash value. The default hash is md5. Because of advances in processing capability and the prevalence of what are called rainbow tables, which provide large numbers of password : hash lists for the purpose of cracking passwords, there has been a shift to larger, more complicated hashes such as SHA512, both of which are mentioned in the posts above.
 
Old 02-15-2013, 12:14 AM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

@jpollard: actually, the OP did check
Quote:
/usr/bin/authconfig --test | grep hashing
I get sha512
which btw matches my Centos 6.3

If I was paranoid I'd say someone has been in and changed it to eg DES, set passwd, then reset to default.
I would definitely change passwd and check the entry again.
If it is still only 13 chars, it suggests some file(s) has/have been replaced eg passwd cmd?
 
Old 02-15-2013, 06:49 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Even if it is set to sha512, if the library doesn't support it, it should be using MD5. But if that isn't supported either, then DES is what is used.

reference: man 3 crypt, glibc2 version (and above) should recognize many. The format of the password hash is:

Code:
Glibc Notes
       The glibc2 version of  this  function  supports  additional  encryption
       algorithms.

       If salt is a character string starting with the characters "$id$" followed
       by a string terminated by "$":

              $id$salt$encrypted

       then instead of using the DES machine,  id  identifies  the  encryption
       method  used  and  this  then  determines  how the rest of the password
       string is interpreted.  The following values of id are supported:

              ID  | Method
              ─────────────────────────────────────────────────────────
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)

       So   $5$salt$encrypted   is   an   SHA-256   encoded    password    and
       $6$salt$encrypted is an SHA-512 encoded one.

       "salt" stands for the up to 16 characters following "$id$" in the salt.
       The encrypted part of the password string is the actual computed password.
       The size of this string is fixed:

       MD5     | 22 characters
       SHA-256 | 43 characters
       SHA-512 | 86 characters

       The characters in "salt" and "encrypted" are drawn from the set
       [a-zA-Z0-9./].  In the MD5 and SHA implementations the entire key is
       significant (instead of only the first 8 bytes in DES).
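A small parser and audit script, added here as an example (it is not code from the thread, from glibc or from authconfig), that applies the crypt(3) formats quoted in jpollard's post above, the shadow field layout Noway2 describes, and chrism01's advice to check the entries: it classifies each password field as traditional DES, $1$ MD5, $5$ SHA-256 or $6$ SHA-512, checks the salt and hash lengths the man page excerpt states, converts the "last change" day count to a date, and lists accounts whose hash is weaker than the method authconfig reports as configured. The sample shadow lines, the filler hash bodies, the STRENGTH ordering and all function names are assumptions of this example; only the xyz1 line and the 3WWbKfr1 salt come from the thread.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Field order of an /etc/shadow line, per 'man 5 shadow'.
SHADOW_FIELDS = ("name", "password", "lastchange", "min", "max",
                 "warn", "inactive", "expire", "reserved")

# glibc crypt(3) "$id$salt$encrypted" schemes and the fixed hash lengths quoted
# in the man page excerpt above. Blowfish's length is not given there, so it is
# left unchecked.
CRYPT_METHODS = {"1": ("MD5", 22), "2a": ("Blowfish", None),
                 "5": ("SHA-256", 43), "6": ("SHA-512", 86)}
CRYPT_ALPHABET = re.compile(r"^[A-Za-z0-9./]+$")
# Relative ordering used by audit_shadow(); an assumption of this example.
STRENGTH = {"DES": 0, "MD5": 1, "Blowfish": 2, "SHA-256": 3, "SHA-512": 4}


@dataclass
class HashInfo:
    method: str          # DES, MD5, Blowfish, SHA-256, SHA-512, locked, empty, unknown
    salt: Optional[str]
    valid: bool          # matches the documented shape (alphabet, salt and hash length)
    note: str


def classify_password_field(field: str) -> HashInfo:
    """Work out which crypt(3) scheme produced a shadow password field."""
    if field == "":
        return HashInfo("empty", None, False, "empty password field: no password needed to log in")
    if field[0] in "!*":
        return HashInfo("locked", None, True, "locked account or no usable hash")
    if field.startswith("$"):
        parts = field.split("$")          # "$6$salt$hash" -> ['', '6', 'salt', 'hash']
        if len(parts) != 4 or parts[1] not in CRYPT_METHODS:
            return HashInfo("unknown", None, False, "unrecognised $id$ scheme")
        name, fixed_len = CRYPT_METHODS[parts[1]]
        salt, encrypted = parts[2], parts[3]
        ok = (0 < len(salt) <= 16
              and CRYPT_ALPHABET.match(salt) is not None
              and CRYPT_ALPHABET.match(encrypted) is not None
              and (fixed_len is None or len(encrypted) == fixed_len))
        return HashInfo(name, salt, ok, f"{name}, {len(encrypted)}-char hash")
    # Traditional DES crypt: 2 salt characters + 11 hash characters, same alphabet.
    if len(field) == 13 and CRYPT_ALPHABET.match(field):
        return HashInfo("DES", field[:2], True,
                        "traditional DES crypt: only the first 8 bytes of the password count")
    return HashInfo("unknown", None, False, "matches no documented crypt format")


def parse_shadow_line(line: str) -> dict:
    """Split one shadow line into named fields and classify its hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(fields)}")
    entry = dict(zip(SHADOW_FIELDS, fields))
    # lastchange is days since 1970-01-01; an empty field means "never changed".
    entry["lastchange_date"] = (date(1970, 1, 1) + timedelta(days=int(entry["lastchange"]))
                                if entry["lastchange"] else None)
    entry["hash"] = classify_password_field(entry["password"])
    return entry


def audit_shadow(text: str, configured_method: str) -> list:
    """Return (name, method, reason) for entries worth a look: malformed or
    empty password fields, or hashes weaker than the configured scheme."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        info = entry["hash"]
        if info.method == "locked":
            continue
        if not info.valid:
            findings.append((entry["name"], info.method, info.note))
        elif STRENGTH[info.method] < STRENGTH[configured_method]:
            findings.append((entry["name"], info.method,
                             f"{info.method} hash while {configured_method} is configured"))
    return findings


# Constructed sample shadow file. The xyz1 line and the 3WWbKfr1 salt come from the
# thread; the hash bodies are filler of the documented length, not real hashes.
FAKE_SHA512 = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./" * 2)[:86]
FAKE_MD5 = "ABCDEFGHIJKLMNOPQRSTUV"   # 22 characters
SAMPLE_SHADOW = f"""\
root:$6$3WWbKfr1${FAKE_SHA512}:16745:0:99999:7:::
xyz1:6ern677SUvBpo:16745:1:90:14:::
daemon:*:15000:0:99999:7:::
alice:!!:16745:0:99999:7:::
bob:$1$abcdefgh${FAKE_MD5}:16745:0:99999:7:::
carol::16745:0:99999:7:::
"""

if __name__ == "__main__":
    for name, method, reason in audit_shadow(SAMPLE_SHADOW, "SHA-512"):
        print(f"{name:8} {method:8} {reason}")
```

Run against the sample, the audit reports xyz1 (DES while SHA-512 is configured), bob (MD5) and carol (empty field), and is silent about root and the locked accounts. On a real box the same logic fed from /etc/shadow gives the check chrism01 suggests: after changing the password, the entry should come back as a valid $6$ string of 86 hash characters, and any account still carrying a 13-character DES value is worth investigating.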
 
Old 02-15-2013, 07:24 AM   #7
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

http://c59951.r51.cf2.rackcdn.com/4967-1150-perrine.pdf
 
Old 02-15-2013, 07:26 AM   #8
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Quote:
Originally Posted by chrism01 View Post
eg DES, set passwd, then reset to default.
Or manual edit of shadow?
 
Old 02-15-2013, 04:44 PM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Quote:
Originally Posted by linosaurusroot View Post
Or manual edit of shadow?
That would also work.

It would also mean that you need to reinstall.
 
Old 02-17-2013, 07:06 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Yeah, manual edit is simpler than messing with cmds, but as per jpollard, it would mean a fresh install (when you've extracted any evidence etc) as you can't trust anything after someone has been in as root.