LinuxQuestions.org
Old 08-26-2003, 10:33 PM   #1
granny
Member
 
Registered: Nov 2002
Distribution: RH
Posts: 141

Rep: Reputation: 15
/etc/shadow and useradd -p usermod -p


ok weird...

RH 7.3

When I do a useradd -p to add a new user and specify a password for the user, it actually displays in the /etc/shadow file in plain text.

If I do usermod -p on an existing user, it decrypts the hash in /etc/shadow and shows the plain text password.

Why? And how can I fix this?

If I use the passwd command, it is encrypted fine.

TIA!!
 
Old 08-28-2003, 02:29 PM   #2
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
-p passwd
The encrypted password, as returned by crypt(3). The default is to disable the account.


From my useradd on Debian. Don't give it the cleartext password. :)

Have fun,
chris
 
Old 08-28-2003, 11:22 PM   #3
granny
Member
 
Registered: Nov 2002
Distribution: RH
Posts: 141

Original Poster
Rep: Reputation: 15
huh?
 
Old 08-29-2003, 01:24 AM   #4
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
granny,

Short answer is just to use the 'passwd' command. It's the standard way of setting the password. It usually uses PAM (Password Authentication Modules) for this.

The useradd and usermod programs expect a previously encrypted password. Not the plain text, as they write it directly to /etc/shadow. You're seeing the password in /etc/shadow, right? (If not, I haven't understood your message :<( ) It could be different in RH 7.3, but I doubt it. Read the man page 'man useradd' to see what it says for the "-p" option.

I'll try to walk you through what I think is happening. ($ is the command line, # is a comment.)
Code:
# Add the user
$ useradd -p test1 test1
# This is the command you are using, right?

# Print out the line in shadow
$ grep test1 /etc/shadow
test1:test1:12293:0:99999:7:::
# Notice the plaintext password of test1, and this shouldn't work.

# Now, we will generate a "crypted" password.
# A crypted password is 13 characters, the first two are the "salt"
# Debian has a command called "mkpasswd" that does this.
# Another way is to use the openssl command which should be available
$ openssl passwd test1
NYetuFTIgHVpo

# Now put the password into /etc/shadow
$ usermod -p NYetuFTIgHVpo test1

# What does it look like now?
$ grep test1 /etc/shadow
test1:NYetuFTIgHVpo:12293:0:99999:7:::

# This is what it should look like

Please note that putting the password on the command line is BAD ('openssl passwd test1' and even 'usermod -p NYetuFTIgHVpo test1'). Bad, because bash will save the command to ~/.bash_history. Even worse is that any user could be running ps and see the command, with the user's password. If you don't put the password on the command line, 'openssl passwd' will ask, much like the standard 'passwd'. I used it for clarity (hopefully the meaning is clear above).

While I'm on the subject, it is possible to use an MD5 hash instead of the DES crypt. It will look something like this in /etc/shadow: "$1$oGnDy2jS$Ht4kvgGKIZhQzoCoGnKQl1". The "$1" means it is a "version 1" MD5 hash, and the characters between the next two dollar signs are the salt. Left over is the hash. On older systems, it probably requires an upgrade, and is much easier if the distro does it. It requires all the programs that touch /etc/shadow to be aware. If PAM is used by everything, then that is the only thing that needs to be upgraded (or installing the proper module).

Hopefully this makes sense,
chris
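
Added example (not part of the original thread): a shell function that audits shadow-format lines for the symptom discussed above, a password field that is not a crypt(3) hash because cleartext was handed to `-p`. The function names and sample accounts are constructed for illustration; the two hash strings are the ones quoted in post #4.

```sh
#!/bin/sh
# Classify the password field (2nd field) of shadow-format lines.
# Prints "user verdict" and never echoes the field itself.
audit_shadow() {
    awk -F: '
    function classify(f) {
        if (f == "")     return "EMPTY";     # no password required at all
        if (f ~ "^[!*]") return "locked";    # !, !!, * or a locked hash
        # Modular crypt format: $id$salt$hash (the MD5 form in the thread is $1$)
        if (f ~ "^[$][0-9a-z]+[$][^$]+[$].+") return "modular-crypt";
        # Traditional DES crypt: exactly 13 characters from the crypt alphabet
        if (length(f) == 13 && f ~ "^[./0-9A-Za-z]+$") return "des-crypt";
        return "NOT-A-HASH";                 # e.g. cleartext given to -p
    }
    NF >= 2 { print $1, classify($2) }
    ' "$@"
}

# Constructed sample input in /etc/shadow layout.
sample_shadow() {
    cat <<'EOF'
test1:test1:12293:0:99999:7:::
test2:NYetuFTIgHVpo:12293:0:99999:7:::
test3:$1$oGnDy2jS$Ht4kvgGKIZhQzoCoGnKQl1:12293:0:99999:7:::
daemon:*:12293:0:99999:7:::
newacct:!!:12293:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
# On a live system (root required): audit_shadow /etc/shadow
```

The check is by shape only: a cleartext password that happens to be 13 characters from the crypt alphabet would be reported as des-crypt. Any account reported as NOT-A-HASH should have its password reset with passwd.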
 
  


All times are GMT -5.