Linux operating system password file security problem analysis

  
The format of the password files is the same on almost all Unix-like operating systems, and Linux is no exception. Password security is one of the traditional security issues of the Linux operating system.

Traditional Password and Shadow Password

/etc/passwd is the password file that stores basic information about each user. Each line of the file describes one account as 7 fields separated by 6 colons:

username:passwd:uid:gid:comments:directory:shell

From left to right, the 7 fields are described as follows:

username: is the name used by the user to log in.

passwd: the password ciphertext field. The ciphertext is the encrypted (one-way hashed) password. If shadow passwords are enabled, this field shows only an x; passwords should normally be shadowed for security. If the field shows *, the username is valid but cannot be used to log in. If the field is empty, the user can log in without a password.

uid: the number the system uses to uniquely identify the user. uid values are assigned as follows:

0        superuser

1~10     daemons and pseudo users

11~99    reserved for the system

100~     normal users

gid: the user's default group number, as defined in the /etc/group file.

comments: descriptive information about the user (for example the full name).

directory: the user's initial working (home) directory.

shell: the shell started for the user after logging in to the system.

Table 1 (at the end of this article) lists the standard users created during installation; its contents match the description of the /etc/passwd file.

Table 2 (also at the end) lists the standard user groups created during installation; they match the /etc/group file.

Linux encrypts passwords with a one-way algorithm such as DES. Because the algorithm is irreversible, the plaintext cannot be read back from the ciphertext. The problem is that the /etc/passwd file is world-readable and the algorithm is public: a malicious user who obtains /etc/passwd can run every candidate plaintext through the same algorithm and compare the result with the stored ciphertext until they match, which cracks the password offline. To address this, Linux/Unix widely adopts the "shadow" mechanism: the encrypted passwords are moved to the /etc/shadow file, which only the root superuser can read, and the ciphertext field of /etc/passwd shows only an x, minimizing the chance that ciphertext leaks.
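As an added example (not code from the original article), the following Python script parses lines in /etc/passwd format, classifies the password field exactly as described above (x, *, empty, or exposed ciphertext), maps each uid to the ranges listed above, and reports the conditions an administrator would want to catch: an empty password field, ciphertext still sitting in the world-readable file, and uid 0 on an account other than root. The sample lines are constructed; the second field of the bob line is a placeholder standing in for exposed ciphertext, not a real hash.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in /etc/passwd format (not copied from any real system).
# bob's second field is a placeholder standing in for exposed ciphertext.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/home/ftp:
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:PLACEHOLDERCIPHER:501:501:Bob:/home/bob:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    username: str
    passwd: str
    uid: int
    gid: int
    comments: str
    directory: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content: one account per line, 7 colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        user, pw, uid, gid, comments, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), comments, home, shell))
    return entries


def password_status(pw: str) -> str:
    """Classify the passwd field the way the article describes it."""
    if pw == "x":
        return "shadowed"      # real ciphertext lives in root-only /etc/shadow
    if pw == "*":
        return "locked"        # valid name, but login is impossible
    if pw == "":
        return "no-password"   # login succeeds without any password
    return "hash-exposed"      # ciphertext sits in a world-readable file


def uid_class(uid: int) -> str:
    """Map a uid to the range classes listed in the article."""
    if uid == 0:
        return "super user"
    if 1 <= uid <= 10:
        return "daemon/pseudo user"
    if 11 <= uid <= 99:
        return "system reserved user"
    return "normal user"


def audit_passwd(text: str) -> List[str]:
    """One finding per risky entry, in file order; an empty list means clean."""
    findings = []
    for e in parse_passwd(text):
        status = password_status(e.passwd)
        if status == "no-password":
            findings.append(f"{e.username}: empty password field, login needs no password")
        elif status == "hash-exposed":
            findings.append(f"{e.username}: ciphertext stored in /etc/passwd, run pwconv")
        if e.uid == 0 and e.username != "root":
            findings.append(f"{e.username}: uid 0 ({uid_class(0)}) on an account other than root")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

To check a real system, call audit_passwd(open("/etc/passwd").read()); no privilege is needed to read the file, which is exactly why the ciphertext must not live in it.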

Each line of the /etc/shadow file has 9 fields separated by 8 colons, in the following format:

username:passwd:lastchg:min:max:warn:inactive:expire:flag

Where:

lastchg: the number of days since January 1, 1970 on which the password was last changed.

min: the minimum number of days that must pass between password changes.

max: the maximum number of days for which the password remains valid. A value of 99999 means the password never expires.

warn: how many days before the password expires the system starts warning the user.

inactive: the number of days after the password expires before the account is disabled.

expire: the date (in days since January 1, 1970) after which the user is forbidden to log in.

flag: reserved, not used.
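As an added example (not code from the original article), this Python script parses lines in the /etc/shadow format above, converts the day counts in lastchg and expire into calendar dates, and reduces the aging fields to a single account state (locked, account-expired, password-expired, disabled after the inactive grace period, warning window, or ok). The sample lines are constructed and the hash fields are placeholders; the precise boundary rules (for example "on or after" the expiry day) are a choice made here, not a statement about any particular login implementation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EPOCH = date(1970, 1, 1)   # day 0 for the lastchg and expire fields

# Constructed sample in /etc/shadow format; the hash fields are placeholders, not real.
SAMPLE_SHADOW = """\
root:PLACEHOLDERHASH:11000:0:99999:7:::
alice:PLACEHOLDERHASH:11000:1:90:7:14::
bob:PLACEHOLDERHASH:10900:0:30:7::11050:
carol:*:11000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    username: str
    passwd: str
    lastchg: Optional[int]
    min: Optional[int]
    max: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]
    flag: str


def _int_or_none(s: str) -> Optional[int]:
    """Numeric shadow fields may be empty, which means 'not set'."""
    return int(s) if s != "" else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse /etc/shadow content: 9 colon-separated fields per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        numeric = [_int_or_none(x) for x in f[2:8]]
        entries.append(ShadowEntry(f[0], f[1], *numeric, f[8]))
    return entries


def days_to_date(days: int) -> date:
    """Convert a days-since-1970-01-01 count into a calendar date."""
    return EPOCH + timedelta(days=days)


def password_expiry(e: ShadowEntry) -> Optional[date]:
    """Date on which the password stops being valid; None if it never expires."""
    if e.lastchg is None or e.max is None or e.max == 99999:
        return None
    return days_to_date(e.lastchg + e.max)


def account_state(e: ShadowEntry, today: date) -> str:
    """Reduce the aging fields to one state, checked in order of severity."""
    if e.passwd == "*":
        return "locked"
    if e.expire is not None and today >= days_to_date(e.expire):
        return "account-expired"            # expire is an absolute date
    exp = password_expiry(e)
    if exp is None:
        return "ok"
    if today >= exp:
        # inactive: grace days after password expiry before the account is disabled
        if e.inactive is not None and today >= exp + timedelta(days=e.inactive):
            return "disabled"
        return "password-expired"
    if e.warn is not None and today >= exp - timedelta(days=e.warn):
        return "warning"                    # inside the warn window
    return "ok"


def report(text: str, today: date) -> Dict[str, str]:
    """Username -> state for every entry in the given shadow content."""
    return {e.username: account_state(e, today) for e in parse_shadow(text)}


if __name__ == "__main__":
    for user, state in report(SAMPLE_SHADOW, date.today()).items():
        print(f"{user:8} {state}")
```

Reading the real /etc/shadow requires root, which is the whole point of the shadow mechanism; run the report from a privileged cron job rather than loosening the file's permissions.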

Enabling Shadow Passwords

RedHat Linux enables shadow passwords by default. If you find that your system's /etc/passwd file still contains password ciphertext, shadow passwords are not enabled; run pwconv to enable them.

In RedHat Linux 7.1, the shadow utilities package (shadow-utils) contains several tools that support the following functions:

Conversion between traditional passwords and shadow passwords: pwconv, pwunconv.

Consistency checks of the password and group files against their shadow counterparts: pwck, grpck.

Adding, deleting, and modifying user accounts in an industry-standard way: useradd, usermod, userdel.

Adding, deleting, and modifying user groups in an industry-standard way: groupadd, groupmod, groupdel.

Managing the /etc/group file in an industry-standard way.

The above tools can be used normally regardless of whether the system has the shadow mechanism enabled.

Change the minimum length of Linux password

The default minimum password length on a Linux system is 5 characters. This length is not enough to guarantee password strength; it should be raised to at least 8 characters. Edit the /etc/login.defs file and change

PASS_MIN_LEN 5

to:

PASS_MIN_LEN 8
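As an added example (not code from the original article), this Python script reads the /etc/login.defs format, reports the active PASS_MIN_LEN value, checks it against the 8-character minimum recommended above, and rewrites the setting in place while leaving commented-out lines alone. The sample file content is constructed; the function and constant names are this example's own.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of /etc/login.defs carrying the default the article cites.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
# PASS_MIN_LEN   12   (commented out, must be ignored)
"""

REQUIRED_MIN_LEN = 8          # the minimum the article recommends
DEFAULT_MIN_LEN = 5           # the system default the article cites


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return NAME -> value for active settings; '#' starts a comment, last one wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_min_len(text: str, required: int = REQUIRED_MIN_LEN) -> Tuple[int, bool]:
    """Return (current PASS_MIN_LEN, whether it meets the required minimum)."""
    settings = parse_login_defs(text)
    current = int(settings.get("PASS_MIN_LEN", DEFAULT_MIN_LEN))
    return current, current >= required


def set_min_len(text: str, new_len: int = REQUIRED_MIN_LEN) -> str:
    """Rewrite the active PASS_MIN_LEN line, keeping its spacing; append one if absent."""
    pattern = re.compile(r"^(\s*PASS_MIN_LEN\s+)\d+(.*)$")
    out, replaced = [], False
    for line in text.splitlines():
        m = pattern.match(line)          # commented lines start with '#', so never match
        if m:
            out.append(f"{m.group(1)}{new_len}{m.group(2)}")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"PASS_MIN_LEN\t{new_len}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    current, ok = check_min_len(SAMPLE_LOGIN_DEFS)
    print(f"PASS_MIN_LEN is {current}: {'ok' if ok else 'too short'}")
    print(set_min_len(SAMPLE_LOGIN_DEFS), end="")
```

On current distributions the effective minimum length is usually enforced by a PAM module (pam_cracklib or pam_pwquality) rather than by this setting alone, so check the PAM configuration as well after editing login.defs.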

Table 1

User      uid   gid   Directory              Shell
root      0     0     /root                  /bin/bash
bin       1     1     /bin
daemon    2     2     /sbin
adm       3     4     /var/adm
lp        4     7     /var/spool/lpd
sync      5     0     /sbin                  /bin/sync
shutdown  6     0     /sbin                  /sbin/shutdown
halt      7     0     /sbin                  /sbin/halt
mail      8     12    /var/spool/mail
news      9     13    /var/spool/news
uucp      10    14    /var/spool/uucp
operator  11    0     /root
games     12    100   /usr/games
gopher    13    30    /usr/lib/gopher-data
ftp       14    50    /home/ftp
nobody    99    99    /

Table 2

Group     gid   Members
root      0     root
bin       1     root,bin,daemon
daemon    2     root,bin,daemon
sys       3     root,bin,adm
adm       4     root,adm,daemon
tty       5
disk      6     root
lp        7     daemon,lp
mem       8
kmem      9
wheel     10    root
mail      12    mail
news      13    news
uucp      14    uucp
man       15
games     20
gopher    30
dip       40
ftp       50
nobody    99
users     100
floppy    19
