:Taken from CoTNO 5:
                     Notes on Unix Password Security
                                  by
                                Voyager
                          will@gnu.ai.mit.edu
Introduction
~~~~~~~~~~~~
Standard Unix implementations keep user passwords in the file
/etc/passwd.  An entry in the password file consists of seven
colon-delimited fields:
Username
Encrypted password (And optional password aging data)
User number
Group Number
GECOS Information
Home directory
Shell
]
] Sample entry from /etc/passwd:
]
] will:5fg63fhD3d:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]
Broken down, this passwd file line shows:
          Username: will
Encrypted password: 5fg63fhD3d
       User number: 9406
      Group Number: 12
 GECOS Information: Will Spencer
    Home directory: /home/fsg/will
             Shell: /bin/bash
Password Aging
~~~~~~~~~~~~~~
On some systems you will find passwd entries with password aging
installed. Password aging forces the user to change passwords after a
System Administrator specified period of time.  Password aging can
also force a user to keep a password for a certain number of weeks
before changing it.
]
] Sample entry from /etc/passwd with password aging installed:
]
] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]
Note the comma in the encrypted password field.  The characters after
the comma are used by the password aging mechanism.
]
] Password aging characters from above example:
]
] M.z8
]
The four characters are interpreted as follows:
  1: Maximum number of weeks a password can be used before changing
  2: Minimum number of weeks a password must be used before changing
3&4: Last time password was changed, in number of weeks since 1970/1/1,
     as a two-digit base-64 number with the third character as the
     low-order digit.  In the sample above "z8" is 63 + 10*64 = 703
     weeks, i.e. the week of 23 June 1983.  (Read the other way round
     the sample would date the change to the 21st century.)
Three special cases should be noted:
If the first and second characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in.  The
passwd program will then remove the passwd aging characters, and the
user will not be subjected to password aging requirements again.
If the third and fourth characters are set to '..' the user will be
forced to change his/her passwd the next time he/she logs in. Password
aging will then occur as defined by the first and second characters.
If the first character (MAX) is less than the second character (MIN),
the user is not allowed to change his/her password.  Only root can
change that user's password.
It should also be noted that the su command does not check the
password aging data.  An account with an expired password can be su'd
to without being forced to change the password.
The password aging codes are in base-64 format, and can be converted to
decimal using the following table:
                        Password Aging Codes
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
|    Number:  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
|    Number: 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
|    Number: 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
|    Number: 60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+
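The following Python is an added example, not code from Voyager's article: it splits a passwd entry into its seven fields, separates the aging string from the encrypted password at the comma, and decodes the aging characters with the table above, covering the three special cases.  The first sample line is the article's own; the other three are constructed here to exercise the special cases.  Reading the third character as the low-order base-64 digit of the week count is the interpretation under which the article's "z8" gives 703 weeks (June 1983); the code labels it as an assumption.

```python
from datetime import date, timedelta

# crypt(3)'s own base-64 alphabet (the table above): '.'=0, '/'=1,
# '0'-'9'=2..11, 'A'-'Z'=12..37, 'a'-'z'=38..63.
AGING_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)

# status values returned by decode_aging()
NO_AGING = "no-aging"
NORMAL = "aging"
CHANGE_THEN_REMOVE = "change-at-next-login-then-no-aging"   # MAX,MIN == '..'
CHANGE_NEXT_LOGIN = "change-at-next-login"                  # week chars == '..'
LOCKED = "only-root-may-change"                             # MAX < MIN


def a64(ch):
    """Value (0..63) of one password-aging character."""
    value = AGING_ALPHABET.find(ch)
    if value < 0:
        raise ValueError("not a password-aging character: %r" % ch)
    return value


def parse_passwd_line(line):
    """Split a 7-field /etc/passwd entry; the password field is split again
    at the comma into the encrypted password and the optional aging string."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-delimited fields, got %d" % len(fields))
    name, pwfield, uid, gid, gecos, home, shell = fields
    encrypted, _, aging = pwfield.partition(",")
    return {"name": name, "encrypted": encrypted, "aging": aging,
            "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell}


def decode_aging(aging):
    """Interpret the four aging characters MAX MIN WEEK-LO WEEK-HI."""
    if aging == "":
        return {"status": NO_AGING}
    if len(aging) != 4:
        raise ValueError("expected 4 aging characters, got %r" % aging)
    max_ch, min_ch, lo, hi = aging
    if max_ch == "." and min_ch == ".":
        # forced change at next login; passwd then strips the aging string
        return {"status": CHANGE_THEN_REMOVE}
    info = {"max_weeks": a64(max_ch), "min_weeks": a64(min_ch)}
    if lo == "." and hi == ".":
        # no last-change week recorded: forced change, aging stays in force
        info["status"] = CHANGE_NEXT_LOGIN
        return info
    # Weeks since 1970-01-01, low-order base-64 digit first.  This digit
    # order is an assumption; it is the one under which the article's
    # sample "z8" gives 63 + 10*64 = 703 weeks.
    last_week = a64(lo) + 64 * a64(hi)
    info["last_week"] = last_week
    info["last_changed"] = EPOCH + timedelta(weeks=last_week)
    if info["max_weeks"] < info["min_weeks"]:
        info["status"] = LOCKED
        return info
    info["status"] = NORMAL
    info["change_allowed_after"] = EPOCH + timedelta(weeks=last_week + info["min_weeks"])
    info["expires"] = EPOCH + timedelta(weeks=last_week + info["max_weeks"])
    return info


# The article's sample entry plus constructed entries (not from any real
# system) exercising the three special cases.
SAMPLE_LINES = [
    "will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash",
    "alice:5fg63fhD3d,..z8:9407:12:Constructed:/home/alice:/bin/sh",
    "bob:5fg63fhD3d,M...:9408:12:Constructed:/home/bob:/bin/sh",
    "carol:5fg63fhD3d,.Mz8:9409:12:Constructed:/home/carol:/bin/sh",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_passwd_line(line)
        print(entry["name"], decode_aging(entry["aging"]))
```

Run it as a script to see each sample classified; for the article's entry it reports MAX 24 weeks, MIN 0, last change 1983-06-23 and expiry 24 weeks later on 1983-12-08.  Note that '..' in the week position decodes to week 0, so the special case has to be tested before the number is used.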
Password Aging Defaults
~~~~~~~~~~~~~~~~~~~~~~~
System wide defaults for password aging are stored in the file
/etc/default/passwd.
]
] Sample entry from /etc/default/passwd under System V release 4.0
]
] MINWEEKS=0
] MAXWEEKS=500
] PASSLENGTH=5
] WARNWEEKS=1
]
MINWEEKS is the default minimum number of weeks a password must be
used before changing.  MAXWEEKS is the default maximum number of weeks
a password can be used before changing.  PASSLENGTH is the minimum
number of characters a password may contain.  WARNWEEKS, which did not
exist prior to System V Release 4, is the number of weeks a user is
warned that they must change their password.
Password Shadowing
~~~~~~~~~~~~~~~~~~
The file /etc/passwd has always been world readable, because many
ordinary programs (ls, finger, mail) need it to map user numbers to
names.  This allows password crackers to copy the encrypted passwords
and attempt to crack them offline.  Newer versions of Unix use a
scheme known as shadowing to alleviate this problem.
On a Unix system with password shadowing, the encrypted password field
of the password file is replaced by a special token.  When the login
and passwd programs see this token in the password field, they switch
to the shadowed copy of the password file for the actual encrypted
password.  The shadowed copy is readable only by root; passwd runs
set-UID root, and login already runs as root, so both can read it.
Defeating Password Shadowing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Password shadowing can be defeated on some systems by using
getpwent(), as in the following program.  Each call to getpwent()
returns the next entry of the password database, one per line of the
passwd file; under older shadowing schemes the C library filled in
pw_passwd with the real encrypted password even for unprivileged
callers.  On current systems an ordinary user gets back only the
token, so this method only works for older password shadowing schemes.
] #include <stdio.h>
] #include <pwd.h>
]
] /* Print every entry of the password database in /etc/passwd format.
]    pw_passwd holds the encrypted password only if the library hands it
]    to an unprivileged caller; otherwise it is the shadow token. */
] int main(void)
] {
]     struct passwd *p;
]
]     while ((p = getpwent()) != NULL)
]         printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
]                (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir,
]                p->pw_shell);
]     endpwent();
]     return 0;
] }
On systems where getpwent() fails, it is possible to use the
pwdauth() function for similar purposes: it takes a login name and a
cleartext password and reports whether they match, so a cracker can
test guesses without ever seeing the encrypted password.  Note that
the pwdauth() function is purposely designed to operate very slowly.
This program shows the basics of pwdauth(); for a more complete
example of a cracker utilizing pwdauth() refer to Shadow Crack from
The Shining/UPi.
]
] #include <stdio.h>
]
] #define MAXLOGIN 8
] #define MAXPASS 8
]
] /* pwdauth() is a vendor library routine, not standard C: it takes a
]    login name and a cleartext password and returns 0 if they match. */
] int pwdauth(const char *login, const char *password);
]
] int main(void)
] {
]     char login[MAXLOGIN + 1];        /* +1 for the terminating NUL */
]     char password[MAXPASS + 1];
]
]     printf("login: ");
]     if (scanf("%8s", login) != 1)    /* field width bounds the read */
]         return 1;
]
]     printf("password: ");
]     if (scanf("%8s", password) != 1)
]         return 1;
]
]     if (pwdauth(login, password) == 0)
]         printf("Correct!\n");
]     else
]         printf("Wrong!\n");
]     return 0;
] }
] 
A third method of defeating password shadowing is to have root
privileges, as root is able to read the shadowed password file
directly.
The following chart shows the location of the shadowed password
information and the token left in the /etc/passwd file by various
versions of Unix.
]
] Unix                  Path                            Token
] -----------------------------------------------------------------
] AIX 3                 /etc/security/passwd            !
]        or             /tcb/auth/files/<first letter   #
]                             of username>/<username>
] A/UX 3.0s             /tcb/files/auth/?/*
] BSD4.3-Reno           /etc/master.passwd              *
] ConvexOS 10           /etc/shadpw                     *
] ConvexOS 11           /etc/shadow                     *
] DG/UX                 /etc/tcb/aa/user/               *
] EP/IX                 /etc/shadow                     x
] HP-UX                 /.secure/etc/passwd             *
] IRIX 5                /etc/shadow                     x
] Linux 0.99            /etc/shadow                     *
] OSF/1                 /etc/passwd[.dir|.pag]          *
] SCO UNIX R3.2v4.2     /etc/shadow                     x
] SCO Unix 3.2.x        /tcb/auth/files/<first letter   *
]                             of username>/<username>
] SunOS 4.1+c2          /etc/security/passwd.adjunct    ##username
] SunOS 5.0             /etc/shadow
]                       <optional NIS+ private secure maps/tables/whatever>
] System V Release 3.2  /etc/shadow                     x
] System V Release 4.0  /etc/shadow                     x
] System V Release 4.2  /etc/security/* database
] Ultrix 4              /etc/auth[.dir|.pag]            *
] UNICOS                /etc/udb                        *
]
Format of the shadowed password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The format of the shadowed password file differs under various Unix
implementations.  Many implementations follow the original System V
Release 3.2, while others opt for a more complicated yet more
efficient database structure.
An entry in the System V Release 3.2 shadow file consists of five
colon delimited fields:
Username
Encrypted password (And optional password aging data)
Last time password was changed, in number of days since 1970/1/1
Minimum number of days a password must be used before changing
Maximum number of days a password can be used before changing
System V Release 4 introduced three more fields to the shadow file:
The number of days before the password expires that the user will be warned
The number of days of inactivity allowed for the user
The absolute expiration date for the account, in days since 1970/1/1
Later implementations, including Linux and Solaris, append a ninth,
reserved field that is normally left empty.
]
] Sample entry from /etc/shadow under System V release 4.0
]
] will:5fg63fhD3d:8960:1:60:10:90:10000
]
Broken down, this shadow file line shows:
          Username: will
Encrypted password: 5fg63fhD3d
       Last change: 8960  (Password was last changed 8960 days after
                           1970/1/1, i.e. on 1994/7/14)
      Minimum days: 1     (Password must be kept for 1 day without changing)
      Maximum days: 60    (Password must be changed every 60 days)
      Warning days: 10    (User receives 10 days warning of required
                           password change)
   Inactivity days: 90    (Account disabled if not used for 90 days)
   Expiration date: 10000 (Account expires 10000 days after 1970/1/1,
                           i.e. on 1997/5/19)
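As an added example (not code from the article), the following Python parses an SVR4-style shadow entry, converts the day counts to dates, and classifies the entry as of a given day using the last-change, maximum, warning and account-expiry fields.  The first sample is the article's own line; the second is constructed here to show empty (unlimited) fields and the ninth reserved field that Linux and Solaris add.  The rule that a last-change value of 0 forces a change at the next login is taken from those systems' shadow manual pages, not from the article.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "encrypted", "lastchg", "min", "max", "warn", "inactive", "expire")

# states returned by password_state()
OK, WARN, EXPIRED, ACCOUNT_EXPIRED, CHANGE_NEXT_LOGIN = (
    "ok", "warn", "password-expired", "account-expired", "change-at-next-login")


def days_to_date(n):
    """Day count since 1970-01-01 to a calendar date."""
    return EPOCH + timedelta(days=n)


def parse_shadow_line(line):
    """Parse an SVR4-style shadow entry.  Numeric fields left empty become
    None (no limit).  A ninth, reserved field (Linux, Solaris) is accepted
    and ignored."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 9:
        fields = fields[:8]
    if len(fields) != 8:
        raise ValueError("expected 8 (or 9) fields, got %d" % len(fields))
    rec = dict(zip(FIELDS, fields))
    for key in FIELDS[2:]:
        rec[key] = int(rec[key]) if rec[key] != "" else None
    return rec


def change_due(rec):
    """Day by which the password must be changed, or None if no maximum."""
    if rec["lastchg"] is None or rec["max"] is None:
        return None
    return rec["lastchg"] + rec["max"]


def password_state(rec, today):
    """Classify an entry as of `today` (a datetime.date)."""
    today_days = (today - EPOCH).days
    if rec["expire"] is not None and today_days >= rec["expire"]:
        return ACCOUNT_EXPIRED
    # shadow(5)/shadow(4) on Linux and Solaris: last-change 0 means the
    # user must change the password at the next login
    if rec["lastchg"] == 0:
        return CHANGE_NEXT_LOGIN
    due = change_due(rec)
    if due is None:
        return OK
    if today_days >= due:
        return EXPIRED
    if rec["warn"] is not None and today_days >= due - rec["warn"]:
        return WARN
    return OK


# The article's sample line, plus a constructed 9-field entry with no
# aging limits set (not taken from any real system).
SAMPLE = "will:5fg63fhD3d:8960:1:60:10:90:10000"
NO_LIMITS = "daemon:*:8960::::::"

if __name__ == "__main__":
    rec = parse_shadow_line(SAMPLE)
    print("last changed:", days_to_date(rec["lastchg"]))
    print("change due:  ", days_to_date(change_due(rec)))
    print("account ends:", days_to_date(rec["expire"]))
    for day in (8970, 9015, 9030, 10000):
        print(days_to_date(day), password_state(rec, days_to_date(day)))
```

For the article's entry the script reports the last change on 1994-07-14, the change due 60 days later on 1994-09-12 with warnings from 1994-09-02, and the account expiring on 1997-05-19.  The inactivity field is parsed but not used in the classification, since its exact meaning differs between implementations.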
The SunOS adjunct system
~~~~~~~~~~~~~~~~~~~~~~~~
Sun Microsystems introduced changes in their version of the shadow
file in SunOS 4.1.
An entry in the SunOS passwd.adjunct file consists of seven colon
delimited fields:
Username
Encrypted password (And optional password aging data)
Minimum login clearance
Maximum login clearance
Default login clearance
Audit flags that are always audited
Audit flags that are never audited
]
] Sample entry from /etc/security/passwd.adjunct under SunOS 4.1
]
] will:5fg63fhD3d::::ad,p0,p1:dr,dw,dc,da,lo
]
Broken down, this passwd.adjunct line shows:
               Username: will
     Encrypted password: 5fg63fhD3d
Minimum login clearance:
Maximum login clearance:
Default login clearance:
           Always audit: ad,p0,p1
            Never audit: dr,dw,dc,da,lo
NIS
~~~
NIS (Network Information Service) is the current name for what was
once known as yp (Yellow Pages).  The purpose of NIS is to allow many
machines on a network to share configuration information, including
password data.  NIS is not designed to promote system security.  If
your system uses NIS you will have a very short /etc/passwd file that
includes a line that looks like this:
+::0:0:::
The leading '+' tells the C library to append the NIS passwd map at
that point.  To view the real password data, encrypted passwords
included, any user on any NIS client can use this command: "ypcat passwd"
Password cracking
~~~~~~~~~~~~~~~~~
Contrary to popular belief, Unix passwords cannot be decrypted.  Unix
passwords are encrypted with a one-way function, crypt(3).  The login
program encrypts the text you enter at the "password:" prompt and
compares that encrypted string against the encrypted form of your
password.  A real crypt(3) string is 13 characters long; its first two
characters are the salt, which is fed back into the function so that
the same password encrypts differently under different salts.  (The
sample strings in this article are shorter than a real hash.)
Password cracking software uses wordlists.  The password cracking
program encrypts each word in the wordlist with each target's salt and
compares that encrypted string against the encrypted form of the
password.  If the encrypted forms match, the password is known.
To crack passwords, you will need a password cracking program and a
wordlist.  The best cracking program for Unix passwords is currently
Crack by Alec Muffett.  For PC-DOS, the best package to use is
currently CrackerJack.  Larger wordlists will allow you to crack more
accounts.
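The loop described above, as an added example that is neither the article's code nor Crack's: a dictionary attack that applies a few Crack-style mangling rules to each wordlist entry and groups the targets by salt so each candidate is hashed once per salt rather than once per account.  Because DES crypt(3) is not available from every Python build, demo_hash() is a stand-in one-way function (SHA-256, with the two-character salt prefixed to its output the way crypt does); the accounts and wordlist are constructed here and contain no real hashes.  Substitute crypt() for demo_hash() to run it against real /etc/passwd entries.

```python
import hashlib

# Password-field values that mean "nothing here to crack".
UNCRACKABLE = ("", "*", "x", "!", "!!")


def demo_hash(word, salt):
    """Stand-in for crypt(3): a one-way function whose 13-character
    output starts with the two-character salt.  SHA-256 is used only so
    the example runs everywhere; a real cracker calls crypt() here."""
    digest = hashlib.sha256((salt + word).encode()).hexdigest()
    return salt + digest[:11]


def candidates(word):
    """A few of the mangling rules Crack-style programs apply to each
    wordlist entry: as-is, capitalised, reversed, and a trailing digit."""
    seen = set()
    for cand in [word, word.capitalize(), word[::-1]] + [word + str(d) for d in range(10)]:
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(entries, wordlist, hashfn=demo_hash):
    """Dictionary attack.  `entries` is a list of (user, encrypted_password).
    Targets are grouped by salt (the first two characters of the hash) so
    each candidate is hashed once per salt, not once per account.
    Returns (found, hash_count) where found maps user -> password."""
    by_salt = {}
    for user, enc in entries:
        if enc in UNCRACKABLE or len(enc) < 2:
            continue                       # locked or shadowed: nothing to try
        by_salt.setdefault(enc[:2], []).append((user, enc))
    found, hash_count = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            for salt, targets in by_salt.items():
                guess = hashfn(cand, salt)
                hash_count += 1
                for user, enc in targets:
                    if guess == enc and user not in found:
                        found[user] = cand
    return found, hash_count


# Constructed test accounts (not real hashes); will and bob share a salt.
SAMPLE_ENTRIES = [
    ("will", demo_hash("password1", "ab")),
    ("alice", demo_hash("Summer", "cd")),
    ("bob", demo_hash("xK9!qp2z", "ab")),   # not derivable from the wordlist
    ("daemon", "*"),                        # locked account
    ("shadowed", "x"),                      # token; real hash is in /etc/shadow
]
WORDLIST = ["password", "summer", "hello"]

if __name__ == "__main__":
    found, n = crack(SAMPLE_ENTRIES, WORDLIST)
    print(found, "after", n, "hash computations")
```

With three words, thirteen candidates each and two distinct salts the run costs 78 hash computations; without salt grouping it would cost one per candidate per account.  That cost is the whole point of the salt and of a slow function like pwdauth(): cracking time scales with the number of distinct salts and the speed of the hash, which is why the cheap DES crypt of this era fell to wordlists.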