:Taken from CoTNO 5:
<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>=<CoTNo>
Notes on Unix Password Security
by Voyager  (will@gnu.ai.mit.edu)
Introduction
~~~~~~~~~~~~

Standard Unix implementations keep user passwords in the file /etc/passwd.
An entry in the password file consists of seven colon delimited fields:
    Username
    Encrypted password (And optional password aging data)
    User number
    Group Number
    GECOS Information
    Home directory
    Shell
]
] Sample entry from /etc/passwd:
]
] will:5fg63fhD3d:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]
Broken down, this passwd file line shows:
    Username:            will
    Encrypted password:  5fg63fhD3d
    User number:         9406
    Group Number:        12
    GECOS Information:   Will Spencer
    Home directory:      /home/fsg/will
    Shell:               /bin/bash
Password Aging
~~~~~~~~~~~~~~

On some systems you will find passwd entries with password aging installed. Password aging forces the user to change passwords after a System Administrator specified period of time. Password aging can also force a user to keep a password for a certain number of weeks before changing it.
]
] Sample entry from /etc/passwd with password aging installed:
]
] will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash
]
Note the comma in the encrypted password field. The characters after the comma are used by the password aging mechanism.
]
] Password aging characters from above example:
]
] M.z8
]
The four characters are interpreted as follows:
    1:   Maximum number of weeks a password can be used before changing
    2:   Minimum number of weeks a password must be used before changing
    3&4: Last time password was changed, in number of weeks since 1970/1/1
Three special cases should be noted:
If the first and second characters are set to '..' the user will be forced to change his/her passwd the next time he/she logs in. The passwd program will then remove the passwd aging characters, and the user will not be subjected to password aging requirements again.
If the third and fourth characters are set to '..' the user will be forced to change his/her passwd the next time he/she logs in. Password aging will then occur as defined by the first and second characters.
If the first character (MAX) is less than the second character (MIN), the user is not allowed to change his/her password. Only root can change that user's password.
It should also be noted that the su command does not check the password aging data. An account with an expired password can be su'd to without being forced to change the password.
The password aging codes are in base-64 format, and can be converted to decimal using the following table:
                          Password Aging Codes
+------------------------------------------------------------------------+
|                                                                        |
| Character:  .  /  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  G  H |
| Number:     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 |
|                                                                        |
| Character:  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z  a  b |
| Number:    20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
|                                                                        |
| Character:  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v |
| Number:    40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
|                                                                        |
| Character:  w  x  y  z                                                 |
| Number:    60 61 62 63                                                 |
|                                                                        |
+------------------------------------------------------------------------+
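As an added example (not part of the original notes), the following script splits a passwd entry into the seven fields listed in the Introduction, separates the optional aging suffix from the encrypted password, and decodes it with the base-64 table above, including the three special cases. One assumption is built in: the notes do not say in which order the two last-change characters are stored, so the script follows the System V passwd(4) convention of low-order digit first (week = value(char 3) + 64 * value(char 4)); treat that ordering as an assumption when applying it to a particular system.

```python
# Added example (not from the original notes): parse a classic /etc/passwd
# entry and decode the optional ",XXXX" password-aging suffix.
from datetime import date, timedelta

# Base-64 alphabet used by password aging, in the order of the table above:
# '.'=0, '/'=1, '0'-'9'=2..11, 'A'-'Z'=12..37, 'a'-'z'=38..63
AGING_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
EPOCH = date(1970, 1, 1)
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def aging_value(ch):
    """Map one aging character to its decimal value (0..63)."""
    idx = AGING_ALPHABET.find(ch)
    if idx < 0:
        raise ValueError("not a password-aging character: %r" % ch)
    return idx


def decode_aging(suffix):
    """Decode the four aging characters: MAX weeks, MIN weeks, last change.

    Assumption (System V passwd(4) convention, not stated in the notes):
    the two last-change characters are stored low-order digit first.
    """
    if len(suffix) != 4:
        raise ValueError("aging field must be 4 characters: %r" % suffix)
    max_weeks = aging_value(suffix[0])
    min_weeks = aging_value(suffix[1])
    info = {
        "max_weeks": max_weeks,
        "min_weeks": min_weeks,
        # '..' in positions 1-2: change at next login, then aging is removed
        "change_then_remove_aging": suffix[:2] == "..",
        # MAX < MIN: the user cannot change the password, only root can
        "user_locked_out_of_passwd": max_weeks < min_weeks,
        # '..' in positions 3-4: change at next login, aging then applies
        "change_at_next_login": suffix[2:] == "..",
        "last_change_weeks": None,
        "last_change_date": None,
    }
    if suffix[2:] != "..":
        weeks = aging_value(suffix[2]) + 64 * aging_value(suffix[3])
        info["last_change_weeks"] = weeks
        info["last_change_date"] = EPOCH + timedelta(weeks=weeks)
    return info


def parse_passwd_entry(line):
    """Split a seven-field passwd line into a dict.  If the password field
    carries an aging suffix, it is split off and decoded under 'aging'."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError("expected 7 colon-delimited fields, got %d" % len(parts))
    entry = dict(zip(PASSWD_FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    entry["aging"] = None
    if "," in entry["passwd"]:
        entry["passwd"], suffix = entry["passwd"].split(",", 1)
        entry["aging"] = decode_aging(suffix)
    return entry


if __name__ == "__main__":
    # Constructed input: the aging sample entry from the notes above
    sample = "will:5fg63fhD3d,M.z8:9406:12:Will Spencer:/home/fsg/will:/bin/bash"
    entry = parse_passwd_entry(sample)
    print(entry["name"], entry["passwd"])
    for key, value in sorted(entry["aging"].items()):
        print("  %-26s %s" % (key, value))
```

For the sample entry the suffix M.z8 decodes to a 24-week maximum, no minimum, and a last change in week 703 after 1970/1/1; the same decoder reports the forced-change and MAX-less-than-MIN cases as flags rather than dates.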
Password Aging Defaults
~~~~~~~~~~~~~~~~~~~~~~~

System wide defaults for password aging are stored in the file /etc/default/passwd.
]
] Sample entry from /etc/default/passwd under System V release 4.0
]
] MINWEEKS=0
] MAXWEEKS=500
] PASSLENGTH=5
] WARNWEEKS=1
]
MINWEEKS is the default minimum number of weeks a password must be used before changing. MAXWEEKS is the default maximum number of weeks a password can be used before changing. PASSLENGTH is the minimum number of characters a password may contain. WARNWEEKS, which did not exist prior to System V Release 4, is the number of weeks a user is warned that they must change their password.
Password Shadowing
~~~~~~~~~~~~~~~~~~

Due to basic design aspects of the Unix system, the file /etc/passwd is world readable. This allows password crackers to steal the encrypted passwords and attempt to crack them. Newer versions of Unix use a scheme known as shadowing to alleviate this problem.
On a Unix system with password shadowing, the encrypted password field of the password file is replaced by a special token. When the login and passwd programs see this token in the password field, they switch to the shadowed copy of the password file for the actual encrypted password field. The shadowed copy of the password file is readable only by root and the login and passwd programs run SUID root.
Defeating Password Shadowing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password shadowing can be defeated on some systems by using getpwent(), as in the following program. Successive calls to getpwent() are made for every line in the passwd file. This method only works for older password shadowing schemes.
]
] #include <stdio.h>
] #include <pwd.h>
]
] int main(void)
] {
]     struct passwd *p;
]
]     /* getpwent() returns one passwd entry per call and NULL at the end */
]     while ((p = getpwent()) != NULL)
]         printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
]                (int)p->pw_uid, (int)p->pw_gid,
]                p->pw_gecos, p->pw_dir, p->pw_shell);
]     endpwent();
]     return 0;
] }
]
On systems where getpwent() fails, it is possible to utilize the pwdauth() function for similar purposes. Note that the pwdauth() function is purposefully designed to operate very slowly. This program shows the basics of pwdauth(); for a more complete example of a cracker utilizing pwdauth(), refer to Shadow Crack from The Shining/UPi.
]
] #include <stdio.h>
]
] #define MAXLOGIN 8
] #define MAXPASS  8
]
] /* pwdauth() is a nonstandard routine with no standard header;
]    this prototype is assumed from the SCO/System V interface */
] int pwdauth(char *login, char *password);
]
] int main(void)
] {
]     char login[MAXLOGIN + 1];      /* +1 for the terminating NUL */
]     char password[MAXPASS + 1];
]
]     printf("login: ");
]     if (scanf("%8s", login) != 1)       /* width limit matches MAXLOGIN */
]         return 1;
]
]     printf("password: ");
]     if (scanf("%8s", password) != 1)    /* width limit matches MAXPASS */
]         return 1;
]
]     /* pwdauth() returns 0 when the password matches */
]     if (pwdauth(login, password) == 0)
]         printf("Correct!\n");
]     else
]         printf("Wrong!\n");
]     return 0;
] }
]
A third method of defeating password shadowing is to have root privileges, as root is able to read the shadowed password file directly.

The following chart shows the location of the shadowed password information and the token left in the /etc/passwd file by various versions of Unix.
]
] Unix                    Path                                      Token
] -----------------------------------------------------------------
] AIX 3                   /etc/security/passwd                      !
]                      or /tcb/auth/files/<first letter             #
]                            of username>/<username>
] A/UX 3.0s               /tcb/files/auth/?/*
] BSD4.3-Reno             /etc/master.passwd                        *
] ConvexOS 10             /etc/shadpw                               *
] ConvexOS 11             /etc/shadow                               *
] DG/UX                   /etc/tcb/aa/user/                         *
] EP/IX                   /etc/shadow                               x
] HP-UX                   /.secure/etc/passwd                       *
] IRIX 5                  /etc/shadow                               x
] Linux 0.99              /etc/shadow                               *
] OSF/1                   /etc/passwd[.dir|.pag]                    *
] SCO UNIX R3.2v4.2       /etc/shadow                               x
] SCO Unix 3.2.x          /tcb/auth/files/<first letter             *
]                            of username>/<username>
] SunOS 4.1+c2            /etc/security/passwd.adjunct              ##username
] SunOS 5.0               /etc/shadow
]                         <optional NIS+ private secure maps/tables/whatever>
] System V Release 3.2    /etc/shadow                               x
] System V Release 4.0    /etc/shadow                               x
] System V Release 4.2    /etc/security/* database
] Ultrix 4                /etc/auth[.dir|.pag]                      *
] UNICOS                  /etc/udb                                  *
]
Format of the shadowed password file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The format of the shadowed password file differs under various Unix implementations. Many implementations follow the original System V Release 3.2, while others opt for a more complicated yet more efficient database structure.
An entry in the System V Release 3.2 shadow file consists of five colon delimited fields:
    Username
    Encrypted password (And optional password aging data)
    Last time password was changed, in number of days since 1970/1/1
    Minimum number of days a password must be used before changing
    Maximum number of days a password can be used before changing
System V Release 4 introduced three more fields to the shadow file:
    The number of days before the password expires that the user will be warned
    The number of days of inactivity allowed for the user
    The absolute expiration date for the account
]
] Sample entry from /etc/shadow under System V release 4.0
]
] will:5fg63fhD3d:8960:1:60:10:90:10000
]
Broken down, this shadow file line shows:
    Username:            will
    Encrypted password:  5fg63fhD3d
    Last change:         8960  (Password was last changed on
    Minimum days:        1     (Password must be kept for 1 day without changing)
    Maximum days:        60    (Password must be changed every 60 days)
    Warning days:        10    (User receives 10 days warning of required password change)
    Inactivity days:     90    (Account disabled if not used for 90 days)
    Expiration date:     10000 (Account expires on
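The following script is an added example, not part of the original notes. It parses a System V Release 4 shadow entry (and accepts the five-field Release 3.2 form, leaving the three newer fields unset), converts the day counts to calendar dates, and evaluates the aging state of the entry on a given day so that an administrator can tell which accounts have passed their expiration date, which passwords have outlived MAX, and which users are inside the warning window. The comparison rules (password expired once its age exceeds MAX; warning once MAX minus age is at most WARN) are the script's own assumptions, since the notes do not define the exact boundary behaviour.

```python
# Added example (not from the original notes): parse a System V Release 4
# /etc/shadow entry and evaluate its aging state for a given day.
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire")


def days_to_date(days):
    """Convert a days-since-1970/1/1 count to a date (None if field empty)."""
    return None if days is None else EPOCH + timedelta(days=days)


def parse_shadow_entry(line):
    """Split a shadow line into a dict.  Numeric fields become ints and
    empty numeric fields become None.  A five-field SVR3 line is accepted
    and the three SVR4 fields (warn, inactive, expire) are set to None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) == 5:
        parts += ["", "", ""]
    if len(parts) != 8:
        raise ValueError("expected 5 or 8 fields, got %d" % len(parts))
    entry = dict(zip(SHADOW_FIELDS, parts))
    for key in SHADOW_FIELDS[2:]:
        entry[key] = int(entry[key]) if entry[key] != "" else None
    return entry


def shadow_status(entry, today_days):
    """Evaluate an entry on day `today_days` (days since 1970/1/1).

    Boundary rules are this example's assumptions: the password is expired
    once its age exceeds MAX days, and the user is in the warning window
    once MAX minus age is at most WARN days.  Inactivity is not evaluated
    here because the last login time is not stored in the shadow file.
    """
    age = None if entry["lastchg"] is None else today_days - entry["lastchg"]
    mx, mn, warn = entry["max"], entry["min"], entry["warn"]
    account_expired = entry["expire"] is not None and today_days >= entry["expire"]
    password_expired = age is not None and mx is not None and age > mx
    in_warning_window = (age is not None and mx is not None and warn is not None
                         and not password_expired and mx - age <= warn)
    change_blocked_by_min = age is not None and mn is not None and age < mn
    return {
        "account_expired": account_expired,
        "password_expired": password_expired,
        "in_warning_window": in_warning_window,
        "change_blocked_by_min": change_blocked_by_min,
    }


if __name__ == "__main__":
    # Constructed input: the SVR4 sample line from the notes above
    e = parse_shadow_entry("will:5fg63fhD3d:8960:1:60:10:90:10000")
    print("last change:", days_to_date(e["lastchg"]),
          " account expires:", days_to_date(e["expire"]))
    for today in (8960, 9000, 9015, 9030, 10000):
        print(today, shadow_status(e, today))
```

Running it on the sample line prints the last-change and expiration dates and then shows the status flags flipping as the evaluation day moves past the MIN period, into the WARN window, past MAX, and finally past the absolute expiration date.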
The SunOS adjunct system
~~~~~~~~~~~~~~~~~~~~~~~~

Sun Microsystems introduced changes in their version of the shadow file in SunOS 4.1.
An entry in the SunOS passwd.adjunct file consists of seven colon delimited fields:
    Username
    Encrypted password (And optional password aging data)
]
] Sample entry from /etc/security/passwd.adjunct under SunOS 4.1
]
] will:5fg63fhD3d::::ad,p0,p1:dr,dw,dc,da,lo
]
Broken down, this passwd.adjunct line shows:
    Username:                 will
    Encrypted password:       5fg63fhD3d
    Minimum login clearance:
    Maximum login clearance:
    Default login clearance:
    Always audit:             ad,p0,p1
    Never audit:              dr,dw,dc,da,lo
NIS
~~~

NIS (Network Information System) is the current name for what was once known as yp (Yellow Pages). The purpose of NIS is to allow many machines on a network to share configuration information, including password data. NIS is not designed to promote system security. If your system uses NIS you will have a very short /etc/passwd file that includes a line that looks like this:
    +::0:0:::
To view the real password file, use the command "ypcat passwd".
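The audit script below is an added example (not part of the original notes) that turns the shadowing chart and the NIS entry described above into a check an administrator can run over a copy of /etc/passwd: it reports every entry whose encrypted password is still sitting in the world-readable file rather than being replaced by one of the tokens from the chart, every entry with an empty password field, and every NIS inclusion or exclusion line, since those accounts must be audited through "ypcat passwd" instead. Two assumptions are built in: an NIS exclusion line begins with "-" (the notes only show the "+" form), and "*" is treated as a token even though some systems also use it simply to mark an account with no valid password.

```python
# Added example (not from the original notes): audit passwd lines for
# encrypted passwords left in the world-readable file.

# Tokens from the "Unix / Path / Token" chart above.  "*" is also used by
# some systems to mark an account that has no valid password at all.
SHADOW_TOKENS = {"*", "x", "!", "#"}


def classify_passwd_field(field):
    """Classify the second field of a passwd line."""
    hash_part = field.split(",", 1)[0]  # drop optional password-aging suffix
    if hash_part == "":
        return "empty"        # login succeeds with no password at all
    if hash_part in SHADOW_TOKENS or hash_part.startswith("##"):
        return "shadowed"     # real hash lives in the shadow file
    return "exposed"          # hash readable by every local user


def audit_passwd_lines(lines):
    """Return (username, finding) pairs for entries that need attention.

    Shadowed entries produce no finding.  NIS entries ("+..." lines, and
    "-..." exclusion lines, an assumption beyond the notes) are reported
    so that the NIS map is audited separately with "ypcat passwd".
    """
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        if line.startswith("+") or line.startswith("-"):
            findings.append((line.split(":")[0], "nis-entry"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed"))
            continue
        kind = classify_passwd_field(fields[1])
        if kind != "shadowed":
            findings.append((fields[0], kind))
    return findings


# Constructed sample file: a shadowed root entry, the exposed sample hash
# from the notes, an empty password field, a SunOS-style ##token and an NIS
# inclusion line.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/:/bin/sh",
    "will:5fg63fhD3d:9406:12:Will Spencer:/home/fsg/will:/bin/bash",
    "guest::500:100:Guest:/tmp:/bin/sh",
    "adjunct:##adjunct:600:100:Adjunct user:/home/adjunct:/bin/sh",
    "+::0:0:::",
]

if __name__ == "__main__":
    for user, finding in audit_passwd_lines(SAMPLE_PASSWD):
        print("%-10s %s" % (user, finding))
```

On a real system the list would be read from a copy of /etc/passwd; an "exposed" finding means the hash is available to any local user for the offline cracking described in the next section, and the fix is to enable the shadowing scheme for that platform rather than to change the password alone.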
Password cracking
~~~~~~~~~~~~~~~~~

Contrary to popular belief, Unix passwords cannot be decrypted. Unix passwords are encrypted with a one way function. The login program encrypts the text you enter at the "password:" prompt and compares that encrypted string against the encrypted form of your password.
Password cracking software uses wordlists. The password cracking program encrypts each word in the wordlist and compares that encrypted string against the encrypted form of the password. If the encrypted forms match, the password is known.
To crack passwords, you will need a password cracking program and a wordlist. The best cracking program for Unix passwords is currently Crack by Alec Muffett. For PC-DOS, the best package to use is currently CrackerJack. Larger wordlists will allow you to crack more accounts.