Friday, 11 April 2014

Understanding Linux passwords

Ubuntu/Linux stores passwords in the /etc/shadow file. Passwords on a Linux system are not encrypted, they are hashed, which is a huge difference.
By definition, it is not possible to reverse a hash function.
Run the following commands to get familiar with password security in Ubuntu:
 cd /etc
sudo cat passwd
This command prints the content of the passwd file:
bhushan:x:1000:1000:bhushan,,,:/home/bhushan:/bin/bash
The seven colon-separated fields, numbered 1 to 7 from left to right, are:
  1. Username: It is used when the user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x character indicates that the hashed password is stored in the /etc/shadow file.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further, UIDs 100-999 are reserved by the system for administrative and system accounts/groups.
  4. Group ID (GID): The primary group ID (stored in the /etc/group file).
  5. User ID Info: The comment field. It allows you to add extra information about the user, such as the user's full name, phone number etc. This field is used by the finger command.
  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exist, the user's directory becomes /
  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.
This is the user information.
I want to know the password of Bhushan.
Let's try this command:
bhushan@bhushan-desktop:/etc$ cat shadow|grep "bhushan"
cat: shadow: Permission denied
What happened? I can't run this command without root permission.
bhushan@bhushan-desktop:/etc$ sudo cat shadow|grep "bhushan"
bhushan:$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91:15632:0:99999:7:::

/etc/shadow file fields

  1. User name : It is your login name
  2. Password: It is your hashed password. The password should be a minimum of 6-8 characters long, including special characters/digits
  3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
  4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
  5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
  6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  7. Inactive : The number of days after password expires that account is disabled
  8. Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
Today the password hash comes in three parts, separated by dollar signs ($):
$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91
Here:  $ ID $ SALT $ HASH
  • Id. This identifies the hash method used. A value of 1 denotes MD5, 2 or 2a is Blowfish, 3 is NT Hash, 5 is SHA-256 and 6 is SHA-512.
  • Salt. This is used by the hashing algorithm, and can be up to 16 characters long.
  • Hash. The actual "password" (or hash) comes last. MD5 uses 22 characters, SHA-256 uses 43, and SHA-512 uses 86.
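As an added example (not part of the original post), the Python code below parses /etc/shadow lines into the fields described above, splits the $ID$SALT$HASH part, and lists accounts that can log in without a well-formed SHA-512 hash. It goes slightly beyond the text by handling locked entries (! or *), an empty password field, the optional rounds=N parameter of SHA-crypt and the ninth reserved field; the function names, the made-up accounts and the "SHA-512 only" policy are assumptions for illustration.

```python
from datetime import date, timedelta

# Scheme ids and encoded hash lengths as listed in the article above.
SCHEMES = {"1": ("MD5", 22), "5": ("SHA-256", 43), "6": ("SHA-512", 86)}

def parse_hash(field):
    """Split a shadow password field ($ID$SALT$HASH) and sanity-check it."""
    out = {"scheme": None, "rounds": None, "salt": None, "hash": None, "valid": False}
    if not field.startswith("$"):
        return out                      # '', '!' or '*': no usable hash stored
    parts = field.split("$")[1:]        # drop the empty piece before the first $
    if parts[0] not in SCHEMES:         # e.g. Blowfish, which has its own layout
        return dict(out, scheme="other")
    out["scheme"], want_len = SCHEMES[parts[0]]
    # Assumption from the SHA-crypt format: optional "rounds=N" before the salt.
    if len(parts) == 4 and parts[1].startswith("rounds=") and parts[1][7:].isdigit():
        out["rounds"] = int(parts.pop(1)[7:])
    if len(parts) == 3:
        out["salt"], out["hash"] = parts[1], parts[2]
        out["valid"] = len(parts[1]) <= 16 and len(parts[2]) == want_len
    return out

def parse_shadow_line(line):
    """Parse one /etc/shadow line; raises ValueError if it is malformed."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:                     # the 8 fields listed above + 1 reserved
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    entry = {"user": f[0], **parse_hash(f[1])}
    entry["locked"] = f[1][:1] in ("!", "*")
    entry["last_changed"] = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2] else None
    return entry

def audit(lines):
    """Return users who can log in without a well-formed SHA-512 hash."""
    entries = [parse_shadow_line(l) for l in lines]
    return [e["user"] for e in entries
            if not e["locked"] and not (e["scheme"] == "SHA-512" and e["valid"])]

# Constructed sample: the article's entry plus made-up accounts and hashes.
SAMPLE = [
    "bhushan:$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91:15632:0:99999:7:::",
    "olduser:$1$abcdefgh$" + "x" * 22 + ":15000:0:99999:7:::",
    "svc:$6$rounds=10000$saltsalt$" + "y" * 86 + ":16000:0:90:7:::",
    "daemon:*:15000:0:99999:7:::",
    "guest::15000:0:99999:7:::",
]

print("needs review:", audit(SAMPLE))
```

On a real system the input would be the lines of /etc/shadow read as root; the last-changed value 15632 from the article's entry decodes to 2012-10-19.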
Generating the SHA-512 hash of a password using the mkpasswd command
Here my salt is M0jBWc8n
Try this command:
mkpasswd -m sha-512 "iwontdisplay" M0jBWc8n
Output is:
bhushan@bhushan-desktop:~$ mkpasswd -m sha-512 "iwontdisplay" M0jBWc8n
$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91
And this is my shadow file password:
$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91
Is it the same? Yes.
So my password is iwontdisplay


How to generate password:

You can use the following commands for this:
Method 1
openssl passwd -1 -salt xyz  yourpass
Method 2
makepasswd --clearfrom=- --crypt-md5 <<< YourPass
Method 3
As @tink suggested, we can update the password using chpasswd:
echo "username:password" | chpasswd
Or you can use an encrypted password with chpasswd. First generate it using:
perl -e 'print crypt("YourPasswd", "salt"),"\n"'
Then later you can use the generated password to update:
echo "username:encryptedPassWd"  | chpasswd -e
We can also use this encrypted password to create a new user with a password.
Ex.
useradd -p 'encryptedPassWd'  username
Update
Method 4
echo -e "md5crypt\npassword" | grub | grep -o "\$1.*"

Reference:
http://hacktechway.wordpress.com/2013/02/24/getting-ubuntu-password-from-etcshadow/
http://unix.stackexchange.com/questions/81240/manually-generate-password-for-etc-shadow
