Talk:Shadow password
From Wikipedia, the free encyclopedia
On modern Linux there is a difference: the passwd file is world-readable and contains the usernames, groups, shells, homes, etc. But the hashes are stored in the shadow file, which is only readable by root.
-rw-r--r-- 1 root root 1838 2007-07-26 07:50 /etc/passwd
-rw------- 1 root root 2072 2007-08-12 16:09 /etc/shadow
Should we s/encrypted/hashed/? MD5 and SHA1 aren't encryption.
--Stereo 10:21, 2005 May 2 (UTC)
The encryption used by UNIX systems isn't an encryption in the sense that there is an available decryption. It's a one-way hash which just so happens to use a modified DES encryption to do the work. This isn't relevant to shadowed passwords alone as all UNIX-compatible systems use the same scheme. So ... perhaps a discussion of UNIX-compatible password encryptions belongs somewhere else?
Anyone interested in a history of Linux password shadowing? Would that be a nice addition?
Tall Girl 18:51, 10 February 2006 (UTC)
Yes, that would be very nice. --Stereo 12:13, 14 February 2006 (UTC)
Doesn't this mean that anyone can obtain a full list of user accounts under Unix, plus any other information available, like default group, full name, password expiration etc? This data isn't half as sensitive as the password hashes, of course, but it still seems uncomfortably useful to an attacker. Is this data shadowed as well or world-readable? The latter seems to violate the principle of least privilege. 82.95.254.249 17:36, 23 April 2007 (UTC)
- Slightly off-topic, but the /etc/passwd file is not always used. This can be replaced (via PAM, for example) by an LDAP or (My)SQL server. This then alleviates the task of authentication from /etc/passwd to a more fine-tunable database with per-user access. Of course the problem then is that every user still has a home directory which (usually) reflects their username. But this too can be prevented by auto-mounting user homedirs on login and auto-dismounting them after logout. NoobX 09:16, 11 September 2007 (UTC)
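As an added example (not part of the talk page or any real system's files), the following audit script shows the split the first comment describes and the ageing fields the later question asks about: it parses constructed passwd and shadow records, identifies the crypt(3) scheme from the hash field's "$id$" prefix (a 13-character field with no "$" being traditional DES), flags weak or empty entries, and computes expiry from the last-change and max-age day counts. The sample usernames, hashes and day values are constructed.

```python
"""Audit constructed /etc/passwd and /etc/shadow records (added example; hash bodies are filler, not real hashes)."""

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
    "legacy:x:1001:1001:Legacy Account:/home/legacy:/bin/sh",
]
SHADOW_LINES = [
    "root:$6$saltsalt$" + "A" * 86 + ":19000:0:99999:7:::",  # sha512crypt
    "alice:$1$abcdefgh$" + "B" * 22 + ":18000:0:90:7:::",    # md5crypt, 90-day max age
    "legacy:ABCDEFGHIJKLM:17000:0:99999:7:::",               # 13-char traditional DES crypt
]
# The crypt(3) scheme identifier sits between the first two "$" of the hash field.
HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK_SCHEMES = {"des", "md5crypt"}

def identify_scheme(hash_field):
    """Classify the second field of a shadow record."""
    if hash_field == "":
        return "empty"      # no password required at all
    if hash_field[0] in "!*":
        return "locked"     # password login disabled
    if hash_field.startswith("$"):
        return HASH_SCHEMES.get(hash_field.split("$")[1], "unknown")
    return "des" if len(hash_field) == 13 else "unknown"

def parse_shadow(line):
    """Split a shadow record: name, hash, then last-change and max-age in days since the epoch."""
    f = line.split(":")
    if len(f) != 9:
        raise ValueError("shadow record needs 9 fields: %r" % line)
    lastchg, _, maxage = (int(x) if x else None for x in f[2:5])
    return {"name": f[0], "hash": f[1], "lastchg": lastchg, "max": maxage}

def audit(passwd_lines, shadow_lines, today_days):
    """Map each passwd user to its hash scheme and a list of findings; today_days is days since the epoch."""
    shadow = {r["name"]: r for r in map(parse_shadow, shadow_lines)}
    report = {}
    for line in passwd_lines:
        name, pw = line.split(":")[:2]
        # A non-"x" second field means the hash itself lives in the world-readable passwd file.
        issues = [] if pw == "x" else ["hash in world-readable passwd"]
        rec = shadow.get(name)
        scheme = identify_scheme(rec["hash"]) if rec else "missing"
        if scheme in WEAK_SCHEMES or scheme in ("empty", "missing"):
            issues.append("%s password entry" % scheme)
        if rec and None not in (rec["lastchg"], rec["max"]) and rec["lastchg"] + rec["max"] < today_days:
            issues.append("password expired")
        report[name] = {"scheme": scheme, "issues": issues}
    return report
```

Running audit(PASSWD_LINES, SHADOW_LINES, 19100) reports root as clean, alice as md5crypt and expired, and legacy as a DES entry.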