Current Date: Sun, Apr 11, 2021 3:15 AM

How Linux stores and manages user passwords


Wondering how Linux manages a multi-user environment? In this article, Make Tech Easier explains how Linux stores and manages user passwords and login information.

Exploring the /etc/passwd file

When a user enters a username and password, Linux checks the entered password against entries in a few files under the "/etc" directory.

The file /etc/passwd is one of the most important of these: it stores the basic account information for every user.

The last entry in this file corresponds to the user "carbon". Written out in full it reads carbon:x:1000:1000:carbon,,,:/home/carbon:/bin/bash, that is, several information fields separated by colons:

  • carbon: the username this entry corresponds to.
  • x: indicates that a password exists for this user but is stored in the file /etc/shadow rather than here. If this field contains ! instead of x, no password is set for the user.
  • 1000: the user ID (UID) of this user.
  • 1000: the group ID (GID) of the user's primary group.
  • carbon,,,: the GECOS field, a comma-separated list holding the full name, room number, work phone, home phone and other information. Here only the name is set; no phone number is given.
  • /home/carbon: the home directory assigned to this user.
  • /bin/bash: the default login shell assigned to this user.

Let's create another user, this time supplying a phone number. The user "pluto" is added to the system with the adduser command.

(Image: adding a user with the adduser command)

Looking at /etc/passwd again, we can now see the complete entry for the user "pluto", phone number included.

Whenever a user is created with adduser, the location of the home directory and the default shell are taken from the settings in /etc/adduser.conf (DHOME and DSHELL).

User IDs for regular users start at 1000 and run up to 59999 (FIRST_UID and LAST_UID in the same file); lower UIDs are reserved for system accounts.

The "carbon" user can view the entries in /etc/passwd simply with the cat command.

Only root can write to the file; every other user can only read it. Because the file is world-readable, storing password hashes in it would be a bad idea: any local user could copy them and crack them offline. Instead, the password hashes are kept in a separate file, /etc/shadow.
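As an added example (not code from the original article), here is a small Python parser for the seven-field layout described above, together with the checks a security reviewer usually runs over /etc/passwd: accounts other than root with UID 0, an empty password field, and a hash left in the file itself instead of /etc/shadow. The sample file is constructed for this example; only the carbon and pluto lines follow the article's users, and the remaining lines are made up to trigger the checks.

```python
"""Parse /etc/passwd and run the checks a reviewer would over it.

Added example for this article, not code from it.  SAMPLE_PASSWD is a
constructed file: the carbon and pluto lines follow the article's users,
the remaining lines are made up to exercise the checks."""
from __future__ import annotations
from dataclasses import dataclass

# Regular-user UID range (FIRST_UID/LAST_UID defaults in adduser.conf).
FIRST_UID, LAST_UID = 1000, 59999

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carbon:x:1000:1000:carbon,,,:/home/carbon:/bin/bash
pluto:x:1001:1001:Pluto,,555-0100,:/home/pluto:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
nopass::1002:1002:nopass,,,:/home/nopass:/bin/sh
oldstyle:$6$constructed$PLACEHOLDER:1003:1003:oldstyle,,,:/home/oldstyle:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x": the real hash lives in /etc/shadow
    uid: int
    gid: int       # primary group
    gecos: str     # full name,room,work phone,home phone,other
    home: str
    shell: str

    @property
    def full_name(self) -> str:
        return self.gecos.split(",")[0]

    @property
    def work_phone(self) -> str:
        parts = self.gecos.split(",")
        return parts[2] if len(parts) > 2 else ""

    @property
    def is_regular_user(self) -> bool:
        return FIRST_UID <= self.uid <= LAST_UID


def parse_passwd(text: str) -> list[PasswdEntry]:
    """One PasswdEntry per non-empty line; a malformed line is an error, not skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for entries a reviewer should look at."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if e.password == "":
            findings.append((e.name, "empty password field; should be 'x' with the hash in /etc/shadow"))
        elif e.password.startswith("$"):
            findings.append((e.name, "password hash stored in world-readable /etc/passwd"))
        # "x" is normal; "!" or "*" means no usable password (password login locked).
    return findings


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    for u in users:
        kind = "user" if u.is_regular_user else "system"
        print(f"{u.name:10} uid={u.uid:<5} {kind:6} shell={u.shell}")
    for name, why in audit_passwd(users):
        print(f"FINDING {name}: {why}")
```

Run against a real system with `parse_passwd(open("/etc/passwd").read())`; a clean system yields no findings at all.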

Exploring the /etc/shadow file

Now let's see how the passwords for the users "carbon" and "pluto" are stored in /etc/shadow.

Looking at the permissions of /etc/shadow, we can see that only root can read and write it and that members of the "shadow" group can read it; everyone else has no access at all. The shadow group has no members by default; it exists so that a few privileged helper programs can be granted read access to the file without running as root.

Logging in as root, we can view the last 10 lines of /etc/shadow with tail. Each entry in /etc/passwd has a corresponding entry in this file. Written out, the entry for "pluto" looks like this (the hash is abbreviated here):

pluto:$6$JvWfZ9u.$yGFIqOJ....:18283:0:99999:7:::

In this file too, every entry has multiple fields separated by colons:

  • pluto: the username this entry corresponds to.
  • $6$JvWfZ9u.$yGFIqOJ....: the hashed password, stored together with an identifier for the hash algorithm used. A salt value is combined with the plaintext password before hashing:

{plaintext password, salt} -> hashed password

The $ symbol separates the three parts:

$6  $JvWfZ9u.  $yGFIqOJ....

  • $6: the hash algorithm used. The identifiers you may encounter are:
      • $1: MD5
      • $2a: bcrypt (Blowfish-based)
      • $2y: bcrypt (a later revision of the same scheme)
      • $5: SHA-256
      • $6: SHA-512
    Newer distributions also use $y for yescrypt. The SHA-256 and SHA-512 variants may carry an optional rounds=N part between the identifier and the salt (for example $6$rounds=10000$...), which raises the work factor above the default of 5000 iterations.
  • $JvWfZ9u.: the salt value.
  • $yGFIqOJ....: the password hash itself.

The resulting hash is what is stored as the user's "encrypted" password. The salt is unique for each user, so even if two users choose the same plaintext password, their different salts produce different hash values. This also prevents an attacker from precomputing one table of hashes and reusing it against every account.

Here are the remaining fields of this entry:

  • 18283: the date the password was last changed, expressed as the number of days since January 1, 1970 (here, January 22, 2020).
  • 0: the minimum number of days that must pass before the password may be changed again. 0 means it can be changed at any time.
  • 99999: the maximum number of days the password remains valid before it must be changed. 99999 effectively means the user can keep the password for as long as they like.
  • 7: if the password is set to expire, the number of days before expiration on which the user starts receiving a warning.
  • :::: three more fields, all empty here. The first is the number of days of inactivity after the password expires before the account is disabled; the second is the account expiration date, again as days since January 1, 1970; the third is reserved for future use. Leaving them empty means no inactivity lockout is enforced and the account never expires.

The fields after the hash, which together govern password validity, are collectively known as the "password aging policy".

The default values come from the password aging settings in /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE) and can be changed per user with the chage command.
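To make the nine-field layout and the aging rules concrete, here is an added example (not code from the article) that parses /etc/shadow entries, classifies the hash field (hashed, locked, or empty) and evaluates the aging fields the way chage -l reports them: last change date, password expiry, warning window, inactivity lock and account expiry. The sample lines are constructed: the pluto line uses the field values quoted above with its hash truncated as in the article, and the other lines are made up so that each rule is exercised, with placeholder hash fields.

```python
"""Parse /etc/shadow entries and evaluate their password aging policy.

Added example for this article, not code from it.  SAMPLE_SHADOW is
constructed: the pluto line uses the field values quoted in the article
(hash truncated as there); the other lines are made up so that each aging
rule is exercised, and their hash fields are placeholders."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
NEVER = 99999  # conventional "never expires" value for the max-days field

# Hash method identifiers ($-prefixed ids in the second field).
HASH_IDS = {"1": "MD5", "2a": "bcrypt", "2y": "bcrypt",
            "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

SAMPLE_SHADOW = """\
pluto:$6$JvWfZ9u.$yGFIqOJ....:18283:0:99999:7:::
carbon:$6$constructed$PLACEHOLDER:18283:0:90:7:14::
retired:$6$constructed$PLACEHOLDER:17000:0:90:7::18000:
svc:!$6$constructed$PLACEHOLDER:18283:0:99999:7:::
nopass::18283:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]   # days since epoch; 0 forces a change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]    # account expiry, days since epoch


def _num(field: str) -> Optional[int]:
    return int(field) if field != "" else None


def parse_shadow(text: str) -> list[ShadowEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(f)}")
        # f[8] is the reserved field and is ignored.
        entries.append(ShadowEntry(f[0], f[1], *(_num(x) for x in f[2:8])))
    return entries


def hash_status(h: str) -> str:
    """Classify the second field the way login would see it."""
    if h == "":
        return "no password"
    if h.startswith(("!", "*")):
        return "locked"   # passwd -l prefixes "!"; "*" means no password was ever set
    if h.startswith("$"):
        ident = h.split("$")[1]
        return "hashed with " + HASH_IDS.get(ident, "unknown method $" + ident)
    return "unrecognised format"


def aging_report(e: ShadowEntry, today: date) -> dict:
    """Mirror what chage -l reports, plus whether each limit has already been hit."""
    today_days = (today - EPOCH).days
    r = {"status": hash_status(e.hash), "last_change": None, "must_change": False,
         "password_expires": None, "password_expired": False, "in_warning": False,
         "inactive_lock": None, "inactive_locked": False,
         "account_expires": None, "account_expired": False}
    if e.last_change is not None:
        if e.last_change == 0:
            r["must_change"] = True
        else:
            r["last_change"] = EPOCH + timedelta(days=e.last_change)
            if e.max_days is not None and e.max_days < NEVER:
                exp = e.last_change + e.max_days          # password expiry day
                r["password_expires"] = EPOCH + timedelta(days=exp)
                r["password_expired"] = today_days > exp
                if e.warn_days is not None and not r["password_expired"]:
                    r["in_warning"] = today_days >= exp - e.warn_days
                if e.inactive_days is not None:            # lockout after expiry
                    lock = exp + e.inactive_days
                    r["inactive_lock"] = EPOCH + timedelta(days=lock)
                    r["inactive_locked"] = today_days > lock
    if e.expire_day is not None:                           # account-level expiry
        r["account_expires"] = EPOCH + timedelta(days=e.expire_day)
        r["account_expired"] = today_days >= e.expire_day
    return r


if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        rep = aging_report(entry, date.today())
        print(entry.name, rep["status"], "expires:", rep["password_expires"],
              "expired:", rep["password_expired"], "acct expired:", rep["account_expired"])
```

Reading the real file requires root (or shadow group membership), exactly as the permissions above dictate; the report is the same one you would assemble by hand from the fields.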

What about group information?

User information and passwords are stored in /etc/passwd and /etc/shadow. Likewise, group information is stored in /etc/group.

(Image: group information for the users carbon and pluto)

The highlighted entries are the private groups of the users "carbon" and "pluto". When a user is created in Linux, a group with the same name as the username is created alongside it and the user is placed in that group.

Members of a group can also share a group password for activities related to that group. The value x in the second field indicates that the group's password information is held in /etc/gshadow.

Access to /etc/gshadow is restricted to the root user, just as with /etc/shadow.

The root user can view the entries of /etc/gshadow, which look much like those of /etc/shadow. Looking at the entry for the group "carbon", we see that the second field holds !, indicating that no password is set for this group.

When a user logs in, the system takes the salt from that user's entry in /etc/shadow, hashes the entered password with it using the algorithm named by the identifier, and compares the result with the stored hash. If the two match, the user is granted access. The plaintext password itself is never stored anywhere.
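To make both the $6$ hash layout explained above and this login comparison concrete, here is SHA-512 crypt implemented from the published sha-crypt specification on top of hashlib. It is an added example, not code from the article or from libcrypt (real logins go through PAM and the system's libcrypt; Python's own crypt module is not used because it is deprecated). The block checks itself against the specification's published test vector for "Hello world!" with salt "saltstring", splits the $6$[rounds=N$]salt$hash string into its parts, and verifies a candidate password exactly as described: rehash with the stored salt, compare hashes. The other passwords and salts are constructed for the example.

```python
"""SHA-512 crypt ($6$) from the sha-crypt specification, on top of hashlib.

Added example for this article, not code from it or from libcrypt.  The
spec test vector ("Hello world!" / "saltstring") is used as a self-check;
the other passwords and salts are constructed."""
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000   # the spec allows rounds=1000 .. 999999999


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt's base64: 24 bits emitted low 6 bits first, './0-9A-Za-z' alphabet."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def _encode_digest(d: bytes) -> str:
    """Serialise the 64-byte digest in the byte order fixed by the spec (86 chars)."""
    out = ""
    for k in range(21):
        trip = [k, k + 21, k + 42]
        trip = trip[k % 3:] + trip[:k % 3]        # (0,21,42), (22,43,1), (44,2,23), ...
        out += _b64_24bit(d[trip[0]], d[trip[1]], d[trip[2]], 4)
    return out + _b64_24bit(0, 0, d[63], 2)


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    pw = password.encode()
    n = len(pw)
    salt = salt[:16]                         # the spec truncates salts to 16 characters
    sb = salt.encode()
    H = hashlib.sha512
    b = H(pw + sb + pw).digest()             # digest B = H(pw || salt || pw)
    a = H(pw + sb)                           # digest A: pw || salt ...
    a.update(b * (n // 64) + b[: n % 64])    # ... then |pw| bytes taken from B ...
    i = n
    while i > 0:                             # ... then per bit of |pw|: B for 1, pw for 0
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    dp = H(pw * n).digest()                  # P: |pw| bytes derived from the password
    p = dp * (n // 64) + dp[: n % 64]
    ds = H(sb * (16 + a[0])).digest()        # S: |salt| bytes derived from the salt
    s = ds * (len(sb) // 64) + ds[: len(sb) % 64]
    c = a
    for r in range(rounds):                  # the slow part: `rounds` chained digests
        h = H()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return prefix + salt + "$" + _encode_digest(c)


def parse_crypt(stored: str) -> tuple:
    """Split $6$[rounds=N$]salt$hash into (rounds, salt, hash)."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a $6$ (SHA-512 crypt) string")
    rounds, i = DEFAULT_ROUNDS, 2
    if parts[2].startswith("rounds="):
        rounds, i = int(parts[2][len("rounds="):]), 3
    if i + 1 >= len(parts):
        raise ValueError("missing salt or hash part")
    return rounds, parts[i], parts[i + 1]


def verify_password(candidate: str, stored: str) -> bool:
    """What login does: hash the candidate with the stored salt, compare the hashes."""
    rounds, salt, expected = parse_crypt(stored)
    got = sha512_crypt(candidate, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(got, expected)   # constant-time comparison


if __name__ == "__main__":
    print(sha512_crypt("Hello world!", "saltstring"))   # the spec's test vector
    for salt in ("JvWfZ9u.", "pLut0saLt"):              # same password, two salts
        print(salt, "->", sha512_crypt("correct horse", salt))
```

Note the rounds loop: at 5000 iterations a single check is cheap, but an attacker with a copied /etc/shadow must pay that cost for every guess and every salt, which is why the hash is kept out of the world-readable /etc/passwd.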