Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 3.1 UsernamesChapter 3
Users and Passwords
Next: 3.3 Entering Your Password
 

3.2 Passwords

Once you've entered your username, UNIX typically prompts you to enter your password. This section describes how UNIX stores and handles passwords on most systems and how you can select a good password.

3.2.1 The /etc/passwd File

UNIX uses the /etc/passwd file to keep track of every user on the system. The /etc/passwd file contains the username, real name, identification information, and basic account information for each user. Each line in the file contains a database record; the record fields are separated by a colon (:).

You can use the cat command to display your system's /etc/passwd file. Here are a few sample lines from a typical file:

root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh 
daemon:*:1:1::/tmp: 
uucp:OORoMN9FyZfNE:4:4::/var/spool/uucppublic:/usr/lib/uucp/uucico 
rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/ksh 
arlin:f8fk3j1OIf34.:182:100:Arlin Steinberg:/u/arlin:/bin/csh

The first three accounts, root, daemon, and uucp, are system accounts, while rachel and arlin are accounts for individual users.

The individual fields of the /etc/passwd file have fairly straightforward meanings. Table 3-1 explains a sample line from the file shown above

Table 3.1: Example /etc/passwd Fields

Field

Contents

rachel

The username

eH5/.mj7NB3dx

The user's "encrypted password"

181

The user's user identification number (UID)

100

The user's group identification number (GID)

Rachel Cohen

The user's full name (also known as the GECOS or GCOS field)[3]

/u/rachel

The user's home directory

/bin/ksh

The user's shell[4]

[3] When UNIX was first written, it ran on a small minicomputer. Many users at Bell Labs used their UNIX accounts to create batch jobs to be run via RJE (Remote Job Entry) on the bigger GECOS computer in the Labs. The user identification information for the RJE was kept in the /etc/passwd file as part of the standard user identification. GECOS stood for General Electric Computer Operating System; GE was one of several major companies that made computers around that time.

[4] An empty field for the shell name does not mean that the user has no shell; instead, it means that the Bourne shell (/bin/sh) should be used as a default.

.

Passwords are normally represented by a special encrypted format that is described in "The UNIX Encrypted Password System" in Chapter 8, Defending Your Accounts; the password itself is not really stored in the file. Encrypted passwords may also be stored in separate shadow password files, which are also described in Chapter 8. The meanings of the UID and GID fields are described in Chapter 4, Users, Groups, and the Superuser.

3.2.2 The /etc/passwd File and Network Databases

These days, many organizations have moved away from large time-sharing computers and invested in large client/server networks containing many servers and dozens or hundreds of workstations. These systems are usually set up so that any user can make use of any workstation in a group or in the entire organization. When these systems are in use, every user effectively has an account on every workstation.

Unfortunately, on these large, distributed systems, you cannot ensure that every computer has the same /etc/passwd file. For this reason, there are now several different commercial systems available that make the information stored in the /etc/passwd file available over a network.

Four such systems are:

All of these systems take the information that is usually stored in each workstation's /etc/passwd file and store it in one or more network server computers. If you are using one of these systems and wish to view the contents of the password database, you cannot simply cat the /etc/passwd file. Instead, you must use a command that is specific to your system.

Sun's NIS service supplements the information stored in workstations' own files. If you are using NIS and you wish to get a list of every user account, you would use the following command:

  % cat /etc/passwd;ypcat passwd

Sun's NIS+ service can be configured to supplement or substitute its user account entries for those entries in the /etc/passwd file, depending on the contents of the /etc/nsswitch.conf file. If you are using a system that runs NIS+, you will want to use the niscat command and specify your NIS+ domain. For example:

% niscat -o passwd.bigco

On machines running NetInfo, the local /etc/passwd file is ignored and the network version is used instead. Therefore, if you are using NetInfo and wish to see the user accounts, you only need to type:

% nidump passwd /

Computers that are using DCE use an encrypted network database system as an alternative to encrypted passwords and /etc/passwd files. However, in order to maintain compatibility, some of them have programs which run on a regular basis that create a local /etc/passwd file. You should check your manuals for information about your specific system.

These network database systems are described in greater detail in Chapter 19, RPC, NIS, NIS+, and Kerberos.

At many sites, the administrators prefer not to use network database management systems for fear that the system itself may somehow become compromised. This fear may result from the fact that configurations are often complex, and sometimes the protocols are not particularly resistant to attack. In these environments, the administrator simply keeps one central file of user information and then copies it to remote machines on a periodic basis (for example, using rdist). The drawback to this approach is that it often requires the administrator to intervene to change a user password or shell entry. In general, you should learn to master the configuration of the system supplied by your vendor and use it. You can then put other safeguards in place, such as those mentioned in Chapter 21, Firewalls, and in Chapter 22, Wrappers and Proxies.

NOTE: Because there are so many different ways to access the information that has traditionally been stored in the /etc/passwd file, throughout this book we will simply use the phrase "password file" or "/etc/passwd" as a shorthand for the multitude of different systems. In the programming examples, we will use a special command called " cat-passwd" that prints the contents of the password database on standard output. On a traditional UNIX system without shadow passwords, the cat-passwd command could simply be the command cat /etc/passwd. On a machine running NIS, it could be the command ypcat passwd. You could write such a program for yourself that would to make repeated calls to the getpwent() library call and print the results.

3.2.3 Authentication

After you tell UNIX who you are, you must prove your identity. This process is called authentication. Classically, there are three different ways that you can authenticate yourself to a computer system, and you use one or more of them each time:

  1. You can tell the computer something that you know (for example, a password).

  2. You can "show" the computer something you have (for example, a card key).

  3. You can let the computer measure something about you (for example, your fingerprint).

None of these systems is foolproof. For example, by eavesdropping on your terminal line, somebody can learn your password. By attacking you at gunpoint, somebody can steal your card key. And if your attacker has a knife, you might even lose your finger! In general, the more trustworthy the form of identification, the more troublesome the method is to use, and the more aggressive an attacker must be to compromise it.

3.2.4 Passwords Are a Shared Secret

Passwords are the simplest form of authentication: they are a secret that you share with the computer. When you log in, you type your password to prove to the computer that you are who you claim to be. The computer ensures that the password you type matches the account that you have specified. If they match, you are allowed to proceed.

UNIX doesn't display your password as you type it. This gives you extra protection if you're using a printing terminal or if somebody is watching over your shoulder as you type.[5]

[5] This is sometimes referred to as shoulder surfing.

Passwords are normally UNIX's first line of defense against outsiders who want to break into your system. Although you could break into a system or steal information through the network without first logging in, many break-ins result because of poorly chosen or poorly protected passwords.

3.2.5 Why Use Passwords?

Most desktop personal computers do not use passwords (although there are several third-party programs that do provide varying degrees of protection, and passwords are used by both the Windows and Macintosh network filesystems). The fact that the PC has no passwords makes the computer easier to use, both by the machine's primary user and by anybody else who happens to be in the area. People with PCs rely on physical security - doors, walls, and locks - to protect the information stored on their disks from vandals and computer criminals.

Likewise, many of the research groups that originally developed the UNIX operating system did not have passwords for individual users - often for the same reason that they shied away from locks on desks and office doors. In these environments, trust, respect, and social convention were very powerful deterrents to information theft and destruction.

But when a computer is connected to a modem that can be accessed from almost any place in the world that has a telephone, or when it is connected to a network that is used by people outside the immediate group, passwords on computer accounts become just as necessary as locks on the doors of a townhouse: without them, an intruder can come right in, unhindered, and wreak havoc. And indeed, in today's electronic world, there are numerous people who try the "front door" of every computer they can find. If the door is unlocked, sometimes the vandals will enter and do damage.

Passwords are especially important on computers that are shared by several people, or on computers that are connected to networks where various computers have trust relationships with each other (we'll explain what this means in a later chapter). In such circumstances, a single easily compromised account can endanger the security of the entire installation or network.

3.2.6 Conventional UNIX Passwords

Today, most UNIX systems use simple passwords to authenticate users: the user knows a password, and types the password into the computer to log in.

Conventional passwords have been part of UNIX since its early years. The advantage of this system is that it runs without any special equipment (such as card readers or fingerprint scanners).

The disadvantage of conventional passwords is that they are easily foiled - especially if you log into your computer over a network. In recent years, conventional passwords have not provided dependable security in a networked environment: there are simply too many opportunities for a sophisticated attacker to capture a password and then use it at a later time.[6] Today, even unsophisticated attackers can launch these attacks, thanks to a variety of sophisticated tools available on the net. The only way to safely use a UNIX computer remotely over a network such as the Internet is to use either (or both) one-time passwords or data encryption (see Section 3.7, "One-Time Passwords later in this chapter and in Chapter 8, and Chapter 6, Cryptography).

[6] Passwords are still quite effective for most stand-alone systems with hard-wired terminals.

Unfortunately, we live in an imperfect world, and most UNIX systems continue to depend on reusable passwords for user authentication. As such, passwords continue to be one of the most widely exploited methods of compromising UNIX systems on networks.


Previous: 3.1 UsernamesPractical UNIX & Internet SecurityNext: 3.3 Entering Your Password
3.1 UsernamesBook Index3.3 Entering Your Password