The username and password are two mechanisms needed to access a Linux system, and these two mechanisms are stored separately in two different files to ensure the security of the system.
Traditionally, Linux and other Unix-like systems stores encrypted passwords in a world-readable format in the /etc/passwd file. As this file holds the information about local users in the system and information on it can easily be displayed with the ls command, it poses a high risk to the security of the system.
Since the discovery of the risk associated with saving the encrypted password in the /etc/passwd file, the encrypted passwords or the password hashes were moved to the /etc/shadow file.
Firstly, let’s try to understand what hashes mean before going in details on password policy. Hashing is a method of taking a fixed length encoded string as input and creating a fixed range of password using cryptic mechanism.
This article will buttress in the hashing algorithm and how to set a password aging policy on a Linux system.
SECURITY RISK ASSOCIATED WITH SAVING PASSWORDS IN WORLD-READABLE FORMAT
We talked about the security threat involved when passwords are stored in the /etc/passwd files. Below I will be given you a practical illustration on why passwords are no longer safe in the /etc/passwd file and the reason why it poses a significant threat to the security of the system.
Now let us try to see the permissions associated with the /etc/passwd file and evaluate to understand in different perspectives.
Please go through the commands above. You see from the first command the files have read permission for all three fields. In the second command, we tried changing the permission so that only the root can read the file. When we tried switching to the specified user, it throws an error message.
Even if you tried switching to the user, you wouldn’t get the user’s username, shell, home directory, etc. For so reason, the file needs to be kept in a world-readable format, and as such, user’s password, can’t be kept in such file due to security reasons. Hence there is a need to keep the password in a more secure file that is only accessible by the root user. This is where the /etc/shadow comes in
UNDERSTANDING SHADOW-UTILS PACKAGE IN LINUX SYSTEMS
The shadow-utils package is responsible for the separation of passwords in the /etc/passwd files. It is default installed in most Linux distributions such as Red Hat based and Debian based machines. The /etc/passwd file is only accessible only by the root user. In the /etc/shadow, the permission is set as read by the root user only.
There are three pieces of information stored in the latest password hash. Please focus on the second field after the root user
The $ sigh separates each piece of information.
6: This is the hashing algorithm used. 1 indicates MD5 hash, and 6 represents a SHA-512 hash. Debian machines use SHA-512, and Red Hat based machines support the SHA256 (algorithm 5) and SHA-512 (algorithm 6)
P6PdDGAI: This is the salt used to encrypt the algorithm. It is usually chosen at random. The salt and the unencrypted password are encrypted together to create an encrypted password hash. It helps to strengthen the way Linux handles user’s password.
KiiiUTl/: The encrypted hash
When the user tries logging in to the system, the system looks up the password in the /etc/password file, it combines the salt and the unencrypted user’s input and then uses the hashing algorithm specified in the system to create an encrypted password for the user. If the hashing matches the encrypted password, the user typed in a correct password, if it doesn’t, the user typed in a wrong password. This is a way of determining if the user typed in the incorrect password without making the files world-readable.
HASHING ALGORITHMS
The following are the various hashing algorithm available
MD5 Hashing algorithm ($1)
Blowfish Hashing Algorithm ($2)
Eksblowfish Hashing Algorithm ($2a)
SHA-256 Hashing Algorithm ($5)
SHA-512 Hashing Algorithm($6)
HOW TO CHANGE DEFAULT HASHING ALGORITHM IN YOUR LINUX SYSTEM
No hashing algorithm is specific to a system, but different Linux distros choose which is best for them and use it as a default hashing algorithm. The root user can change any default hashing algorithm.
Please note that while choosing to a different hashing algorithm, the effect in the change won’t affect existing users unless you enforce a password change in their next login. This will be discussed in the next topic.
To change the default hashing algorithm used for password hashes, you use the command authconfig –passalgo with one of the hashing algorithm (md5, sha256, sha512), as appropriate.
STRUCTURE OF /etc/shadow FILE
The /etc/shadow file follows nine colon-separated fields. These fields have their different function used in managing user’s account in the system.
Each of these fields will be explained before we moved to how it used in setting password aging policy
Name: This is the login name of the user. It must be a valid account name on the system
Password: This field holds the encrypted password of the user based on the system hashing algorithm. When the exclamation mark is specified in the password field, it means the account is locked
Last changed: it represents the last time the password was modified. It represents the number of days since January 1st, 1970
Minimum age: It represents the minimum number of days before a password will be changed. Where 0 means no days required.
Maximum age: It represents the maximum number of days before a password will be changed
Warning: The warning period that signals to the user that the password is about to expire. It is represented in days. Where 0 means no warning period
Inactive: It represents the number of days an account is to remain active after the password has expired. At this point, the user is allowed to login and change the password. If the number of days specified runs out, the account will be locked and becomes inactive.
Please note that this field doesn’t mean the number of days an account tends to be inactive but rather the number of days it will be active before it becomes inactive. This is a common mistake made by Linux newbies
Expire: This specifies the day the account will expire. it represents the number of days since January 1st, 1970
Blank: It is reserved for future use
Now we can go into password aging proper. Please refer to these meanings while setting your password aging policy
HOW TO SET PASSWORD AGING POLICY IN LINUX
Setting password aging policy is very important in managing users account. Imagine working in an organization where you have contract staffs who are expected to leave a certain number of days after their contract. You can set the expiring day of the staff’s account. It is also vital in maintaining the security system of the company, especially when the security system has been bridged. You can force all staff to create a new password in their next login.
To set the password aging policy, you need the chage command and the following parameters as options
Minimum days specified as -m
Maximum days specified as -M
Warning days specified as -W
Inactive days specified as –I
Please take note; only the minimum days is specified in a lower case. All other options are in upper case.
The above command set minimum days to 0, which means we don’t want to have any minimum number of days when the password will be changed. The –M option sets the password to be changed in 30 days. When the 30 days runs out, the account moves to the inactive phase. The –W option sets the warning days to be 7. This gives a warning message 7 days before the password expires. The –I option sets 5 days to be the days the user is allowed to change the password. When the 5 days run out, the account is locked. At this point, only the root user is allowed to unlock the account
The chage command is used to change the number of days between passwords and the date of the last password change. The chage command can also be used as follows
chage –d 0 username This will force the users to change their password in the next login
From the command above, the root user forced the user to create a new password before login
chage –l username : This will list the username current settings as regards to its password policy
You remember setting the password-aging policy in the previous example and the next example after, the root enforced the user to create a new password before login in the system. Meanwhile, here is the information about the user’s password policy. You can see that the first three variables show that the password must be changed and the user’s current password still expires in 30 days and will be warned 7 days before it expires
chage –E YYYY- MM-DD username This will expire the account in the specified date
You can use the date command to specify dates in the future, as seen above. So in this command, we specify the account to expire on the 14th. So you can see that the “Henry’s” account expires on the 14th as against 30th in the previous example
HOW TO RESTRICT ACCESS TO USERS USING usermod COMMAND
Users can be restricted from using an account by either setting the password aging policy with chage command or locking the account with usermod command. it is always necessary to restrict access to users on the system, especially when you running a company, and the user is not actively working in the company. This is important when it comes to protecting the privacy of your company and preventing unauthorized access to the company’s files.
The usermod command with the –L option will lock the user’s account. With the –U option will unlock the account
From the above command, a regular user gained the root privilege by running the sudo command to lock another user. So, when tried switching back to the user, the system says “authentication failure.” Running the usermod –U username unlocked the user, and the account became active again.
Another way to prevent a user from having access to the system is to provide a non-login shell. Sometimes the user needs a password to authenticate to the system but doesn’t need an interactive shell on the system. This way, the user’s account can be set to /sbin/nologin shell**.** With this, the system will close the connection whenever the user tries having access to the system.
The command you see gives a user no interactive shell with the system. You can as well give the user an interactive shell by running usermod –s /bin/bash username.
Please, note that you can switch to any shell of your choice. To know the different shells supported by your Linux system, run cat /etc/shells on the command line**.** This will view all available shells
CONCLUSION
It’s pretty easy, uh! You now understand how to manage user’s password, the various algorithm used in hashing a password, security threats when passwords are not secured as well as how to restrict users account.
Please, note that most of the files and commands used here are sensitive. Improper usage while logged in as root might prevent your system from booting up. It is advised to log in as a regular user during self-training.
As a beginner, try to understand and master your commands in every section of this article because every article you see depends on your knowledge on the previous article
Learning Linux is easy when you dedicate your time in understanding your commands. Just like other operating system, issues arise every day, and knowledge gets deepen in other to solve those problems. I know many at times you wonder how you will be able to grab every command, Yes! It happened to me, but the truth is, you can’t know all your commands, and you can’t have all the knowledge in Linux that’s why you have google. The more you research, the more experience you get