| Line 1: |
Line 1: |
| − | ==Unix/Linux Password File==
| + | GOST R 50739-95 says nothing about number of passes and random data. [[User:.FUF|.FUF]] 11:05, 4 July 2008 (UTC) |
| − | Unix and its various clones have traditionally used the /etc/passwd file to store user account information, including passwords. Because the /etc/password file needs to be world-readable in order for utilities such as `ls` and `finger` to work modern Unix operating systems store the encrypted passwords in 'shadow' file named /etc/shadow.
| + | |
| − | | + | |
| − | {| class="wikitable" border="1"
| + | |
| − | |-
| + | |
| − | !Username
| + | |
| − | |The user's username
| + | |
| − | |-
| + | |
| − | !Password
| + | |
| − | |Older Unixes store the password crypt here, more modern ones use an 'x' character to denote that a shadow file is in use.
| + | |
| − | |-
| + | |
| − | !UID
| + | |
| − | |The numeric user ID of the user
| + | |
| − | |-
| + | |
| − | !GID
| + | |
| − | |The primary numeric group ID of the user
| + | |
| − | |-
| + | |
| − | !GECOS Field
| + | |
| − | |This is a text field which may contain information about the user such as name and contact details
| + | |
| − | |-
| + | |
| − | !Home directory
| + | |
| − | |The user's home directory
| + | |
| − | |-
| + | |
| − | !Shell
| + | |
| − | |The user's Unix shell
| + | |
| − | |}
| + | |
| − | <pre>
| + | |
| − | user1:x:600:600:User 1:/home/user1:/bin/bash
| + | |
| − | user2:x:601:601:User 2:/home/user2:/bin/bash
| + | |
| − | admin:x:602:602:Admin Account:/home/admin:/bin/bash
| + | |
| − | apache:x:603:603:Apache HTTP User:/var/www:/bin/bash
| + | |
| − | someguy:x:604:604:Someguy:/home/someguy:/bin/bash
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | The password is stored as an encrypted one-way hash of the original password. When a user attempts to authenticate the password supplied is encrypted using the same algorithm and compared to the stored password crypt.
| + | |
| − | | + | |
| − | ===Unix Crypt===
| + | |
| − | The most commonly used password encryption in Unix for many year was crypt(). The Unix crypt command can be used to generate the Unix crypt value for a given string.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | jim@localhost ~
| + | |
| − | $ crypt hello
| + | |
| − | S84xRArsM.gtk
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | In modern computing Unix crypt is severly limited. Passwords are restricted to 8 character passwords, and any trailing character as ignored. This puts brute force attacks on Unix crypts well within the realms of possibility.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | jim@localhost ~
| + | |
| − | $ crypt xx hellohel
| + | |
| − | xxiHMKqoMTDuc
| + | |
| − | | + | |
| − | jim@localhost ~
| + | |
| − | $ crypt xx hellohello
| + | |
| − | xxiHMKqoMTDuc
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | ===Salts===
| + | |
| − | Unix passwords usually use what is know as a salt to help make pre-computation of password hashes more difficult. A salt is a string which is prepended to the password before it is encrypted and stored along with the password in /etc/passwd. You cannot simply pre-compute crypt() values for a list of dictionary words, you would need to pre-compute the hash for each word along with every possible salt to produce a rainbow table of Unix password hashes. The result is a number of different hashes for any given password.
| + | |
| − | | + | |
| − | If we use the Unix crypt command to encrypt a password and do not specify a salt then a random salt value is chosen.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | jim@localhost ~
| + | |
| − | $ crypt hello
| + | |
| − | YnxINyIeMlKCM
| + | |
| − | | + | |
| − | jim@localhost ~
| + | |
| − | $ crypt hello
| + | |
| − | v3njh4QHNjoWk
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | The first two characters of the resulting hash are the salt and must be used when subsequently comparing a supplied password with the stored crypt.
| + | |
| − | | + | |
| − | <pre>
| + | |
| − | jim@localhost ~
| + | |
| − | $ crypt v3 hello
| + | |
| − | v3njh4QHNjoWk
| + | |
| − | </pre>
| + | |
| − | | + | |
| − | Salts can be of any length but is typically 2 characters on Unix systems, which helps to ensure compatibility across systems.
| + | |
| − | | + | |
| − | ===MD5/SHA1===
| + | |
| − | | + | |
| − | NIS
| + | |
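Review bot: the whole article body on the left side (the ==Unix/Linux Password File== section with its /etc/passwd field table, the worked crypt examples and the ===Salts=== section) is removed and the only text added on the right side is one signed comment, "GOST R 50739-95 says nothing about number of passes and random data", which has no connection to the removed material; this reads as a talk-page reply posted over the article rather than an edit to it, so the removed text should be restored and the signed comment moved to the talk page. If the text is restored, a few defects in the removed lines are worth fixing in the same edit: the second sentence of the intro refers to "/etc/password" while the first sentence and the example use /etc/passwd; "The password is stored as an encrypted one-way hash" mixes encryption with hashing, and since the page itself describes the value as one-way and verifies a login by recomputing and comparing, "hash" is the right word throughout; "for many year", "severly limited", "any trailing character as ignored" and "what is know as a salt" are typos ("years", "severely", "is ignored", "known as"); "Salts can be of any length but is typically 2 characters" should read "are typically"; and the ===MD5/SHA1=== section contains only the word "NIS", so it is either an unfinished stub or a cut-off heading and should be completed or dropped rather than restored as is.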