Passwd

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
 
(3 intermediate revisions by one user not shown)
Line 22: Line 22:
 
The original ''crypt'' format is not very secure. Modern systems often use a different format, which begins with a dollar sign:
 
The original ''crypt'' format is not very secure. Modern systems often use a different format, which begins with a dollar sign:
 
  $<algorithm-id>$<salt>$<hashed password>
 
  $<algorithm-id>$<salt>$<hashed password>
 +
 +
The algorithm identifiers are not necessarily standardized, but the following are typical on GNU/Linux systems:
 +
 +
{| class="wikitable"
 +
! Algorithm ID !! Algorithm based on
 +
|-
 +
|<code>1</code>  || [[MD5]]
 +
|-
 +
|<code>2a</code> || [[Blowfish]]
 +
|-
 +
|<code>2y</code> || [[Blowfish]]
 +
|-
 +
|<code>5</code>  || [[SHA-256]]
 +
|-
 +
|<code>6</code>  || [[SHA-512]]
 +
|}
  
 
== GECOS ==
 
== GECOS ==
Line 29: Line 45:
  
 
== Software ==
 
== Software ==
* Many standard utility programs are related to reading and writing these files, including <code>[https://linux.die.net/man/1/passwd passwd]</code>, <code>[https://linux.die.net/man/8/usermod usermod]</code>, <code>[https://linux.die.net/man/8/vipw vipw]</code>, and <code>[https://linux.die.net/man/1/getent getent]</code>.
+
* Many standard utility programs are related to reading and writing these files, including <code>{{Manpage|1|passwd|passwd}}</code>, <code>{{Manpage|8|usermod|usermod}}</code>, <code>{{Manpage|8|vipw|vipw}}</code>, and <code>{{Manpage|1|getent|getent}}</code>.
* Programmatically, to look up user information, the <code>[https://linux.die.net/man/3/getpwent getpwent]</code> family of C library functions may be used. (But password-related functions should probably be done via PAM instead, i.e. with <code>[https://linux.die.net/man/3/pam_authenticate pam_authenticate]</code> and related functions.)
+
* Programmatically, to look up user information, the <code>{{Manpage|3|getpwent|getpwent}}</code> family of C library functions may be used. (But password-related functions should probably be done via [[PAM configuration file|PAM]] instead, i.e. with <code>{{Manpage|3|pam_authenticate|pam_authenticate}}</code> and related functions.)
  
 
== Links ==
 
== Links ==
Line 36: Line 52:
 
** [[Wikipedia: Passwd#Password file]]
 
** [[Wikipedia: Passwd#Password file]]
 
** [[Wikipedia: Passwd#Shadow file]]
 
** [[Wikipedia: Passwd#Shadow file]]
 +
* [[Wikipedia: Crypt (C)]]
 
* [[Wikipedia: Gecos field]]
 
* [[Wikipedia: Gecos field]]
 
* [https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/passwords_etc_passwd_file.htm IBM Knowledge Center: Using the /etc/passwd file]
 
* [https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/passwords_etc_passwd_file.htm IBM Knowledge Center: Using the /etc/passwd file]
 
* [http://www.linfo.org/etc_passwd.html LINFO: The /etc/passwd File]
 
* [http://www.linfo.org/etc_passwd.html LINFO: The /etc/passwd File]
* [https://linux.die.net/man/5/passwd passwd(5) - Linux man page]
+
* {{Manpage|5|passwd}}
* [https://linux.die.net/man/5/shadow shadow(5) - Linux man page]
+
* {{Manpage|5|shadow}}
* [https://linux.die.net/man/5/group group(5) - Linux man page]
+
* {{Manpage|5|group}}
* [https://linux.die.net/man/3/crypt crypt(3) - Linux man page]
+
* {{Manpage|3|crypt}}
  
 
[[Category:File formats with a distinctive filename]]
 
[[Category:File formats with a distinctive filename]]
 
{{DISPLAYTITLE:passwd}}
 
{{DISPLAYTITLE:passwd}}

Latest revision as of 14:00, 14 May 2017

File Format
Name passwd
Ontology

This article describes the format of the traditional Unix /etc/passwd file, and related files, including /etc/shadow, /etc/group, and /etc/gshadow. These files contain information about user accounts. They use text-based formats with colon-separated fields, with one line per user or group.

Note that on modern systems, this is not the only way to manage users. Other methods, such as LDAP or Winbind, may be used as well. The methods to use are usually configured in the /etc/nsswitch.conf file.

The name of the passwd file has become a misnomer, as (hashed) passwords are now rarely stored in it. If hashed passwords are stored locally, they will be in the shadow file instead.

Contents

[edit] Password field

[edit] crypt

The password field in the passwd or shadow file traditionally uses an algorithm and format known simply as crypt. The algorithm uses a DES block cipher, which limits passwords to 8 7-bit characters.

A crypted password is stored as 13 ASCII characters, encoded with a form of Base64. The first two characters encode a 12-bit salt, and the rest encode the hashed password.

One way to generate crypted passwords is with OpenSSL. For example:

$ openssl passwd -crypt -salt AB pass1234

[edit] Other password formats

The original crypt format is not very secure. Modern systems often use a different format, which begins with a dollar sign:

$<algorithm-id>$<salt>$<hashed password>

The algorithm identifiers are not necessarily standardized, but the following are typical on GNU/Linux systems:

Algorithm ID Algorithm based on
1 MD5
2a Blowfish
2y Blowfish
5 SHA-256
6 SHA-512

[edit] GECOS

The so-called GECOS field in the passwd file contains several comma-separated subfields. The subfields include the user's full name, and other information such as phone numbers.

The name GECOS is a nonsensical accident of history. It originally stood for something like General Electric Comprehensive Operating Supervisor (there is conflicting information about whether the S stood for Supervisor, or System).

[edit] Software

  • Many standard utility programs are related to reading and writing these files, including passwd, usermod, vipw, and getent.
  • Programmatically, to look up user information, the getpwent family of C library functions may be used. (But password-related functions should probably be done via PAM instead, i.e. with pam_authenticate and related functions.)

[edit] Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox