Understanding the /etc/passwd file on UNIX/Linux.

Posted: April 27, 2017. At: 10:12 PM. Post ID: 3627

The /etc/passwd file on UNIX/Linux is where the user accounts are stored. The password hashes themselves are kept in the separate /etc/shadow file, which is readable only by the superuser, while /etc/passwd stays world-readable; this separation is what keeps the hashes out of reach of ordinary users. Red Hat Enterprise Linux uses the same system, but the salt is much longer. I guess this is better than Windows, which keeps passwords in the SAM file.

The /etc/passwd file stores information in this format.

Username : Password : UID : GID : Full Name : Home Directory : Default Shell

The Username field contains the username entered by the user at login. The Password field historically held the password hash itself; on a shadowed system it contains an x, meaning the real hash lives in /etc/shadow. The hash is produced by crypt(3) using a scheme such as Blowfish-based bcrypt or MD5-based crypt. When the user enters a password, it is hashed with the same salt and scheme and compared to the stored hash; if the two match, the user is allowed to log in.

The UID field contains the unique numeric user id of the user and the GID field the id of the user's primary group. The Full Name (GECOS) field contains the full name of the user, the Home Directory field the directory the user lands in at login, and the Default Shell field the login shell assigned to the user. This shell must be listed in /etc/shells for this to work correctly.

homer:x:1001:1001::/home/homer:/bin/bash

The strength of each user's password hash is very important, so it is best to use the strongest hashing scheme available. Blowfish-based bcrypt is stronger than the MD5 hashing usually used by applications such as MySQL to store passwords. A program such as John the Ripper may be used to crack the hashes in a password file, and you may run it against your own system to analyse whether your passwords are strong enough. Using upper and lower case letters and numbers makes a password harder to crack, as does making sure that no-one can get hold of your /etc/passwd and /etc/shadow files and retrieve the hashes from them. Changing the shell a user gets at login may be achieved by editing the /etc/passwd file and then logging out and back in again.

This is what the /etc/shadow entry for homer looks like on Fedora 25.

homer:$6$g8.o/A785LyAI1wr$v8zrtjitJvcvlz87sL6iJav4vgJPfUI1pcaR0clKMnjXiDAeoSfYGe24yZpweYCpfU/4JQlK9Y6mllRobe.gA0:17282:0:99999:7:::

This has the username and the hashed password string. The hash starts with $6$, which means it uses the SHA-512 based crypt scheme; the remaining colon-separated fields are the password-aging settings described in shadow(5). Type this command to get more information about the hashing schemes, and how to determine which one is in use from the $id$ prefix.

man 3 crypt
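As an added example (not code from the original post), here is a small Python audit that parses /etc/passwd lines in the seven-field format shown above, checks each login shell against a set standing in for /etc/shells, flags hashes left in the world-readable passwd file, and names the crypt(3) scheme of a /etc/shadow hash from its $id$ prefix. Apart from homer's shadow entry from this post, every sample line is constructed.

```python
"""Audit constructed /etc/passwd and /etc/shadow lines (sample data, not a real host)."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")

# crypt(3) scheme by $id$ prefix; an "x" in passwd means the hash lives in /etc/shadow.
CRYPT_IDS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
LOCKED_OR_SHADOWED = ("x", "*", "!", "!!")
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

def parse_passwd(line):
    """Split one passwd line into its seven fields; reject malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    return PasswdEntry(fields[0], fields[1], int(fields[2]), int(fields[3]), *fields[4:])

def crypt_scheme(hash_field):
    """Name the hashing scheme of a shadow password field, or None if locked/empty."""
    if hash_field == "" or hash_field in LOCKED_OR_SHADOWED or hash_field.startswith("!"):
        return None
    if hash_field.startswith("$"):
        return CRYPT_IDS.get(hash_field.split("$")[1], "unknown")
    return "DES"  # legacy 13-character crypt output has no $id$ prefix

def audit(passwd_lines, valid_shells):
    """Return (username, finding) pairs an administrator would want to review."""
    findings = []
    for line in passwd_lines:
        e = parse_passwd(line)
        if e.password not in LOCKED_OR_SHADOWED:
            findings.append((e.name, "hash stored in world-readable /etc/passwd"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if e.shell not in valid_shells and e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, "login shell not listed in /etc/shells"))
    return findings

def weak_shadow_schemes(shadow_lines, weak=("MD5", "DES", "unknown")):
    """List accounts whose shadow hash uses a scheme considered weak."""
    return [(name, s) for name, s in
            ((l.split(":")[0], crypt_scheme(l.split(":")[1])) for l in shadow_lines) if s in weak]

SAMPLE_PASSWD = [  # constructed
    "root:x:0:0:root:/root:/bin/bash",
    "homer:x:1001:1001::/home/homer:/bin/bash",
    "toor:x:0:0::/root:/bin/sh",
    "legacy:$1$ab$cd:1002:1002::/home/legacy:/bin/tcsh",
]
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash"}  # stands in for /etc/shells
SAMPLE_SHADOW = [  # first line is homer's entry from the post, the rest constructed
    "homer:$6$g8.o/A785LyAI1wr$v8zrtjitJvcvlz87sL6iJav4vgJPfUI1pcaR0clKMnjXiDAeoSfYGe24yZpweYCpfU/4JQlK9Y6mllRobe.gA0:17282:0:99999:7:::",
    "legacy:$1$saltsalt$constructedhashvalue:17282:0:99999:7:::",
    "daemon:*:17282:0:99999:7:::",
]
```

Run audit() over the real files by reading them line by line as root; the shell set can be built from /etc/shells by skipping comment lines.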

There is a good page here that has a lot of information about the format of the /etc/passwd and /etc/shadow files. A very good read.

And here is a nice guide for cracking Windows 10 password hashes.

http://securitronlinux.com/debian-testing/cracking-windows-10-passwords-with-john-the-ripper-on-kali-linux-2016/.
