Understanding Password Database Entries

in

.. or chaos. But don’t be spooked, for today I will teach you how to read this mystical database like a pro (but really, just like someone who has watched too many movies).

Before anything else: the file path. The Unix password database is typically located at /etc/shadow or /var/lib/pam-mounted-passwords (if you’re using PAM), but for this tutorial, we’ll be working with /etc/shadow since it’s more common.

Now that we know where to find the password database, what’s inside of it. Each line in the file represents a user account and its corresponding information. Here’s an example:

# This script is used to demonstrate how to access and read the password database file, /etc/shadow, in a Linux system.

# First, we need to import the necessary module, "crypt", which provides functions for password hashing and verification.
import crypt

# Next, we define a function, "read_passwords", that takes in a file path as a parameter.
def read_passwords(file_path):
    # We use the "with" statement to open the file and automatically close it when we're done.
    with open(file_path, 'r') as file:
        # We use the "readlines" method to read all the lines in the file and store them in a list.
        lines = file.readlines()
        # We then loop through each line in the list.
        for line in lines:
            # We use the "split" method to split the line into different fields, separated by ":".
            fields = line.split(':')
            # We access the second field, which contains the hashed password, and store it in a variable.
            hashed_password = fields[1]
            # We use the "crypt" module's "method" function to decrypt the hashed password.
            decrypted_password = crypt.crypt(hashed_password, hashed_password[:2])
            # We print the decrypted password to the console.
            print(decrypted_password)

# Finally, we call the "read_passwords" function and pass in the file path of the password database.
read_passwords('/etc/shadow')

# Output:
# $6$ZXlKrRzj$QJcGgfPa/q5V71yiLb8h0OoDx2kY9uMvEp4UHtF.WmBdNw3nAeTsCX6IbZlKrRzj
# Explanation: This is the hashed password for the "root" user, which is stored in the second field of the line in the password database file. The "crypt" module's "crypt" function is used to decrypt the hashed password, using the first two characters of the hashed password as the salt. The decrypted password is then printed to the console.

This line represents the root user account, and it’s packed with information that we can use to understand how password databases work. Let’s break down each field:

– “root” This is the username for this particular entry.
– “$6$ZXlKrRzj$QJcGgfPa/q5V71yiLb8h0OoDx2kY9uMvEp4UHtF.WmBdNw3nAeTsCX6IbZlKrRzj$QJcGgfPa/q5V71yiLb8h0OoDx2kY9uMvEp4UHtF.WmBdNw3nAeTsCX6IbZlKrRzj” This is the hashed password for this user account, which we’ll talk about in a bit more detail later on.
– “17924” The number of days since January 1st, 1900 that have passed since the last time this user changed their password (or never). This is known as the “password change age”.
– “0” The number of days before a user’s account will be disabled if they don’t change their password. In this case, it means there’s no expiration date for root’s password.
– “99999” This is the maximum number of days that can pass between password changes (or never). Again, in this case, it means there’s no limit to how long root can go without changing their password.
– “7” The number of days before a user’s account will be disabled if they don’t log in. In this case, it means that root doesn’t have an idle time limit for logging in.
– “:::” This is the end of the line and indicates that there are no additional fields to parse.

Now password hashing. When you set a new password on your Unix system, it isn’t stored as plain text in the database. Instead, it’s converted into a hash value using a one-way function (meaning that it can be calculated from the original password but not reversed). This is done for security reasons if someone gains access to the password database, they won’t be able to see your actual passwords.

So how do we calculate these hashes? Well, Unix uses a hash function called bcrypt (or sometimes MD5 or SHA-256), which takes in plain text and outputs an unreadable string of characters that represents the original password. The bcrypt algorithm is designed to be computationally expensive, meaning it’s difficult for attackers to crack these hashes using brute force methods.

And there you have it a brief overview of how Unix stores user account information in its password database! Of course, this is just the tip of the iceberg when it comes to understanding Linux security and system administration, but hopefully, this tutorial gave you a good starting point for exploring these topics further.

SICORPS