Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)


Shadow Passwords

Shadow: Password shadowing is an enhancement in password security. It creates a file called /etc/shadow from the passwd file in /etc/. In the passwd file all the encrypted passwords are replaced by asterisks. The actual encrypted strings are moved into the shadow password file. The trick is that /etc/passwd is world readable, but /etc/shadow is not. This makes it more difficult to obtain the /etc/shadow file or to do anything with it.


General information


Packages

  1.  Unix Authentication Tools (also in John F. Haugh II's shadow package) -- includes the shadow program by John F. Haugh, II. A replacement for login and passwd that can enable any system to use shadow password files. Includes support for shadow password files, shadow group files, DBM password files, double length passwords, and password aging. This is perhaps one of the best shadowing programs. It includes password aging, restrictions on which port root can log in on, logging of failed attempts, and proactive password checking. Allows 16 character passwords. This is definitely a must have!

Other packages:

  1. Shadow in a Box by Micheal Quan. It's a compilation of utilities for managing all your shadow passwords. It includes tools for FTP, POP, sudo, xlock, as well as a crack library.
  2. passwd+: Matt Bishop's passwd+ offers extensive logging of successful and failed logins, as well as significant characters in the password.
  3. anlpasswd: By Argonne National Laboratory. It features these rules out of the box: number and spaces, uppercase, lowercase, all numbers, and leading capital letters.

    shadow

    William Colburn -- old precompiled binaries


Password documentation


The Shadow-HOWTO

How do I enable long passwords

shadow support in linux conf
Foiling the Cracker: A Survey of, and Improvements to, Password Security
OPUS: Preventing Weak Password Choices
UNIX Password Security - Ten Years Later
Unix Password Security
Password Security: A Case of History

Knowledge Base - What are shadow passwords

Shadow Passwords -- slides from nasa.gov

The Linux NIS(YP)/NYS/NIS+ HOWTO: Shadow Passwords with NIS and PAM -- Shadow passwords over NIS are always a bad idea. You lose the security which shadow gives you. A good way to avoid shadow passwords over NIS is to put only the local system users in /etc/shadow. Remove the NIS user entries from the shadow database, and put the password back in passwd. So you could use shadow for the root login, and normal passwd for NIS users. This has the advantage that it will work with every NIS client.

the Shadow Password HOWTO

Shadow Utilities RedHat

- 11.5 Shadow Utilities: Support for shadow passwords has been enhanced significantly for Red Hat Linux 5.2. Shadow passwords are a method of improving system security by moving the encrypted passwords (normally found in /etc/passwd) to another file...

Unix Shadow Passwords
When shadow files were first implemented, some systems created or modified the system calls so they would return the encrypted password. This kept users from downloading the password file, but if you could make the system calls you could recreate the files yourself.


deshadow.c 
shcrack.c cracks too 
unshad.c tiny deshadow program


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008