Shadow Passwords

Why is there an x in the password field (field 2) of the previous example? When Unix was originally designed, /etc/passwd stored a user's encrypted password string in field 2. The password was encrypted with a one-way hash (the crypt algorithm): converting a string to its hashed value is trivial, but recovering the original string from the hashed value is mathematically difficult (i.e., it would take an extremely long time). This property is common to algorithms used in the security world, especially for things such as passwords. If the original password can't be determined from the hashed value alone, the hashed value itself doesn't need to be protected, because deriving the password from it is mathematically too difficult. So the hashed value can be stored in a world-readable file such as /etc/passwd without compromising the security of the system.

If it’s very difficult to derive a password from its hashed value, how does the system know I’m typing in the right password when I log in? The login process on a Linux system follows these steps:

  1. Prompt user for a username and password.

  2. Look in /etc/passwd to see whether the user account exists.

  3. If it does, encrypt the string given as the password using the crypt algorithm.

  4. Compare the encrypted string given by the user with the encrypted string stored in field 2 of the /etc/passwd entry for that ...
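The four login steps above, as an added example that is not from the book: it parses constructed /etc/passwd and /etc/shadow-style entries, treats an x in field 2 as "look in the shadow entry instead", hashes what was typed and compares it with what is stored. The crypt algorithm itself is replaced by a salted SHA-256 stand-in (hash_password) because crypt(3) is not portable across Python versions; the user names, hashes and the legacy carol entry are all made up for the example.

```python
import hashlib
import hmac

def hash_password(password: str, salt: str) -> str:
    """Stand-in one-way hash (assumption: salted SHA-256 instead of crypt(3)).
    Output layout "$salt$digest" lets the salt be recovered from the stored value."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"${salt}${digest}"

# Constructed sample entries, not real accounts.
# alice/bob use the shadow layout: field 2 of passwd is "x".
# carol shows the original layout with the hash directly in passwd field 2.
PASSWD_LINES = [
    "alice:x:1000:1000:Alice Example:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob Example:/home/bob:/bin/bash",
    "carol:" + hash_password("legacy pass", "Zq") + ":1002:1002:Carol:/home/carol:/bin/sh",
]
SHADOW_LINES = [
    "alice:" + hash_password("correct horse", "Ab") + ":19000:0:99999:7:::",
    "bob:!:19000:0:99999:7:::",   # "!" means no valid hash: account locked
]

def lookup(lines, user):
    """Step 2: find the entry for a user; fields are colon-separated."""
    for line in lines:
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None

def stored_hash_for(user):
    """Return the stored hash, following the x in passwd to the shadow entry."""
    entry = lookup(PASSWD_LINES, user)
    if entry is None:
        return None
    if entry[1] != "x":
        return entry[1]            # original layout: hash lives in passwd
    shadow = lookup(SHADOW_LINES, user)
    return None if shadow is None else shadow[1]

def check_login(user: str, password: str) -> bool:
    """Steps 3 and 4: hash the typed password with the stored salt, compare."""
    stored = stored_hash_for(user)
    if stored is None:
        return False
    parts = stored.split("$")
    if len(parts) != 3:            # "!" or "*" is not a hash: login impossible
        return False
    candidate = hash_password(password, parts[1])
    # Constant-time comparison so a mismatch does not leak where it differed.
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "anything"), ("carol", "legacy pass"), ("nobody", "x")]:
        print(user, pw, check_login(user, pw))
```

Note that the check never needs to reverse the stored hash: it only re-runs the one-way function on the typed password, which is why the hash can sit in a readable file in the book's original model.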
