There is a line in /etc/passwd for each user and for certain login names used by the system. Each of these lines contains a sequence of fields, separated by colons. The following example shows a typical /etc/passwd file:
$ cat /etc/passwd root:x:0:1:0000-Admin(0000):/: daemon:x:1:1:0000-Admin(0000):/: bin:x:2:2:0000-Admin(0000):/usr/bin: sys:x:3:3:0000-Admin(0000):/: adm:x:4:4:0000-Admin(0000):/var/adm: setup:x:0:0:general system administration:/usr/admin:/usr/sbin/setup powerdown:x:0:0:general system administration:/usr/admin:/usr/sbin/powerdown sysadm:x:0:0:general system administration:/usr/admin:/usr/sbin/sysadm checkfsys:x:0:0:check diskette file system:/usr/admin:/usr/sbin/checkfsys makefsys:x:0:0:make diskette file system:/usr/admin:/usr/sbin/makefsys mountfsys:x:0:0:mount diskette file system:/usr/admin:/usr/sbin/mountfsys umountfsys:x:0:0:unmount diskette file system:/usr/admin:/usr/sbin/umountfsys uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp: nuucp:x:10:10:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/ uucico listen:x:37:4:Network Admin:/usr/net/nls: slan:x:57:57:StarGROUP Software NPP Administration:/usr/slan: jmf:x:1005:21:James M. Farber:/home/jmf:/bin/csh rrr:x:1911:21:Richard R. Rosinski:/home/rrr:/bin/rsh khr:x:3018:21:Kenneth H. Rosen:/home/khr:/bin/ksh
The first field of a line in the /etc/passwd file contains the login name, which is one to seven characters for users. The second field contains the placeholder x. In earlier versions of UNIX (such as System V before Release 3.2), this field contained an encrypted password, leading to a security weakness, since anyone who could access this file could grab encrypted passwords and use them to try to figure out unencrypted passwords. Always using an x provides a degree of protection, but it is still a weakness because an intruder can match it. In most UNIX variants (including UNIX System V Release 3.2 and Release 4, and almost all variants based on SVR4) the encrypted password is in /etc/shadow. The third and fourth fields are the user ID and group ID, respectively.
Comments are placed in the fifth field. This field usually contains names of users and often also contains their room numbers and telephone numbers. The comments field for login names associated with system commands is usually used to describe the purpose of the command. The sixth field is the home directory-that is, the initial value of the variable HOME.
The final field names the program that the system automatically executes when the user logs in. This is called the user’s login shell The standard shell, sh, is the default start-up program. So if the final field is empty, sh will be the user’s start-up program.
Information on the root login is included on the first line of the /etc/passwd file. The user ID of root is 0, its home directory is the root directory, represented by /, and the initial program the system runs for root is the standard shell, sh, because the last field is empty.
As you can see in the preceding example, the /etc/passwd file contains login names used by the system for its operation and for system administration. These include the following login IDs: daemon, bin, sys, adm, setup, power-down, sysadm, checkfsys, makefsys, mountfsys, and umountfsys. It also includes login names used for networking, such as uucp and nuucp, and listen and slan used for the operation of the StarLAN local area network. The start-up program for each of these lognames can be found in the last field of the associated line in the /etc/passwd file.
There is a line in /etc/shadow for each line in the /etc/passwd file. The /etc/shadow file contains information about a user’s password and data about password aging. For instance, the file may look like the following:
# cat /etc/shadow root:1544mU5CgDJds:7197:::::: daemon:NP:6445:::::: bin:NP:6445:::::: sys:NP:6445:::::: adm:NP:6445:::::: setup:NP:6445:::::: powerdown:NP:6445:::::: sysadm:NP:6445:::::: checkfsys:NP:6445:::::: makefsys:NP:6445:::::: mountfsys:NP:6445:::::: umountfsys:NP:6445:::::: uucp:x:7151:::::: nuucp:x:7151:::::: listen:*LK*::::::: slan:x:7194:::::: jmf:dcGGUNSGeux3k:6966:7:100:5:20:11000: rrr:nHyy3vRgMppJ1:7028:2:50:2:10:10895: khr:iy8x5s/ZytJpg:7216:7:100:5:20:10950:
The first field in a line contains the login name. For users with passwords, the second field contains the encrypted password for this login name. The encrypted password consists of 13 characters from the 64-character alphabet, which includes the following characters:., /, 0–9, AZ, and az. This field contains NP (for No Password) when no password exists for that login name; x for the uucp, nuucp, and slan logins; and *LK* for the listen login. None of these strings (NP, x, and *LK*) can ever be the encrypted version of a valid password, so that it is impossible to log in to one of these system logins, because whatever response is given to the “Password:” prompt will not produce a match with the contents of this field. So these logins are effectively locked.
The third field gives the number of days between January 1,1970, and the day when the password was last changed. The fourth field gives the minimum number of days required between password changes. A user cannot change his or her password again within this number of days.
The fifth field gives the maximum number of days a password is valid. After this number of days, a user is forced to change passwords. The sixth field gives the number of days before the expiration of a password that the user is warned. A warning message will be sent to a user upon logging in to notify the user that their password is set to expire within this many days.
The seventh field gives the number of days of inactivity allowed for this user. If this number of days elapses without the user logging in, the login is locked. The eighth field gives the absolute date (specified by the number of days after January 1,1970; e.g., 10895 is May 3, 1999) when the login may no longer be used. The ninth field is a flag that is not currently used but may be used in the future.
Prior to Release 3.2 of UNIX System V, the /etc/passwd file contained encrypted passwords for users in the second field of each line. Because ordinary users can read this file, an authorized user, or an intruder who has gained access to a login, could gain access to other logins. To do this, the user, or intruder, runs a program to encrypt words from a dictionary of common words or strings formed from names, using the UNIX System algorithm for encrypting passwords (which is not kept secret), and compares the results with encrypted passwords on the system. If a match is found, the intruder has access to the files of a user. This vulnerability has been reduced by placing an x in the second field of the /etc/passwd file and using the /etc/shadow file.
Most UNIX variants take advantage of the shadow password file to provide password security, but HP-UX does not. Instead, HP-UX uses the concept of a nontrusted system versus a trusted system. A nontrusted system can be converted to a trusted system using the System Administration Manager (SAM) (see Chapter 13). To make this conversion, go to the Auditing and Security area of SAM, which can be done by double-clicking any of the security display icons.
A trusted HP-UX system has a variety of security enhancements. For example, in a trusted system, encrypted passwords are not kept in the /etc/passwd file but instead are moved to a special set of directories not accessible by ordinary users. Furthermore, a trusted system supports security auditing. Moreover, access to hardwired terminals connected to the system can be controlled. Also, access to the system by users can be restricted depending on the time of day.
On a trusted HP-UX system, the second field of an entry in /etc/passwd is an asterisk (*). The encrypted password for a user is kept in a protected password file, /tcb/files/auth/first letter of last name/username, where “first letter of last name” is replaced by the actual first letter of a user’s last name and the username of that user is employed. (Here the directory tcb is short for trusted computer base and auth is short for authorized.) For example, the password for the user with username ken11 is kept in /tcb/files/auth/k/ken11. Each file containing the encrypted password of a user contains many other fields used for auditing purposes and for controlling logins. The information found in this file includes
- Username (from /etc/passwd)
- User ID (from /etc/passwd)
- Encrypted password
- The time of the last successful login
- The time of the last unsuccessful login attempt
- The time allowed between password changes
- The time of the last successful or unsuccessful attempt to change the password
- When the password expires
- The maximum time allowed between logins
- The length of time when a user is notified before a password expires
- The time of day when the user is permitted to log in
- A flag indicating whether audits occur for this user
- A flag indicating whether the user can select a password or must use one generated by the system
- A flag indicating whether a password undergoes a check for not being easily guessed
- The maximum consecutive unsuccessful logins before the account is locked
- The maximum length of a password
- The number of unsuccessful login attempts until the next successful attempt
- The maximum number of consecutive unsuccessful login tries before the account is locked
- An audit ID
When a user tries to log in, the login program authenticates the user by checking the appropriate fields in the user’s protected password file. The appropriate fields are updated on each logic attempt, successful or not. For details, consult the appropriate manual page for prpwd(4) on your HP-UX system or the book HP-UX System and Administration Guide by Jay Shah.