Linux-based distributions can use many different authentication mechanisms. One of the most commonly used and standard mechanisms is Pluggable Authentication Modules (PAM). The modules used for this are called pam_unix.so or pam_unix2.so and are located in /usr/lib/x86_x64-linux-gnu/security/ in Debian based distributions. These modules manage user information, authentication, sessions, current passwords, and old passwords. For example, if we want to change the password of our account on the Linux system with passwd, PAM is called, which takes the appropriate precautions and stores and handles the information accordingly.
The pam_unix.so standard module for management uses standardized API calls from the system libraries and files to update the account information. The standard files that are read, managed, and updated are /etc/passwd and /etc/shadow. PAM also has many other service modules, such as LDAP, mount, or Kerberos.
The /etc/passwd file contains information about every existing user on the system and can be read by all users and services. Each entry in the /etc/passwd file identifies a user on the system. Each entry has seven fields containing a form of a database with information about the particular user, where a colon (:) separates the information.
cry0l1t3 |
: |
x |
: |
1000 |
: |
1000 |
: |
cry0l1t3,,, |
: |
/home/cry0l1t3 |
: |
/bin/bash |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Login name | Password info | UID | GUID | Full name/comments | Home directory | Shell |
The Password information field is notable for its varying entries. While modern systems store password hashes in /etc/shadow, older systems may store them directly in this field. Since /etc/passwd is readable by all users, storing hashes here poses a security risk.
In Linux systems, passwords are typically stored in an encrypted form in the /etc/shadow file. However, if the /etc/passwd file is writable by mistake, you could clear the password field for the root user. This would leave the password field empty, preventing a password prompt when logging in as root.
#Before
root:x:0:0:root:/root:/bin/bash
#After
root::0:0:root:/root:/bin/bash
#Root without Password
head -n 1 /etc/passwd
su
It contains all the password information for the created users. For example, if there is no entry in the /etc/shadow file for a user in /etc/passwd, the user is considered invalid. The /etc/shadow file is also only readable by users who have administrator rights. The format of this file is divided into nine fields:
cry0l1t3 |
: |
$6$wBRzy$...SNIP...x9cDWUxW1 |
: |
18937 |
: |
0 |
: |
99999 |
: |
7 |
: |
: |
: |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Username | Encrypted password | Last PW change | Min. PW age | Max. PW age | Warning period | Inactivity period | Expiration date | Unused |
sudo cat /etc/shadow
If the password field contains a character, such as ! or *, the user cannot log in with a Unix password. However, other authentication methods for logging in, such as Kerberos or key-based authentication, can still be used. The same case applies if the encrypted password field is empty. This means that no password is required for the login. However, it can lead to specific programs denying access to functions. The encrypted password also has a particular format by which we can also find out some information:
$<type>$<salt>$<hashed>As we can see here, the encrypted passwords are divided into three parts. The types of encryption allow us to distinguish between the following: