Username   Password       Register

Password Shadowing

Password shadowing is a security system where the encrypted password field of /etc/passwd is replaced with a special token and the encrypted password is stored in a separate file (or files) which is not readable by normal system users.

The getpwent() Unix Password Shadowing Vulnerability

On older Unix systems, password shadowing was often defeated by using a program that made successive calls to getpwent() to obtain the entire password file. Modern Unix systems are not susceptible to this attack.

Example:

#include <pwd.h>
main()
{
struct passwd *p;
while(p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}

Unix Password Shadowing on Various Unix Implementations

Some Unix password shadowing schemes store the shadowed passwords in a single file, while others utilize a hierarchy of multiple files.

Token is the text placed in the second field the /etc/passwd file.


Unix Path Token
AIX 3 and AIX 4 /etc/security/passwd
or
/tcb/auth/files/<first letter of username>/<username>		 !

#
A/UX 3.0s /tcb/files/auth/?/*
BSD4.3-Reno /etc/master.passwd *
ConvexOS 10 /etc/shadpw *
ConvexOS 11 /etc/shadow *
DG/UX /etc/tcb/aa/user/ *
EP/IX /etc/shadow x
HP-UX /.secure/etc/passwd *
IRIX 5 /etc/shadow x
Linux 1.1 /etc/shadow *
OSF/1 /etc/passwd[.dir|.pag] *
SCO Unix 3.2.x /tcb/auth/files/<first letter of username>/<username> *
SunOS4.1+c2 /etc/security/passwd.adjunct ##username
SunOS 5.0 / Solaris 2.x /etc/shadow
or
Optional NIS+ private secure maps
System V Release 4.0 /etc/shadow x
System V Release 4.2 /etc/security/* database
Ultrix 4 /etc/auth[.dir|.pag] *
UNICOS /etc/udb *
blog comments powered by Disqus

Discuss Password Shadowing in the forums.

 
(0 - user rating)