topic Re: Shadow Password in Operating System - HP-UX

Shadow Password

Sunil Rahate_1 — Fri, 05 Dec 2008 06:31:12 GMT

Hello,

I need to configure Shadow password on Itanium server version B.11.31

Need to know what steps are required to follow and does the system requires reboot.

Thanks & Regards

Re: Shadow Password

likid0 — Fri, 05 Dec 2008 07:20:40 GMT

man pwconv

pwconv(1M) pwconv(1M)

NAME
pwconv - install, update or check the /etc/shadow file

SYNOPSIS
/usr/sbin/pwconv [-t] [-v]

DESCRIPTION
The pwconv command installs or appends /etc/shadow with information
from /etc/passwd, or checks for any discrepancies between the contents
of the two files.

The pwconv command without options does the following:

1. Creates the file /etc/shadow if it does not exist; otherwise,
it removes all entries for usernames that are not present in
/etc/passwd.
2. For each entry in /etc/passwd, move the encrypted password
and aging information to /etc/shadow. Entries in /etc/passwd
that have no encrypted password or aging information will not
overwrite information in /etc/shadow.
3. Writes an "x" in each password field of the /etc/passwd file
to indicate that the password and aging information reside in
the /etc/shadow file.

Re: Shadow Password

unixguy_1 — Fri, 05 Dec 2008 07:38:10 GMT

Hi Orange,

I have some doubt about the shadow password.

What is it used?

Can u guide me something,iam not able to understand, what's differnece between the /etc/passwd and /etc/shadow.

Pls guide me something.....

Regards,
Unixguy.

Re: Shadow Password

Sunil Rahate_1 — Fri, 05 Dec 2008 07:47:44 GMT

Dear Orange,

Does HPUX B.11.31 need any Shadow Bundle to be installed. If bundle not required does pwconv will create the shadow password. After pwconv does the system requires reboot.

Thanks & Regards

Re: Shadow Password

likid0 — Fri, 05 Dec 2008 07:57:36 GMT

It's a way for protecting the encripted passwords you have in /etc/passwd, beacause /etc/passwd has to be read for all the users on the system.

when you use shadow passwd, in /etc/passwd

you get * on the second field:

root:*:0:3::/root:/usr/bin/ksh

and the encrypted passwd goes to another file called /etc/shadow

man shadow more info

the same way if u use a truested system the info goes to /tcb

it's standard on 11.23 and 11.31 you don't need no install any bunble/product.

and you don't need to reboot.

Re: Shadow Password

saravanan08 — Fri, 05 Dec 2008 08:54:49 GMT

straight away we can shift password from /etc/passwd to /etc/shadow y using
command

# pwconv

then change the /etc/shadow parameters like min days max days warning days using

# passwd command with arguments/ refer man page

no need of system reboot
thank you

Re: Shadow Password

~sesh — Fri, 05 Dec 2008 21:02:44 GMT

Normally the password for users are stored in the /etc/passwd file in an encrypted format. When vi / cat the /etc/passwd file you will see some encrypted characters in the second column (after the user name separated by a colon ":").

However, this presents a security problem as somebody knowing the method of encryption can "decrypt" the password easily.

Hence shadow password present one more level of protection by replacing the password from the passwd file to a "x".

You can use the pwconv (to enable shadow password) and pwunconv (to disable shadow password).

Re: Shadow Password

~sesh — Fri, 05 Dec 2008 21:05:57 GMT

Sunil Rahate - I have assigned points to 0 of 35 responses to my questions.

Please do keep assigning points to people who are coming forward to help.