cancel
Showing results for 
Search instead for 
Did you mean: 

understanding /etc/passwd.

SOLVED
Go to solution
senthil_kumar_1
Super Advisor

understanding /etc/passwd.

Hi All

It is my /etc/passwd

what is the purpose of second filed. I think it is password field.

some line contains * and some other line contains some characters.

what is the difference?

1)
cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)
weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)
mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)
ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)
dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh
28 REPLIES
Javed Khan_1
Valued Contributor

Re: understanding /etc/passwd.

Hi,

for above case * means account is locked

Javed
Never Give Up
Ivan Krastev
Honored Contributor

Re: understanding /etc/passwd.

The second field is crypted password. See more here - http://docs.hp.com/en/B3921-90010/passwd.4.html

regards,
ivan
Viney Kumar
Regular Advisor

Re: understanding /etc/passwd.

Hi

After go through your /etc/passwd file, i think your system is non-trusted system

In non trusted, its means account is locked or you are not assign any passwd for a user



Ashish Parashar
Frequent Advisor

Re: understanding /etc/passwd.

Hi

Well the second field in the passwd file is for passowrd strings '

You might aware that ,we can have two type of system trusted and nontrusted ...in trusted system the password field conatains * and the actual password string present under /tcb/files/auth directory ..

In non trusted system the string present in password field is actual password of user.

Regards

Ashish
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

The second filed in the /etc/password is for Password of the user.

If it is * it is usually encrypted.

I could find some of the users are having the password "ktieman:4Py4ttQiGGxo <== while some of the users are having "cmurphy:* <<==

I believe you have trusted the server and after that you have untrusted.

When to turn the server into trusted(tsconvert), the password will be encrypted(*) and will be stored in /tcb directory

If you change the again change the system to untrusted, the password field will show as * unless you again change the password.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Please refer to

http://docs.hp.com/en/B3921-60631/passwd.4.html

Look at the "Password Field"
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

I went thru some documents. I found following things.

There are four types of systems available depending password.

1)non-shadowed standard system:

On a non-shadowed standard system, all password fields contain the actual encrypted password in /etc/passwd.

2)shadowed standard system:

all password fields contain an `*' in /etc/passwd, while the actual encrypted passwords reside in /etc/shadow.

3)non trusted system:

On a non trusted system, all password fields contain the actual encrypted password in /etc/passwd.

4)trusted system:

On a trusted system, all password fields contain a `*' in /etc/passwd and the actual encrypted passwords reside in the Protected Password Database
"/tcb/files/auth "


NOTE: A system that has been converted to a trusted system has no /etc/shadow file

Here I have two questions:

1)How to convert HP-UX as trusted system?
2)How to create encrypted password.?




Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Good question:

1)How to convert HP-UX as trusted system?

## You could convert the system to trusted via

# /usr/lbin/tsconvert

2)How to create encrypted password.?

There are two ways.

Shadow password (pwconv)

or

Convert to Trusted.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

I would advice you to go via
http://docs.hp.com/en/B2355-90121/

Also instead of tsconvert, it better you go via sam and convert it,.

SAM-> Auditing and security ->system security policies

This will ask for the system to get it trusted !!
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

For example /etc/passwd file is

1)root:3Km/o4Cyq84Xc:0:10:System Administrator:/:/sbin/sh

2)joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh

Here the second field contains encrypted password in both the entries.

That is some passwords (real words with letters) are converted as Encrypted password and entered here in second filed.

So I am asking that how to creata a real password as encrypted password?
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Hi,

root:3Km/o4Cyq84Xc <<--

The password is in encrypted.

The idea behind changing the system to trusted or creating a shadow password is to change the location of /etc/passwd.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

"So I am asking that how to creata a real password as encrypted password?"

Good question..

But it is not possible, since when you provide the password, lot of algorithm gets executed and hence the above encrypted password gets generated.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

How about assigning some points :)
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

Is it possible that some lines have "*" and others have "encrypted password"?

Ex: /etc/passwd

1)
cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)
weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)
mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)
ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)
dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh
James R. Ferguson
Acclaimed Contributor

Re: understanding /etc/passwd.

Hi Senthil:

> So I am asking that how to creata a real password as encrypted password?

# cat mypwgen
#!/usr/bin/perl -l
die "One arg expected\n" unless @ARGV;
print crypt(
$ARGV[0],
join( '',
( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' )[ rand 64, rand 64 ] )
);
1;

...run as:

# ./mypwgen plaintextpw

...the output will be an encrypted password suitable for use with 'useradd'.

Regards!

...JRF...
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Yes,

Convert the system into Trusted

# /usr/lbin/tsconvert

Password will be in *

Then untrust it

# /usr/lbin/tsconvert -r

Then change the password of any user.

Only for the above user the password will be in encrypted format.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

what is the default system "shadowed" or "trusted"?
James R. Ferguson
Acclaimed Contributor

Re: understanding /etc/passwd.

Hi:

Be advised that the Trusted system implematation is deprecated at 11.31 and will not be supported thereafter. You should consider converting to an '/etc/shadow' implementation.

If you are running on 11.11, you can install:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

If you are running 11.23 or 11.31, no additional software needs to be installed.

Chapter-8 of this guide discusses this:

http://docs.hp.com/en/B2355-90950/index.html

Regards!

...JRF...
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

what is the default system "shadowed" or "trusted"?

Neither. By default the system will come with normal /etc/password having encrypted password.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
OldSchool
Honored Contributor
Solution

Re: understanding /etc/passwd.

Ashish assumes that this system has been converted to trusted mode...I don't believe it has. Its simply a standard password system that has some accounts locked.

in a normal untrusted system, a password of "*" indicates the account was locked.
In your example, lines 1-4 the accounts are locked, while in 5-7 the user has a valid passwd assigned (which is encrypted). you won't see "plaintext" in the password field.

1)cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin

as for "2)How to create encrypted password.?"

Huh? As root, "password " will create a password for . Passwords are always encrypted, no matter standard, trusted or shadow.

senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

can you tell me that history of normal system , trusted system and shadowed system?

such as upto which version trusted system available? and in which version shadowed introduced.? and what is the file names such as "/tcb/files/autt" and "/etc/shadow"
Andrew C Fieldsend
Respected Contributor

Re: understanding /etc/passwd.

When UNIX was first created, passwords were stored in the second field of /etc/passwd as a one-way hash of the real password. Since the * character isn't included in the output character set of the hash function, a * in the password field can't match any entered password, thus locking the account.

Later, because /etc/passwd had to be world readable to allow various library routines to access the other user details stored there, it was thought that this was insecure, and the /etc/shadow file was added to hold the password hash (still computed in the same way). This file could be readable only by root, as the only routines which needed to access it (login, su, and the like) would have to be effectively running as root.

The implementations of the original passwd and shadow files are fairly consistent across manufacturers, but the various manufacturers implementations of the "trusted systems" concepts are less so. (Possibly this is why trusted systems are now deprecated at 11.31?)
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

I think the /etc/password history may be

before HP-UX - 9 ---> /etc/passwd

HP-UX 9 ---> /secure/etc/passwd

HP-UX 10+ ---> /tcb/files/auth

HP-UX 11.23+ --> /etc/shadow.

Is this information correct?

which is more secure "/etc/shadow" or "/tcb/file/auth"?
OldSchool
Honored Contributor

Re: understanding /etc/passwd.

in the std installation, only /etc/passwd is used.

the 'tbc' related stuff indicates that the system in question has been converted to "trusted". Which as JRF noted above, is deprecated at 11.31 (may not be supported int the future)

"shadow" password package is available for 11.11 and up.

as to which is "more secure", I can't address that, but the current direction is moving away from trusted system to shadow password.

of course there are other authentication methods available (LDAP, NIS+ and so forth).

I'm not sure I understand the facination w/ the "history" and which OS versions used what files / methods...especially versions older than 11.xxx.

What is it you are trying to accomplish?