
understanding /etc/passwd.

senthil_kumar_1
Super Advisor

understanding /etc/passwd.

Hi All

It is my /etc/passwd

What is the purpose of the second field? I think it is the password field.

Some lines contain * and some other lines contain some characters.

What is the difference?

1) cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2) klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3) pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4) weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5) mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6) ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7) dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh
Javed Khan_1
Valued Contributor

Re: understanding /etc/passwd.

Hi,

For the above case, * means the account is locked.

Javed
Never Give Up
Ivan Krastev
Honored Contributor

Re: understanding /etc/passwd.

The second field is the crypted password. See more here: http://docs.hp.com/en/B3921-90010/passwd.4.html

regards,
ivan
Viney Kumar
Regular Advisor

Re: understanding /etc/passwd.

Hi

After going through your /etc/passwd file, I think your system is a non-trusted system.

On a non-trusted system, it means the account is locked or no passwd has been assigned to the user.



Ashish Parashar
Frequent Advisor

Re: understanding /etc/passwd.

Hi

Well, the second field in the passwd file is for password strings.

You might be aware that we can have two types of system, trusted and non-trusted. In a trusted system the password field contains * and the actual password string is present under the /tcb/files/auth directory.

In a non-trusted system the string present in the password field is the actual password of the user.

Regards

Ashish
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

The second field in /etc/passwd is for the password of the user.

If it is * it is usually encrypted.

I could find that some of the users have the password "ktieman:4Py4ttQiGGxo" <== while some of the users have "cmurphy:*" <<==

I believe you have trusted the server and after that you have untrusted it.

When you turn the server into trusted (tsconvert), the password will be encrypted (*) and will be stored in the /tcb directory.

If you again change the system to untrusted, the password field will show as * unless you again change the password.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Please refer to

http://docs.hp.com/en/B3921-60631/passwd.4.html

Look at the "Password Field"
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

I went through some documents. I found the following things.

There are four types of systems available, depending on the password.

1)non-shadowed standard system:

On a non-shadowed standard system, all password fields contain the actual encrypted password in /etc/passwd.

2)shadowed standard system:

all password fields contain an `*' in /etc/passwd, while the actual encrypted passwords reside in /etc/shadow.

3)non trusted system:

On a non trusted system, all password fields contain the actual encrypted password in /etc/passwd.

4)trusted system:

On a trusted system, all password fields contain a `*' in /etc/passwd and the actual encrypted passwords reside in the Protected Password Database "/tcb/files/auth".


NOTE: A system that has been converted to a trusted system has no /etc/shadow file

Here I have two questions:

1) How to convert HP-UX to a trusted system?
2) How to create an encrypted password?




Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Good question:

1)How to convert HP-UX as trusted system?

## You could convert the system to trusted via

# /usr/lbin/tsconvert

2)How to create encrypted password.?

There are two ways.

Shadow password (pwconv)

or

Convert to Trusted.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

I would advise you to go via
http://docs.hp.com/en/B2355-90121/

Also, instead of tsconvert, it is better you go via SAM and convert it.

SAM-> Auditing and security ->system security policies

This will ask for the system to get it trusted !!
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

For example /etc/passwd file is

1)root:3Km/o4Cyq84Xc:0:10:System Administrator:/:/sbin/sh

2)joe:r4hRJr4GJ4CqE:100:50:Joe User,Post 4A,12345:/home/joe:/usr/bin/ksh

Here the second field contains the encrypted password in both the entries.

That is, some passwords (real words with letters) are converted to an encrypted password and entered here in the second field.

So I am asking: how to create a real password as an encrypted password?
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Hi,

root:3Km/o4Cyq84Xc <<--

The password is encrypted.

The idea behind changing the system to trusted or creating a shadow password is to change the location of /etc/passwd.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

"So I am asking that how to create a real password as encrypted password?"

Good question..

But it is not possible, since when you provide the password, a lot of algorithms get executed and hence the above encrypted password gets generated.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

How about assigning some points :)
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

Is it possible that some lines have "*" and others have "encrypted password"?

Ex: /etc/passwd

1) cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2) klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3) pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4) weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5) mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6) ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7) dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin/ksh
James R. Ferguson
Acclaimed Contributor

Re: understanding /etc/passwd.

Hi Senthil:

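> So I am asking that how to create a real password as encrypted password?

# cat mypwgen
#!/usr/bin/perl -l
# Print the crypt(3) hash of the plaintext given as the first argument.
die "One arg expected\n" unless @ARGV;
print crypt(
    $ARGV[0],
    # Salt: two random characters from the 64-character crypt alphabet
    join( '',
        ( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' )[ rand 64, rand 64 ] )
);
1;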

...run as:

# ./mypwgen plaintextpw

...the output will be an encrypted password suitable for use with 'useradd'.

Regards!

...JRF...
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

Yes,

Convert the system into Trusted

# /usr/lbin/tsconvert

Password will be in *

Then untrust it

# /usr/lbin/tsconvert -r

Then change the password of any user.

Only for the above user the password will be in encrypted format.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

What is the default system, "shadowed" or "trusted"?
James R. Ferguson
Acclaimed Contributor

Re: understanding /etc/passwd.

Hi:

Be advised that the Trusted system implementation is deprecated at 11.31 and will not be supported thereafter. You should consider converting to an '/etc/shadow' implementation.

If you are running on 11.11, you can install:

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=ShadowPassword

If you are running 11.23 or 11.31, no additional software needs to be installed.

Chapter-8 of this guide discusses this:

http://docs.hp.com/en/B2355-90950/index.html

Regards!

...JRF...
Avinash20
Honored Contributor

Re: understanding /etc/passwd.

what is the default system "shadowed" or "trusted"?

Neither. By default the system will come with normal /etc/passwd having encrypted password.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
OldSchool
Honored Contributor
Solution

Re: understanding /etc/passwd.

Ashish assumes that this system has been converted to trusted mode...I don't believe it has. It's simply a standard password system that has some accounts locked.

In a normal untrusted system, a password of "*" indicates the account was locked.
In your example, lines 1-4 the accounts are locked, while in 5-7 the user has a valid passwd assigned (which is encrypted). You won't see "plaintext" in the password field.

1)cmurphy:*:200:21:C.C.Murphy,US HQ,6588,:/home/murphy:/bin/ksh
2)klabunde:*:252:28:M.C.Klabunde,,,:/home/klabunde:/bin/ksh
3)pwrchute:zf67.sLB9vFPE:257:10:PowerChutePlus,,,:/home/pwrchute:/bin/ksh
4)weber:*:277:32:D.M.Weber,eds,,:/home/weber:/bin/ksh
5)mckeen:xQUDOfLwcnNB6:338:36:C.A.McKeen,EMD LMC,,:/home/ccm/home/mckeen:/bin/ksh
6)ktieman:4Py4ttQiGGxo.:365:36:Ken Tieman,EMD LMC,,:/home/ktieman:/bin/ksh
7)dandawat:xVUyMpkuSeWUY:399:21:Y Dandawate,,,:/home/pz2tl1:/bin

As for "2)How to create encrypted password.?"

Huh? As root, "password " will create a password for . Passwords are always encrypted, no matter standard, trusted or shadow.

senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

Can you tell me the history of the normal system, trusted system and shadowed system?

Such as up to which version was the trusted system available, and in which version was shadowed introduced? And what are the file names, such as "/tcb/files/auth" and "/etc/shadow"?
Andrew C Fieldsend
Respected Contributor

Re: understanding /etc/passwd.

When UNIX was first created, passwords were stored in the second field of /etc/passwd as a one-way hash of the real password. Since the * character isn't included in the output character set of the hash function, a * in the password field can't match any entered password, thus locking the account.

Later, because /etc/passwd had to be world readable to allow various library routines to access the other user details stored there, it was thought that this was insecure, and the /etc/shadow file was added to hold the password hash (still computed in the same way). This file could be readable only by root, as the only routines which needed to access it (login, su, and the like) would have to be effectively running as root.

The implementations of the original passwd and shadow files are fairly consistent across manufacturers, but the various manufacturers' implementations of the "trusted systems" concepts are less so. (Possibly this is why trusted systems are now deprecated at 11.31?)
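
The field rule described above (a * lies outside the hash alphabet, so such an entry can never match an entered password) as a small audit script. This is an added example, not part of the original thread: the sample lines and hash strings are constructed, the function names are hypothetical, and the 13-character length and optional ",aging" suffix are those of the traditional crypt(3)/passwd(4) format.

```shell
#!/bin/sh
# Added example: classify the password field of passwd-format lines.
LC_ALL=C; export LC_ALL   # keep the bracket ranges below ASCII-only

# classify_pwfield FIELD -> prints empty | hash | unmatchable
classify_pwfield() {
    field=${1%%,*}        # drop an optional ",aging" suffix
    if [ -z "$field" ]; then
        echo empty        # no password set: login needs no password
        return 0
    fi
    case $field in
        *[!./0-9A-Za-z]*) # e.g. "*": outside the crypt(3) output alphabet
            echo unmatchable
            return 0 ;;
    esac
    # Traditional crypt(3) output is 2 salt + 11 hash characters
    if [ "${#field}" -eq 13 ]; then
        echo hash
    else
        echo unmatchable  # right alphabet, wrong length (e.g. a placeholder)
    fi
}

# audit_passwd: read passwd-format lines on stdin, print "user<TAB>class"
audit_passwd() {
    while IFS=: read -r user pw rest; do
        case $user in ''|'#'*) continue ;; esac
        printf '%s\t%s\n' "$user" "$(classify_pwfield "$pw")"
    done
}

# Constructed sample; the hash strings are made up, not real crypt output
sample_passwd() {
    cat <<'EOF'
alice:*:200:21:Alice Example:/home/alice:/bin/ksh
bob:ab01CDef.GH2/:252:28:Bob Example:/home/bob:/bin/ksh
carol::300:20:Carol Example:/home/carol:/bin/ksh
dave:ab01CDef.GH2/,2.:301:20:Dave Example:/home/dave:/bin/ksh
erin:x:302:20:Erin Example:/home/erin:/bin/ksh
EOF
}

sample_passwd | audit_passwd
```

On a real system, feed /etc/passwd to audit_passwd on standard input in place of the sample.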
senthil_kumar_1
Super Advisor

Re: understanding /etc/passwd.

I think the /etc/passwd history may be

before HP-UX - 9 ---> /etc/passwd

HP-UX 9 ---> /secure/etc/passwd

HP-UX 10+ ---> /tcb/files/auth

HP-UX 11.23+ --> /etc/shadow.

Is this information correct?

Which is more secure, "/etc/shadow" or "/tcb/files/auth"?
OldSchool
Honored Contributor

Re: understanding /etc/passwd.

In the std installation, only /etc/passwd is used.

The 'tcb' related stuff indicates that the system in question has been converted to "trusted", which, as JRF noted above, is deprecated at 11.31 (may not be supported in the future).

"shadow" password package is available for 11.11 and up.

as to which is "more secure", I can't address that, but the current direction is moving away from trusted system to shadow password.

of course there are other authentication methods available (LDAP, NIS+ and so forth).

I'm not sure I understand the fascination w/ the "history" and which OS versions used what files / methods...especially versions older than 11.xxx.

What is it you are trying to accomplish?