

Each line of /etc/shadow holds the following fields:

- Username – an already existing account name from /etc/passwd.
- Password – the actual hashed password when the respective password entry in /etc/passwd is x.
- Change – date of the last password change (number of days since ) with 0 forcing a change on the next login, and an empty entry meaning no password aging.
- Minimum – minimum number of days between password changes with 0 or an empty entry omitting the constraint.
- Maximum – maximum number of days a password is valid with 99999 as the default.
- Warning – number of days prior to password expiry that should be left for a user to receive a warning about it.
- Inactive – number of days after password expiry, following which the user will become disabled.
- Expire – date after which the user becomes disabled (number of days since ) with 7 as the default.

When editing /etc/shadow directly, it’s best to use the -s switch to vipw, which locks /etc/shadow similar to visudo and the /etc/sudoers file. Critically, vipw doesn’t automatically check the syntax after any edits.

There are many algorithms for encryption. Which one /etc/shadow uses depends on several factors. Usually, the default encryption algorithm can be read or defined via the ENCRYPT_METHOD variable of /etc/fs. Alternatively, we can use the pam_unix.so pluggable authentication module (PAM) and change the default hashing algorithm via /etc/pam.d/common-password.

Another consideration is the presence and version of glibc. In fact, crypt(), as the main password encryption function, leverages glibc. By default, it uses the insecure Data Encryption Standard (DES), but depending on the second argument, we can employ many others. Essentially, the initial characters of the password field value in /etc/shadow identify the encryption algorithm:
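As an added example that is not part of the original article, the following Python script parses constructed /etc/shadow lines into the nine fields above, identifies the hash algorithm from the password field's leading characters using the prefix table documented in crypt(5), and flags entries that still rely on DES or MD5 or have no password at all. The prefix table, the WEAK set and the sample lines (whose hash bodies are placeholders) are assumptions of this example, not content from the page.

```python
"""Audit /etc/shadow entries: identify the hash algorithm from the password
field's prefix and flag weak or passwordless accounts (constructed sample data)."""
import re
# Prefix -> algorithm per crypt(5); a 13-character value with no '$' prefix is DES.
HASH_PREFIXES = {"$1$": "MD5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}
WEAK = {"DES", "MD5"}
FIELDS = "username password change minimum maximum warning inactive expire reserved".split()

def identify_algorithm(pw):
    """Return the algorithm name, or EMPTY/LOCKED/UNKNOWN for non-hash values."""
    if pw == "":
        return "EMPTY"   # no password set at all
    if pw.startswith(("!", "*")):
        return "LOCKED"  # locked account or no usable password
    for prefix, name in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "DES"
    return "UNKNOWN"

def parse_shadow_line(line):
    """Split one shadow line into its nine fields and annotate it."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts))
    entry["algorithm"] = identify_algorithm(entry["password"])
    entry["weak_hash"] = entry["algorithm"] in WEAK
    # An empty maximum, or the 99999 default, means the password never ages.
    entry["never_expires"] = entry["maximum"] in ("", "99999")
    return entry

def audit(lines):
    """Return (username, algorithm) for entries with a weak hash or no password."""
    findings = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            e = parse_shadow_line(line)
            if e["weak_hash"] or e["algorithm"] == "EMPTY":
                findings.append((e["username"], e["algorithm"]))
    return findings

# Constructed sample; the hash bodies are placeholders, not real digests.
SAMPLE = ["root:$6$salt$hashhashhash:19000:0:99999:7:::",
          "alice:$y$j9T$salt$hashhash:19100:1:90:14:30:19500:",
          "legacy:abJnggxhB/yWI:15000:0:99999:7:::",
          "bob:$1$salt$hashhash:18000:0:99999:7:::",
          "daemon:*:19000:0:99999:7:::",
          "guest::19000:0:99999:7:::"]
```

Running `audit(SAMPLE)` reports the legacy DES account, the MD5 account and the passwordless guest entry; the locked daemon account and the SHA-512 and yescrypt entries pass.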
