6.2 Password and Password File



Groups are defined in the /etc/group file (group file), and users are defined in the /etc/passwd file (password file).

Each user requires a password, which is enciphered and recorded in the /etc/shadow file (shadow file).

Passwords are changed with the passwd command.

6.2.1 Password File (/etc/passwd)

User information is stored in the /etc/passwd file (password file). Each line describes one user, with the fields separated by ':'.

The contents of one user's entry (one line) in the password file are as follows.

account:password:UID:GID:GECOS:directory:shell



account
The user name in the system. Don't use capital letters.

password
In the past, this field held the user's enciphered password. It is now filled with 'x'.

UID
User ID number

GID
Primary group ID number to which a user belongs

GECOS (General Electric Comprehensive Operating System)
The user's name or a comment field

directory
User's home directory ($HOME)

shell
The user's command interpreter, which starts at login


In the past, the enciphered password was stored in the password file, but many distributions now store it in the shadow file for security reasons. You should not edit the password file directly with an editor. Using commands such as useradd is recommended.

6.2.2 Group File (/etc/group)

Group information is stored in the /etc/group file (group file). Each line describes one group, with the fields separated by ':'.

The contents of one group's entry (one line) in the group file are as follows.

group_name:password:GID:user_list



group_name
The name of the group.

password
In the past, this field held the enciphered group password. It is blank if no password is needed.

GID
Group ID number

user_list
The list of user names that belong to the group. User names are separated by commas.


You should not edit the group file directly with an editor. Using commands such as groupadd is recommended.
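The following added example (not part of the original text) parses the password file and group file formats described above and reports entries an administrator would want to review. The sample lines, every account name other than penguin, the finding texts, and the parse() and audit() names are constructed for illustration.

```python
# Constructed sample data; on a real host read /etc/passwd and /etc/group.
PASSWD_FIELDS = ("account", "password", "UID", "GID", "GECOS", "directory", "shell")
GROUP_FIELDS = ("group_name", "password", "GID", "user_list")
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
penguin:x:1003:100:LPIC:/home/penguin:/bin/bash
legacy:ab12cdEfGhIjk:1004:100::/home/legacy:/bin/bash
nopass::1005:100::/home/nopass:/bin/bash
toor:x:0:0::/root:/bin/bash
orphan:x:1006:777::/home/orphan:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:penguin,ghost
"""

def parse(text, fields):
    """Split each line on ':' and map the parts onto the field names."""
    records = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} fields: {line!r}")
        records.append(dict(zip(fields, parts)))
    return records

def audit(passwd_text, group_text):
    """Return (name, finding) pairs for entries that need review."""
    users = parse(passwd_text, PASSWD_FIELDS)
    groups = parse(group_text, GROUP_FIELDS)
    names = {u["account"] for u in users}
    gids = {g["GID"] for g in groups}
    findings = []
    for u in users:
        name, pw = u["account"], u["password"]
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw != "x" and pw[0] not in "*!":  # '*' or '!' marks a locked entry
            findings.append((name, "password data in passwd instead of shadow"))
        if u["UID"] == "0" and name != "root":
            findings.append((name, "UID 0 but not root"))
        if u["GID"] not in gids:
            findings.append((name, f"primary GID {u['GID']} not in group file"))
    for g in groups:
        for member in filter(None, g["user_list"].split(",")):
            if member not in names:
                findings.append((g["group_name"], f"member {member} not in passwd file"))
    return findings
```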

6.2.3 Password

To use a user's authority, a user is authenticated by user name and password.

A created user can log in once a password is registered.

The passwd command is used to register and change a user's password.

Because the first password registration requires root user (superuser) authority, you have to do it as the system administrator.

Format

passwd [user_name]


Registers or changes a user's password.


gpasswd [group_name]


Registers or changes a group's password.


Practice: Setting up user password


Let's change the penguin user's password as the root user.

After the password is changed, please log out and log in again.


# passwd penguin ↵                         Change password
Changing password for user penguin.
New UNIX password: xxxxxxxx↵             Enter new password
Retype new UNIX password: xxxxxxxx↵       Enter new password again
passwd: all authentication tokens updated successfully.
# exit ↵                                     Log out from root user
CentOS release 5 (Final)
Kernel 2.6.18-53.el5 on an i686
localhost login: penguin↵             Enter user name
Password: xxxxxxxx↵             Enter changed password
Last login: Sat Feb 9 12:21:09 on tty1
$                                     A prompt is displayed if login succeeds


Please keep in mind that a password should be a complicated character string.

Please set a proper password that is hard for others to guess, using a mixture of upper and lower case letters as well as digits.

6.2.4 Shadow File (/etc/shadow)

A user's password is stored in the shadow file (/etc/shadow) instead of the password file.

The contents of one user's entry (one line) in the shadow file are as follows.


account:password:last_changed:may_be_changed:must_be_changed:warned:expires:disabled:reserved



account
User name

password
The enciphered password

last_changed
The day when the password was last changed (in days since January 1, 1970)

may_be_changed
Number of days before which the password may not be changed

must_be_changed
Number of days after which the password must be changed

warned
Number of days before the password expires that the user is warned of the pending expiration

expires
Number of days after the password expires that the account is considered inactive and disabled

disabled
The day when the account will be disabled (in days since January 1, 1970)

reserved
Reserved field


You should not edit the shadow file directly with an editor. January 1, 1970, which is used as the base date, is the standard reference date of Linux systems.
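The day-count fields are easier to audit once converted to calendar dates. The following added example (not part of the original text) does that conversion and classifies each sample account on a given day. The sample lines, the HASH placeholder, the status labels and the function names are constructed, and the handling of the exact boundary day is an assumption of this example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # base date for last_changed and disabled
SHADOW_FIELDS = ("account", "password", "last_changed", "may_be_changed",
                 "must_be_changed", "warned", "expires", "disabled", "reserved")

# Constructed sample lines; HASH stands in for an enciphered password.
SAMPLE_SHADOW = """\
fresh:HASH:19050:0:90:7:14::
penguin:HASH:19000:0:90:7:14::
late:HASH:18995:0:90:7:14::
stale:HASH:18000:0:90:7:14::
closed:HASH:19000:0:90:7:14:19050:
guest::19000:0:99999:7:::
"""

def day_to_date(days):
    """Convert a 'days since January 1, 1970' field to a calendar date."""
    return EPOCH + timedelta(days=int(days))

def password_status(line, today):
    """Return (account, status, date by which the password must be changed)."""
    rec = dict(zip(SHADOW_FIELDS, line.split(":")))
    def num(key):  # an empty numeric field means "not set"
        return int(rec[key]) if rec[key] else None
    now = (today - EPOCH).days
    if num("disabled") is not None and now >= num("disabled"):
        return rec["account"], "account disabled", None
    if rec["password"] == "":
        return rec["account"], "no password set", None
    if num("last_changed") is None or num("must_be_changed") is None:
        return rec["account"], "no aging", None
    must = num("last_changed") + num("must_be_changed")
    # Assumption of this example: a limit counts as passed on the day after it.
    if num("expires") is not None and now > must + num("expires"):
        status = "inactive"
    elif now > must:
        status = "password expired"
    elif num("warned") is not None and now >= must - num("warned"):
        status = "warning period"
    else:
        status = "ok"
    return rec["account"], status, day_to_date(must)

def report(shadow_text, today):
    """Classify every non-empty line of shadow-format text."""
    return [password_status(l, today) for l in shadow_text.splitlines() if l]
```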

6.2.5 Group Shadow File (/etc/gshadow)

Group passwords are stored in the group shadow file (/etc/gshadow) instead of the group file.

The contents of one group's entry (one line) in the group shadow file are as follows.


group_name:password:administrator_list:member_list



group_name
Group name

password
The enciphered password

administrator_list
The list of administration users who belong to the group. Each user name is separated by a comma.

member_list
The list of users who belong to the group. Each user name is separated by a comma.


You should not edit the group shadow file directly with an editor.

6.2.6 Modify Shadow File

To edit the password file (/etc/passwd) and the shadow file (/etc/shadow) directly, use the vipw command. To edit the group file (/etc/group) and the group shadow file (/etc/gshadow) directly, use the vigr command.



Practice: Edit password file


After creating the penguin user, let's edit the user's account to add the string "LPIC" to the comment field.

Please check whether the comment of the penguin user in the /etc/passwd file has been rewritten.


# useradd -u 1003 penguin ↵             Create user penguin
# vipw ↵             Add string “LPIC” to the comment field by using vipw
# grep penguin /etc/passwd ↵             Check the comment field
penguin:x:1003:100:LPIC:/home/penguin:/bin/bash
#

