Linux Accounts

Like most operating systems, Linux supports multiple user accounts on a computer. These accounts are stored in the passwd file. Passwords are stored in the shadow file.

Learning Objectives

You should be able to:

  • List user accounts
  • Add user accounts
  • List the contents of the password file
  • Describe how passwords are hashed

Video Walkthrough

Use this video to follow along with the steps in this lab.

The passwd File

Older versions of Linux stored usernames and password hashes in the same file--the passwd file. But it turned out that storing both in the same file opened systems up to attack: every program that maps user IDs to names has to read the passwd file, so it must be readable by all users, and any user could therefore copy the hashes and attack them offline at leisure. Modern versions of Linux store some account information in the passwd file, such as usernames and home directories, but password hashes are stored in a separate shadow file. The shadow file has additional protections.

  • Open a Linux terminal.
  • Run
cat /etc/passwd

The contents will be similar to the following.

rwhod:x:122:65534::/var/spool/rwho:/usr/sbin/nologin
iodine:x:123:65534::/run/iodine:/usr/sbin/nologin
miredo:x:124:65534::/var/run/miredo:/usr/sbin/nologin
statd:x:125:65534::/var/lib/nfs:/usr/sbin/nologin
redis:x:126:132::/var/lib/redis:/usr/sbin/nologin
postgres:x:127:133:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mosquitto:x:128:135::/var/lib/mosquitto:/usr/sbin/nologin
inetsim:x:129:136::/var/lib/inetsim:/usr/sbin/nologin
_gvm:x:130:138::/var/lib/openvas:/usr/sbin/nologin
king-phisher:x:131:139::/var/lib/king-phisher:/usr/sbin/nologin
ubuntu:x:1000:1000:,,,:/home/ubuntu:/usr/bin/zsh
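The listing above is easier to read once you know the seven colon-separated fields: username, password placeholder (an "x" means "look in shadow"), UID, GID, comment (GECOS), home directory, and login shell. The following script is an added example, not part of the lab; it parses constructed passwd-format lines with the same layout and reports which accounts actually have a login shell and which have UID 0, two things an administrator auditing a machine usually checks first. The SAMPLE_PASSWD lines are made up to mirror the lab's listing; on a live system you would read /etc/passwd instead.

```shell
#!/bin/sh
# Added example (not from the original lab): parse passwd-format lines
# field by field and report which accounts can log in interactively.
# SAMPLE_PASSWD is constructed to mirror the lab's listing; on a real
# machine feed /etc/passwd to the same functions.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postgres:x:127:133:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
redis:x:126:132::/var/lib/redis:/usr/sbin/nologin
ubuntu:x:1000:1000:,,,:/home/ubuntu:/usr/bin/zsh'

# passwd_field LINE N -> prints field N (1-based) of a passwd line.
# Fields: 1 username, 2 password placeholder (x = hash lives in shadow),
# 3 UID, 4 GID, 5 comment/GECOS, 6 home directory, 7 login shell.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# has_login_shell LINE -> exit 0 when the shell field is a real shell,
# exit 1 for the usual "no login" shells (nologin, false) or an empty field.
has_login_shell() {
    case "$(passwd_field "$1" 7)" in
        */nologin|*/false|"") return 1 ;;
        *) return 0 ;;
    esac
}

# login_accounts -> one username per line for every account in
# SAMPLE_PASSWD that has a real login shell.
login_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        if has_login_shell "$line"; then
            passwd_field "$line" 1
        fi
    done
}

# uid_zero_accounts -> usernames whose UID is 0 (root-equivalent).
# Any entry other than root here deserves a close look on a real system.
uid_zero_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r line; do
        if [ "$(passwd_field "$line" 3)" = 0 ]; then
            passwd_field "$line" 1
        fi
    done
}

echo "accounts with a login shell:"
login_accounts
echo "accounts with UID 0:"
uid_zero_accounts
```

Only the shell field decides interactive access here; service accounts such as redis are skipped because their shell is /usr/sbin/nologin, while postgres, which the lab's listing gives /bin/bash, is reported even though it is a service account.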

The shadow File

In modern Linux distributions, password hashes are stored in the /etc/shadow file. Administrator rights are required to view the contents of the file.

  • Try to view the contents of /etc/shadow without administrator permissions.
cat /etc/shadow

You should get a permission denied error.

$ cat /etc/shadow
cat: /etc/shadow: Permission denied
  • View the contents of /etc/shadow using sudo.
sudo cat /etc/shadow

You should see content similar to the following.

inetsim:!:19500::::::
_gvm:!:19500::::::
king-phisher:!:19500::::::
user:$y$j9T$dl4ti9p1KPx6HrZ59TPMJ/$drMOLlRW8BZmsDQ0riDlPnUDsfyIvRL4qfgODnuZVz4:19500:0:99999:7:::
  • The fields in the shadow file are separated by colons, and many of them are empty. The first field is the username. The second field holds a hash of the password; a "!" or "*" in this field means the account has no usable password and cannot log in with one. Instead of storing passwords in cleartext, a hash is stored so that a password typed at login can be verified without the system ever keeping the password itself.
  • If there is no password hash for the ubuntu user account, this is likely because login is only available using SSH key files instead of passwords. In the next section, you will add user accounts and see their password hashes appear in the shadow file.
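To see how those fields are read in practice, here is an added example (not from the lab) that decodes constructed shadow-format lines: it classifies the second field as locked, empty, or by the hash type its "$id$" prefix announces ("$y$" is yescrypt, the default on current Ubuntu; "$6$" is sha512crypt), pulls the salt out of the hash string, and exposes the third field, which is the day of the last password change counted from 1970-01-01 (19500 is 2023-05-23). The SAMPLE_SHADOW lines are made up to match the lab's listing; days_to_date assumes GNU date.

```shell
#!/bin/sh
# Added example (not from the original lab): decode the fields of
# shadow-format lines. SAMPLE_SHADOW is constructed to match the lab's
# listing; on a real machine use: sudo cat /etc/shadow.
# Fields: 1 user, 2 password hash, 3 last-change day (days since 1970-01-01),
# 4 min days, 5 max days, 6 warn days, 7 inactive days, 8 expiry day, 9 unused.

SAMPLE_SHADOW='inetsim:!:19500::::::
user:$y$j9T$dl4ti9p1KPx6HrZ59TPMJ/$drMOLlRW8BZmsDQ0riDlPnUDsfyIvRL4qfgODnuZVz4:19500:0:99999:7:::
nopw::19500::::::'

# shadow_field LINE N -> prints field N (1-based) of a shadow line.
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# password_state LINE -> locked | empty | yescrypt | sha512crypt |
# sha256crypt | md5crypt | other, judged from the second field.
# "empty" means no password is set at all, which is worth investigating.
password_state() {
    hash=$(shadow_field "$1" 2)
    case "$hash" in
        '') echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$y$'*) echo yescrypt ;;
        '$6$'*) echo sha512crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$1$'*) echo md5crypt ;;
        *) echo other ;;
    esac
}

# hash_salt HASH -> the salt portion of a crypt-style hash string.
# yescrypt is $y$<params>$<salt>$<hash>; the older forms are $id$<salt>$<hash>
# (the "$6$rounds=N$" variant is not handled here).
hash_salt() {
    case "$1" in
        '$y$'*) printf '%s\n' "$1" | cut -d'$' -f4 ;;
        '$6$'*|'$5$'*|'$1$'*) printf '%s\n' "$1" | cut -d'$' -f3 ;;
        *) printf '\n' ;;
    esac
}

# days_to_date DAYS -> calendar date for a "days since 1970-01-01" value.
# Assumes GNU date; 19500 prints 2023-05-23.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%F
}

printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
    printf '%-8s %-12s salt=%s last-change-day=%s\n' \
        "$(shadow_field "$line" 1)" \
        "$(password_state "$line")" \
        "$(hash_salt "$(shadow_field "$line" 2)")" \
        "$(shadow_field "$line" 3)"
done
```

The state column is the useful part for a defender: "locked" accounts (service accounts in the lab's listing) cannot authenticate with a password, and an "empty" second field deserves immediate attention because, depending on the PAM configuration, it can allow login with no password at all.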

Add User Accounts

There are several ways to add Linux accounts. It's important to note that these are local accounts--they exist only on this computer. These accounts are in contrast to accounts stored in a central directory that can be used across devices.

  • Run the following command to create an account. This action requires additional privileges, so sudo is used.
sudo useradd chris
  • Set the password for the chris account. The passwd command is used to change passwords. It requires administrative privileges. Make the password logger.
sudo passwd chris
  • Verify that the new user account is in the shadow file.
sudo cat /etc/shadow
  • Create another user named pat with the password logger (to match Chris' password).
  • View the password hashes in the /etc/shadow file. Notice that even though their passwords are the same, the hashes are different. The hashes differ because random data called a salt was generated for each account and combined with the password before hashing. The salt is stored in the hash string itself (the part between the third and fourth "$" in the entries below), so the system can repeat the same computation when the user logs in.
chris:$y$j9T$GdBCSJyMXTTOBMArjqV8A0$gjvYRioFFWWMZ5FYZAQBUAEQzK82MWMTTV7cz.KlFbA:19549:0:99999:7:::
pat:$y$j9T$WGqJT41hyKfvNaOchF7sE/$3/oH7lwoMyUgaLzqwh.01cOAKRcRGhrPB.2GWl220I1:19549:0:99999:7:::

There are two levels of protection for passwords in the shadow file: 1) restricted access, and 2) hashing.
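The following is an added example, not part of the lab, that reproduces the effect you just observed: the same password "logger" hashed with two different salts gives two different hashes, and the salt stored alongside the hash is what lets the system verify a later login. To keep it runnable anywhere it uses sha256sum over salt+password as a stand-in; the real shadow entries use yescrypt through crypt(3), which is deliberately slow and is not reproduced here. The two salts are constructed values standing in for the random ones useradd and passwd generate.

```shell
#!/bin/sh
# Added example (not from the original lab): show why equal passwords
# get different hashes, and how the stored salt is used to verify a login.
# sha256sum over salt+password is an illustration only; Linux uses yescrypt.

# salted_hash SALT PASSWORD -> "salt$hexdigest", salt kept so it can be reused.
salted_hash() {
    digest=$(printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1)
    printf '%s$%s\n' "$1" "$digest"
}

# verify_password STORED PASSWORD -> exit 0 when PASSWORD reproduces STORED.
# The salt is read back out of the stored string, just as crypt(3) reads it
# out of the $y$...$salt$ portion of a shadow entry; the password itself is
# never stored, only recomputed and compared.
verify_password() {
    salt=${1%%\$*}
    [ "$(salted_hash "$salt" "$2")" = "$1" ]
}

# hashes_differ -> exit 0 when "logger" hashed under two constructed salts
# yields two different strings (the situation in the lab's shadow listing).
hashes_differ() {
    [ "$(salted_hash 'GdBCSJyMXTTOBMArjqV8A0' logger)" != "$(salted_hash 'WGqJT41hyKfvNaOchF7sE/' logger)" ]
}

chris_hash=$(salted_hash 'GdBCSJyMXTTOBMArjqV8A0' logger)   # constructed salt
pat_hash=$(salted_hash 'WGqJT41hyKfvNaOchF7sE/' logger)     # constructed salt

echo "chris: $chris_hash"
echo "pat:   $pat_hash"
if hashes_differ; then
    echo "same password, different salts -> different hashes"
fi
if verify_password "$chris_hash" logger; then
    echo "chris: 'logger' verifies against the stored hash"
fi
if ! verify_password "$chris_hash" wrong; then
    echo "chris: 'wrong' is rejected"
fi
```

Without a salt, every account using "logger" would carry the identical hash, so one precomputed table would cover all of them and a duplicate hash in the file would immediately reveal shared passwords; the per-account salt removes both weaknesses, which is why the hashing layer of the shadow file's protection counts for something even if the file is ever exposed.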

Remove Users

  • To clean up your virtual machine, you can delete the two newly created users.
sudo userdel pat
sudo userdel chris
  • Verify that they no longer exist in the passwd and shadow files.
cat /etc/passwd
sudo cat /etc/shadow

Challenge

  • Add two users using the same password. Compare their password hashes in the shadow file. Are their password hashes the same or different? Why?

Reflection

  • Why do computers store passwords as hashes?
  • Who should be responsible for managing user accounts in large organizations?
  • What are the drawbacks of using local accounts compared to directory accounts?

Key Terms

  • Linux Accounts: User accounts in a Linux operating system that allow individuals to access and interact with the system. Each account has a unique username and is associated with specific permissions and settings. Linux accounts can be for regular users, administrators (root), or system services.
  • passwd File: A system file located at /etc/passwd that contains information about user accounts. Each line in the file represents a user and includes fields such as username, user ID (UID), group ID (GID), home directory, and shell. The actual passwords are not stored in this file for security reasons.
  • shadow File: A system file located at /etc/shadow that stores hashed password information for user accounts. This file is only accessible by the root user and contains additional fields such as password aging information. The separation of password data into the shadow file enhances security by restricting access to sensitive information.