Passwords are an integral part of Linux security, and they are the most visible part to the user. In this section, you learn how to establish a minimal password policy for your system, where the passwords are stored, and how to manage passwords for your users.

An effective password policy is a fundamental part of a good system administration plan. The policy should cover the following:

► Allowed and forbidden passwords

► Frequency of mandated password changes

► Retrieval or replacement of lost or forgotten passwords

► Password handling by users

The password file is /etc/passwd, and it is the database file for all users on the system. The format of each line is as follows:

username:password:uid:gid:gecos:homedir:shell

The fields are self-explanatory except for the gecos field. This field is for miscellaneous information about the user, such as the user's full name, his office location, office and home phone numbers, and possibly a brief text message. For security and privacy reasons, this field is little used nowadays, but the system administrator should be aware of its existence because the gecos field is used by traditional UNIX programs such as finger and mail. For that reason, it is commonly referred to as the finger information field. The data in this field is comma delimited; the gecos field can be changed with the cgfn (change finger) command.

Note that a colon separates all fields in the /etc/passwd file. If no information is available for a field, that field is empty, but all the colons remain.

If an asterisk appears in the password field, that user is not permitted to log on. Why does this feature exist? So that a user can be easily disabled and (possibly) reinstated later without having to be created all over again. The system administrator manually edits this field, which is the traditional UNIX way of accomplishing this task. Fedora provides improved functionality with the passwd -l command mentioned earlier.

Several services run as pseudo-users, usually with root permissions. These are the system, or logical, users mentioned previously. You would not want these accounts available for general login for security reasons, so they are assigned /sbin/nologin as their shell, which prohibits any logins from those "users."

A list of /etc/passwd reveals the following:

# cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

...

gdm:x:42:42::/var/gdm:/sbin/nologin

named:x:25:25:Named:/var/named:/sbin/nologin

dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

andrew:x:500:500:Andrew Hudson:/home/andrew:/bin/bash

Note that the password fields do not show a password, but contain an x because they are shadow passwords, a useful security enhancement to Linux, discussed in the following section.

It is considered a security risk to keep any password in /etc/passwd because anyone with read access can run a cracking program on the file and obtain the passwords with little trouble. To avoid this risk, shadow passwords are used so that only an x appears in the password field of /etc/passwd; the real passwords are kept in /etc/shadow, a file that can be read by only the sysadmin (and PAM, the Pluggable Authentication Modules authentication manager; see the "PAM Explained" sidebar for an explanation of PAM).

Special versions of the traditional password and login programs must be used to enable shadow passwords. Shadow passwords are automatically enabled during the installation phase of the operating system on Fedora systems.

Let's examine a listing of the shadow companion to /etc/passwd, the /etc/shadow file:

# cat /etc/shadow

root:*:13121:0:99999:7:::

daemon:*:13121:0:99999:7:::

bin:*:13121:0:99999:7:::

sys:*:13121:0:99999:7:::

sync:*:13121:0:99999:7:::

games:*:13121:0:99999:7:::

man:*:13121:0:99999:7:::

...

andrew:$1$z/9LTBHL$omt7QdYk.KJL7rwBiM0511:13121:0:99999:7:::

The fields are separated by colons and are, in order, the following:

► The user's login name.

► The encrypted password for the user.

► When the password was last changed, measured in the number of days since January 1, 1970. This date is known in UNIX circles as the epoch. Just so you know, the billionth second since the epoch occurred was in September 2001; that was the UNIX version of Y2K — not much happened because of it.

► The number of days before the password can be changed (prevents changing a password and then changing it back to the old password right away — a dangerous security practice).

► The number of days after which the password must be changed. This can be set to force the change of a newly issued password known to the system administrator.

► The number of days before password expiration that the user is warned it will expire.

► The number of days after the password expires that the account is disabled (for security).

► The number of days since January 1, 1970 that the account has been disabled.

► The final field is a "reserved" field and is not currently allocated for any use.

Note that password expiration dates and warnings are disabled by default in Fedora. These features are not used on home systems and usually not used for small offices. It is the sysadmin's responsibility to establish and enforce password expiration policies.

The permissions on the /etc/shadow file should be set so that it is not writable or read able by regular users: The permissions should be 600.