[TriLUG] how to unshadow

Jon Carnes jonc at nc.rr.com
Mon Nov 4 13:45:05 EST 2002


No, you are right (well, at least they can't be recovered easily).

All that pwunconv does is move the current encrypted password from a
field in /etc/shadow over to the appropriate field in /etc/passwd.  It
doesn't decrypt the password.

You use the file /etc/shadow to store the passwords because it has
limited rights (only the system and root can read the file). The
/etc/passwd file is readable by everyone and everything on your system. 

Jon Carnes

On Mon, 2002-11-04 at 13:32, Jeff Bollinger wrote:
> I guess I was wrong, but I thought that because of the Salt on the
> passwords and one-way encryption, that once they were shadowed the
> plaintext password could not be recovered?
> 
> Thanks,
> Jeff
> 
> Jon Carnes wrote:
> | On Mon, 2002-11-04 at 13:04, Ryan Leathers wrote:
> |
> |>
> |>Quick one I hope - - - I'm in a pinch - how do I unshadow my passwd
> |>	Is there a shell script - do I have to do it by hand - or is
> |>there a passwd argument
> |>
> |
> |
> | pwunconv:
> | NAME
> |        pwconv,  pwunconv,  grpconv,  grpunconv  - convert to and from
> |        shadow passwords and groups.
> |
> | SYNOPSIS
> |        pwconv
> |        pwunconv
> |        grpconv
> |        grpunconv
> |
> | DESCRIPTION
> |   These four programs all operate on the normal and shadow password and
> |   group  files: /etc/passwd, /etc/group, /etc/shadow, and /etc/gshadow.
> |
> |   pwconv creates shadow from passwd and an optionally existing  shadow.
> |   pwunconv  creates  passwd  from  passwd  and  shadow and then removes
> |   shadow.  grpconv creates gshadow from group and an optionally existing
> |   gshadow.  grpunconv creates group from group and gshadow and then
> |   removes gshadow.
> |
> |   Each program acquires the necessary locks before conversion.
> |
> |   pwconv and grpconv are similiar.  First, entries in the shadowed file
> |   which  don't  exist  in  the  main  file are removed.  Then, shadowed
> |   entries which don't have `x' as the password in  the  main  file  are
> |   updated.  Any missing shadowed entries are added.  Finally, passwords
> |   in the main file are replaced with `x'.  These programs can  be  used
> |   for  initial  conversion  as  well to update the shadowed file if the
> |   main file is edited by hand.
> |
> |   pwconv will use  the  values  of  PASS_MIN_DAYS,  PASS_MAX_DAYS,  and
> |   PASS_WARN_AGE   from  /etc/login.defs  when  adding  new  entries  to
> |   /etc/shadow.
> |
> |   Likewise, pwunconv and grpunconv are similiar.  Passwords in the main
> |   file  are updated from the shadowed file.  Entries which exist in the
> |   main file but not in the shadowed file are left alone.  Finally,  the
> |   shadowed file is removed.
> |
> |   Some password aging information is lost by pwunconv.  It will convert
> |   what it can.
> |
> | _______________________________________________
> | TriLUG mailing list
> |     http://www.trilug.org/mailman/listinfo/trilug
> | TriLUG Organizational FAQ:
> |     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> 
> --
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
> 
> 

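Added example (not part of the original thread and not code from the shadow tools): a simplified Python model of the merge described in the pwunconv man page, run on constructed passwd and shadow text with placeholder hash strings, plus a check that lists the accounts whose hash ends up in the world-readable file. The function names and sample entries are assumptions made for the illustration.

```python
# Constructed sample data; the hash strings are placeholders, not real hashes.
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin\n"
)
SHADOW = (
    "root:$1$SALTSALT$PLACEHOLDERHASHROOT000:11995:0:99999:7:::\n"
    "alice:$1$SALTSALT$PLACEHOLDERHASHALICE0:11995:0:99999:7:::\n"
)


def unconv(passwd_text, shadow_text):
    """Simplified model of the merge in the man page: copy each shadow
    password field into the matching passwd entry unchanged. Entries with
    no shadow line are left alone; aging fields are dropped entirely."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in shadow:
            fields[1] = shadow[fields[0]]  # copied, never decrypted
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def exposed_hashes(passwd_text):
    """Names of accounts whose passwd field 2 holds a hash, i.e. is not the
    shadow marker 'x', not locked ('*' or '!' prefix) and not empty."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        pw = fields[1]
        if pw and pw != "x" and not pw.startswith(("*", "!")):
            names.append(fields[0])
    return names


if __name__ == "__main__":
    merged = unconv(PASSWD, SHADOW)
    print(merged, end="")
    print("hashes in world-readable file:", exposed_hashes(merged))
```

Run against a copy of a real passwd file, exposed_hashes returns an empty list on a shadowed system and the affected account names after an unshadow.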



