[TriLUG] how to unshadow
Jon Carnes
jonc at nc.rr.com
Mon Nov 4 13:45:05 EST 2002
No, you are right (well, at least they can't be recovered easily).
All that pwunconv does is move the current encrypted password from a
field in /etc/shadow over to the appropriate field in /etc/passwd. It
doesn't decrypt the password.
You use the file /etc/shadow to store the passwords because it has
limited rights (only the system and root can read the file). The
/etc/passwd file is readable by everyone and everything on your system.
Jon Carnes
On Mon, 2002-11-04 at 13:32, Jeff Bollinger wrote:
> I guess I was wrong, but I thought that because of the Salt on the
> passwords and one-way encryption, that once they were shadowed the
> plaintext password could not be recovered?
>
> Thanks,
> Jeff
>
> Jon Carnes wrote:
> | On Mon, 2002-11-04 at 13:04, Ryan Leathers wrote:
> |
> |>
> |>Quick one I hope - - - I'm in a pinch - how do I unshadow my passwd
> |> Is there a shell script - do I have to do it by hand - or is
> |>there a passwd argument
> |>
> |
> |
> | pwunconv:
> | NAME
> | pwconv, pwunconv, grpconv, grpunconv - convert to and from shadow
> | passwords and groups.
> |
> | SYNOPSIS
> | pwconv
> | pwunconv
> | grpconv
> | grpunconv
> |
> | DESCRIPTION
> | These four programs all operate on the normal and shadow password and
> | group files: /etc/passwd, /etc/group, /etc/shadow, and /etc/gshadow.
> |
> | pwconv creates shadow from passwd and an optionally existing shadow.
> | pwunconv creates passwd from passwd and shadow and then removes
> | shadow. grpconv creates gshadow from group and an optionally existing
> | gshadow. grpunconv creates group from group and gshadow and then
> | removes gshadow.
> |
> | Each program acquires the necessary locks before conversion.
> |
> | pwconv and grpconv are similar. First, entries in the shadowed file
> | which don't exist in the main file are removed. Then, shadowed
> | entries which don't have `x' as the password in the main file are
> | updated. Any missing shadowed entries are added. Finally, passwords
> | in the main file are replaced with `x'. These programs can be used
> | for initial conversion as well as to update the shadowed file if the
> | main file is edited by hand.
> |
> | pwconv will use the values of PASS_MIN_DAYS, PASS_MAX_DAYS, and
> | PASS_WARN_AGE from /etc/login.defs when adding new entries to
> | /etc/shadow.
> |
> | Likewise, pwunconv and grpunconv are similar. Passwords in the main
> | file are updated from the shadowed file. Entries which exist in the
> | main file but not in the shadowed file are left alone. Finally, the
> | shadowed file is removed.
> |
> | Some password aging information is lost by pwunconv. It will convert
> | what it can.
> |
> | _______________________________________________
> | TriLUG mailing list
> | http://www.trilug.org/mailman/listinfo/trilug
> | TriLUG Organizational FAQ:
> | http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>
> - --
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
>
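The state described in the reply above (hashes moved back into field 2 of the world-readable /etc/passwd) can be checked for with a short audit. This is an added example, not part of the original thread; the function names and the sample passwd data (including the hash string) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find password hashes left in a passwd-format file (what
# pwunconv produces) and check that a shadow file is not world-readable.

# Print login names whose field 2 holds a hash instead of a placeholder.
# "x" = shadowed, leading "*" or "!" = locked; empty fields are skipped here.
exposed_hashes() {
    awk -F: '
        /^#/ || NF < 7        { next }
        $2 == "x" || $2 == "" { next }
        $2 ~ /^[*!]/          { next }
        { print $1 }
    ' "$1"
}

# Succeeds if "other" has read permission (8th character of the ls mode string).
world_readable() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# audit PASSWD_FILE SHADOW_FILE: report findings, return 1 if there are any.
audit() {
    rc=0
    users=$(exposed_hashes "$1")
    if [ -n "$users" ]; then
        echo "hashes readable by every local user in $1:" $users
        rc=1
    fi
    if [ -e "$2" ] && world_readable "$2"; then
        echo "$2 is world-readable"
        rc=1
    fi
    return $rc
}

# Constructed sample: alice is shadowed, bob's hash sits in passwd, daemon is locked.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:$1$CONSTRUCTED$notARealHashValue00000:1001:1001::/home/bob:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
audit "$sample" /etc/shadow || echo "findings above need attention"
```

On a live system, run `audit /etc/passwd /etc/shadow`; any account it lists should be re-shadowed with pwconv.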