The login names used to log in to a system are no big secret, but the
passwords should be chosen such that they are not easy to guess. Efficient
policies for constructing passwords talk about including numbers, using a
mixture of lower and upper cases, etc, when selecting a password. In this
article, we’ll talk about some of the password policies for Linux and how to
make it more secure.
How safe are Linux passwords?
All Linux passwords are stored in a single file name passwd
in /etc directory. This file stores the information in the following format:
login name:encryted password:UID: GID:GCOS:home
directory:shell
The password in this file is encrypted using a package called
crypt, which uses the DES (Digital Encryption Standard) algorithm to do it. The
UID is a numeric ID given to each user. For root it is 0. GID is also a number,
which is the primary group the user belongs to. For root it is 0. The GCOS field
contains information about the user such as his name, organization, and phone
number. This may or may not be filled. The home directory is generally
/home/
shell (bash shell in RedHat) the user is dropped in after login.
The passwd file must have the read rights for everyone. This
is because the login process for all users as well as some of the applications
that they run consults it. Unfortunately, it also means that anyone can open
this file in a simple text editor like vi and read it. This will reveal all
information like login names, group names, and most importantly the password.
Though it’s encrypted, it’s not safe from what are called dictionary
attacks. These can be performed by utilities like Crack. In a dictionary attack,
a number of passwords are generated using different permutations and
combinations and encrypted using the same cryptographic algorithm as the target,
which is DES in this case. The encrypted password can then be compared again
with the password in the /etc/passwd (since it is readable). If they match, then
the initial unencrypted word is the password. If this has started to worry you,
then calm down, because its solution has also been there for a long time. It’s
used in most Linux distributions, including RedHat, and is called the shadow
package.
The shadow suite
The shadow suite is installed by default in RedHat. It
removes the passwords from /etc/passwd and places them in a file called shadow
in the /etc directory. The password field of /etc/passwd contains an
"x" instead. The new file is readable only by the root. The shadow
suite also consists of a number of utilities and commands to add/delete users
and do password aging. The file has the following format:
user name:encrypted password:last modified:min change days:max change
days:warn days:disable days:disable time:reserved
Here, the ‘last modified’ field shows the number of days
since January 1, 1970 that the password was last modified. The ‘min change’
field indicates the number of days before which the user cannot modify his
password. This can be given a 0 value, which means that users can modify their
passwords anytime. The ‘max change’ indicates the number of days after which
a password has to be modified. A user will get a message after the specified
number of days to the password after logging in.
With ‘warn days’, you can specify how many days in
advance should a warning message be flashed to a user before his password
expires. ‘Disable days’ specifies the number of days after which the account
will be locked from the day the password has expired. ‘Disable time’ is the
same as disable days but here the number of days is counted from January 1,
1970. As you can see these additional fields can be used to impose efficient
password policies on users. It’s a good practice to warn or force users to
change their passwords periodically. Let’s use the shadow utilities to add a
user ‘shekhar’ and impose password aging on his account.
There are many who would like to believe
that Open Source software is ideally suited for a resource-challenged country like India.
Those who do so, miss the point that lies at the core of the Open Source movement. The
success of Open Source software has very little to do with the fact that it’s mostly
(though not always) without cost. While many Open Source users are attracted to it because
it’s free, almost always, they stay with it for a much better reason—Open Source
products are also better. A quick look at the list of Indian corporates who’ve
embraced Open Source solutions will drive home a pertinent point—not one of them is
on the list because they couldn’t afford a commercial solution. Free beer gone flat
never attracted anyone.
As one regular poster to the Linux-India
mailing list said: "To believe that cost is an issue with Open Source, is to
misunderstand the etymological roots of the word "Free". Indians are Free, but
Indians are not cheap". He wasn’t just waving the tricolor. He was talking
reason—pure, sound, technical reason. That he was economically right too, was
incidental.
The success of the Open Source development
model derives from the opportunities provided by the Internet. It’s commonly
acknowledged that cheap (free) Internet access in American (not to forget Finnish)
universities was the fuel that drove the movement. The corollary to this is also sadly,
true—since the bulk of Indian universities took an inordinately long time to get
connected, the list of native Indian Open Source products while growing, still remains
miniscule. What little (but commendable) development that exists here is initiated by
commercial firms porting popular Indian applications to Linux (Tally is a superb example).
The message is clear—as you sow Internet access, so shall you reap Open Source.
It’s time to reverse the trend now.
And fast. Several institutions and universities, notably the IIIT (Hyderabad), as well as
small universities like the Goa University are setting up infrastructure and facilities
for students to jumpstart local Open Source development. Short-term training
programs—like the recent ones on the Linux kernel at the IIIT and on Open source for
corporates at Goa University—are first lunges in clawing our way back into the race.
The list of speakers and resource persons at these two programs reads like a who’s
who of Indian Open Source gurus. The Advanced Center for Informatics (ACI), set up at Goa
University with generous support from the National Informatics Center (NIC) of the
Government of India, aims to promote development, and disseminate support and training for
Open Source products in India. With a firm and steady eye on the economic opportunities
presented by Open Source, the ACI even plans to set up an Open Source incubator for
student projects to help them raise venture capital. It always helps to have a bank next
to a lab.