Protect authentication data

Author: ceri ceri@FreeBSD.org FreeBSD|OpenBSD

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

To prevent attacks against system security with password cracking attacks, BSD systems keep encrypted passwords visible to system processes only. An admin should have an understanding of the location of the password database files and their proper permission sets.

Introduction

On a BSD system, user and group information is stored in a local set of password database files, namely /etc/master.passwd.

The password database contains user information such as the user's username, user id, real name, shell, etc.. This information is used by a large number of user programs such as ls(1), login(1), id(1) and so on, which need to determine and possibly display information about one or many users -- for example, running "ls -l" in /tmp may need to retrieve a number of usernames. Of course, the password database must also contain important security related information used by the system, such as the user's encrypted password hash and information required to support features such as password aging and account expiration.

In order to prevent access to the second set of information to processes that do not require it, /etc/master.passwd is readable only by the root user, and a second file, /etc/passwd, is created which contains only the first set of non-privileged information and is readable by all users.

"" # ls -l /etc/master.passwd /etc/passwd "" -rw------- 1 root wheel 3704 Jan 7 12:58 /etc/master.passwd "" -rw-r--r-- 1 root wheel 3028 Jan 7 12:58 /etc/passwd

On a heavily used system with a large number of users, repeatedly searching the flat files /etc/passwd and /etc/master.passwd can take a long time and cause performance issues on the system. Therefore, BSD systems maintain binary versions of these files for fast lookups. /etc/pwd.db is the binary version of /etc/passwd, while /etc/spwd.db is the binary equivalent of /etc/master.passwd. These files are created with the pwd_mkdb(8) command.

Since these files contain the same information as the non-binary versions, they must be similarly protected.

"" # ls -l /etc/spwd.db /etc/pwd.db "" -rw-r--r-- 1 root wheel 57344 Jan 7 12:58 /etc/pwd.db "" -rw------- 1 root wheel 57344 Jan 7 12:58 /etc/spwd.db

Maintaining the Password Databases

Note that, as the name implies, /etc/master.passwd is considered the primary source for user information on a BSD system. Therefore, if you make manual changes to /etc/passwd as documentation for other systems may suggest, your changes can be lost. In order to ensure the integrity of your password databases, only use system provided tools such as vipw(8) to maintain them. See section Create, modify and remove user accounts for information on adding and removing users and modifying the databases.

TODO: make sure we don't have redundant information between these sections. Also check or point to Change a user's default shell. Also maybe move the sections together in the book.

Practice Exercises

  1. Look at the entries for the root user in /etc/master.passwd and /etc/passwd on your system. Use the passwd(5) manual to determine which fields are not present in /etc/passwd
  2. Rebuild the binary lookup databases on your system with "pwd_mkdb /etc/master.passwd". Note that the timestamps are updated on pwd.db and spwd.db.

More information

passwd(5), pw(8), pwd_mkdb(8), vipw(8)