Adding and Removing Users:

The account information (users and groups) is controlled by 2 files on a typical UNIX workstation. They are:

    /etc/passwd
    /etc/group

The password file (/etc/passwd) contains a series of lines, each describing one account. Each line in the file has 7 fields, separated by a colon (":"). An example is:

    root:DFkS2oDEJxgmY:0:0:Super User:/:/bin/sh

The fields correspond to the following:

    Field 1: Login name: root
    Field 2: Encrypted password: DFkS2oDEJxgmY
    Field 3: UID (User ID): 0
    Field 4: GID (Group ID): 0
    Field 5: GECOS (Real name): Super User
    Field 6: Home directory: /
    Field 7: Shell: /bin/sh

A login name can only be used once in the password file, but everything else (including the important field --- the UID) can be reused.

The encrypted password is produced using the crypt(3) function. It takes 2 arguments: the string to encrypt and a "salt". The salt is returned as the first 2 characters of the encrypted string. To experiment, you can use the perl crypt function:

    $ perl -e 'print crypt("password", "DF"), "\n"'
    DFkS2oDEJxgmY

This produces the crypt string for the password "password" using the salt "DF".

The procedure that login programs use for checking passwords is:

1. Ask for a login name.
2. Check that the login name specified is valid.
3. Get the crypt string from the passwd file.
4. If the crypt string is empty, allow the user to log in; otherwise ask for a password.
5. Run crypt on the given password, using the first 2 characters of the stored crypt string as the salt.
6. If the crypt-ed version of the given password matches the stored version, allow the user to log in.

In Bourne shell, you could write a simple login program as follows:

    #! /bin/sh
    # Change this to a copy of the password file in your home directory
    # to try this script out.
    PASSWDFILE=/etc/passwd

    # Ask the user for a login name (printf is portable; "echo -n" is not)
    printf "Login: "
    read -r login

    # Get the crypt string from the password file.  awk compares the whole
    # first field for equality, so a login name containing pattern
    # characters cannot match lines it should not; awk exits non-zero if
    # the login was not found at all.
    crypt_string=`awk -F: '$1 == login { print $2; found = 1 } END { exit !found }' login="$login" "$PASSWDFILE"`
    if test "$?" != 0
    then
        echo "Login not found. Try again."
        exit 1
    fi

    # If it is empty, let them in
    if test "$crypt_string" = ""
    then
        echo "Welcome."
        exit 0
    fi

    # Prompt them for a password, turning echo back on even if the
    # script is interrupted while it is off.
    trap 'stty echo' 0 2
    printf "Password: "
    stty -echo
    read -r password
    stty echo
    echo ""

    # Extract the salt (the first 2 characters) from the stored crypt string
    salt=`echo "$crypt_string" | cut -c-2`

    # Generate a crypt string for the password they supplied, using the
    # extracted salt.  Both values are handed to perl through the
    # environment so that user input is never interpolated into perl code.
    comparison=`PW="$password" SALT="$salt" perl -e 'print crypt($ENV{PW}, $ENV{SALT})'`

    # If the crypt strings match, let them in; otherwise, tell them
    # that they don't match.
    if test "$crypt_string" = "$comparison"
    then
        echo "Password matches. Welcome."
        exit 0
    else
        echo "Password does not match. Try again."
        exit 2
    fi

The group file has a similar format, but it only has 4 fields. An example entry is:

    root:*:0:

These fields correspond to:

    Field 1: Group name: root
    Field 2: Password: *
    Field 3: Group ID (GID): 0
    Field 4: Members: (empty)

For a given login, that login belongs to the following groups:

1. The group specified by the GID field in /etc/passwd.
2. Any group in /etc/group where that login name is in the member list.

The group specified by a user's GID is called the user's primary group. This is the group that shells use as the default group, and it determines the group ownership of the files a user creates (for example, what group a new file is created with).

The optional password field in the group entry allows users who aren't listed in the member list to set their group to that group. They will be challenged for the password, and if they supply it correctly, they will be allowed to change their group. The GID of a shell is changed with the newgrp(1) command.

Odds and Ends:

Because of the algorithm that crypt uses, no password can encrypt to a single character, or to an asterisk ("*"). For this reason, to prohibit logins or to disable a password, administrators put a "*" in the password field.

On our desktop machines, you will notice that your login name isn't listed in the password file (nor is your group listed in the group file). We will learn more about this when we talk about NIS, but the entries that begin with a "+" are what make your logins available to the machine.

Systems may allow the administrator to tune the sources that are used to provide login and group information (for example, by letting the admin use NIS for login information). On most systems, that is controlled by the /etc/nsswitch.conf file. We will learn more about this later.

When the encrypted passwords are listed in /etc/passwd, any user of the system can run "brute-force" password cracking applications. These applications simply try possible passwords, crypt each one with the salt from the file, and compare the result to the crypt strings in the password file until one is found to be correct. For this reason, a concept called shadowed passwords was introduced. Under this scheme, the password field in /etc/passwd contains an "x" for every account whose real crypt string the system keeps in the /etc/shadow file instead, which only the administrator can read. This allows users to look at the password file to get information about the accounts (finger uses this file, for example), but keeps them from seeing the crypt strings. We use this scheme for the essential accounts on our systems (the root account, etc.).
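As an added example (not code from the original notes), the following Python program applies the rules above to passwd-, group- and shadow-style text: it parses the 7-field and 4-field records, resolves a login's primary and supplementary groups, runs the six-step login check including the empty, "*" and "x" (shadowed) password cases, and audits the password file for entries an administrator would want to look at. The file contents embedded below are constructed for the example, not copied from a real system; the crypt(3) call is a parameter so that the logic can be exercised without Python's deprecated `crypt` module.

```python
"""Account-database helpers for the rules in the notes above.

Added example, not code from the original notes.  The passwd/group/shadow
text below is constructed, not copied from a real system.  crypt(3) is
injectable so the login logic runs without Python's deprecated 'crypt'.
"""
import hmac
from collections import namedtuple

PASSWD_TEXT = """\
root:DFkS2oDEJxgmY:0:0:Super User:/:/bin/sh
guest::1001:100:Guest Account:/tmp:/bin/sh
bin:*:2:2:System binaries:/bin:/bin/sh
alice:x:1002:100:Alice Example:/home/alice:/bin/sh
"""
GROUP_TEXT = """\
root:*:0:
users:*:100:
wheel:*:10:alice
staff:*:50:alice,guest
"""
SHADOW_TEXT = "alice:DFkS2oDEJxgmY:0:0:99999:7:::\n"   # 9 fields; aging ignored

PasswdEntry = namedtuple("PasswdEntry", "login pw uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name pw gid members")


def _records(text, nfields, what):
    """Colon-split each non-empty line, rejecting a wrong field count."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{what} line {lineno}: {len(fields)} fields, expected {nfields}")
        yield fields


def parse_passwd(text):
    """Login name -> PasswdEntry.  Logins must be unique; UIDs may repeat."""
    db = {}
    for f in _records(text, 7, "passwd"):
        if f[0] in db:
            raise ValueError(f"duplicate login name {f[0]!r}")
        db[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return db


def parse_group(text):
    """Group name -> GroupEntry; members are comma separated and may be empty."""
    return {f[0]: GroupEntry(f[0], f[1], int(f[2]),
                             frozenset(m for m in f[3].split(",") if m))
            for f in _records(text, 4, "group")}


def parse_shadow(text):
    """Login name -> crypt string from shadow-style text."""
    return {f[0]: f[1] for f in _records(text, 9, "shadow")}


def groups_for(login, passwd, groups):
    """Primary group (GID from passwd) plus every group listing the login."""
    gid = passwd[login].gid
    return {g.name for g in groups.values() if g.gid == gid or login in g.members}


def system_crypt(word, salt):
    """crypt(3) via the standard library, imported lazily because the module
    is deprecated (removed in Python 3.13); callers may pass their own."""
    import crypt
    return crypt.crypt(word, salt)


def check_login(login, password, passwd, shadow, crypt_fn=system_crypt):
    """The six-step check from the notes, plus the 'x' (shadow) and '*' cases.
    Returns a verdict string instead of exiting so the logic can be tested."""
    entry = passwd.get(login)
    if entry is None:
        return "no such login"
    stored = shadow.get(login, "*") if entry.pw == "x" else entry.pw
    if stored == "":
        return "ok (no password set)"
    if stored == "*" or len(stored) < 2:          # crypt never yields these
        return "locked"
    candidate = crypt_fn(password, stored[:2])    # first two chars are the salt
    return "ok" if hmac.compare_digest(candidate, stored) else "bad password"


def audit_passwd(passwd):
    """Findings an admin would review: password-less logins, crypt strings
    left in the world-readable passwd file, and UID 0 on non-root accounts."""
    findings = []
    for e in passwd.values():
        if e.pw == "":
            findings.append((e.login, "no password required"))
        elif e.pw not in ("x", "*"):
            findings.append((e.login, "crypt string not shadowed"))
        if e.uid == 0 and e.login != "root":
            findings.append((e.login, "extra UID 0 account"))
    return sorted(findings)


if __name__ == "__main__":
    db, gr = parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)
    print({name: sorted(groups_for(name, db, gr)) for name in db})
    print(audit_passwd(db))
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken does not depend on how many leading characters of the guess happen to match the stored string. The audit is the defensive counterpart of the cracking problem described above: any account whose crypt string is still visible in /etc/passwd is reported, as is any account that needs no password at all.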