In Linux/Debian, were the passwords (/etc/passwd) ever stored as plain text?


Solution 1

From "Password Security: A Case History", by Robert Morris and Ken Thompson (1979) ( http://www.cs.yale.edu/homes/arvind/cs422/doc/unix-sec.pdf ), quoted from the prologue:

The UNIX system was first implemented with a password file that contained the actual passwords of all the users, and for that reason the password file had to be heavily protected against being either read or written.

So yes, originally, the password file contained actual passwords.

EDIT

This was in UNIX. Even by the time the above-referenced paper came out, it was seen as a bad idea. Since Debian is post-1991, it would be ludicrous to assume or believe that the Linux distro would have enabled password files without even crypt protection.

It is far more likely that initial versions of the Debian passwd suite used non-shadowed passwords, which would have stored the encrypted passwords in /etc/passwd itself. The mechanism used back then would have been 'crypt', which is mathematically simpler to compute than the current practice of using md5 (although other options are available).

If you get a chance, pick up the Linux Pro Magazine's "Shell Handbook" edition. I've got a 4-page article on command-line user manipulation, and I talk about the history of UNIX password security.

Solution 2

I've been a Unix SysAdmin since 1992, well before we had /etc/shadow.

Before /etc/shadow, /etc/passwd entries looked something like this:

user:XDjfiejfiejf:1001:1001:Joe User:/home/user:/bin/sh

The second field was the encrypted (not hashed) password entry for the user. Just as it is today, /etc/passwd had permission settings of 644, meaning everyone could read the file. /etc/passwd needs to be world-readable so that (for example) a program can convert a User ID into a Username.

But that also made it possible for a brute-force attack to figure out a user's password without actually trying to log in -- just keep encrypting different strings, and when the attack program's encrypted result was the same as the string stored in /etc/passwd, bingo, you've got the user's password.

Thus was born /etc/shadow. Now the second field of the /etc/passwd file is simply '*', and the encrypted password is stored in /etc/shadow, which has its permissions set to 640 (or sometimes 600) -- meaning you need privileges to even read the encrypted string. No more brute-force attack.
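An added example, not part of the answer above: a small audit that reads text in /etc/passwd format and reports entries whose second field still carries a password string (or is empty) instead of a shadow marker, plus the 644 versus 640 permission check the answer describes. The sample entries are constructed (line 3 reuses the illustrative entry from the answer), and the function names are this example's own.

```python
import re
import stat

# Constructed sample in /etc/passwd format; none of these are real accounts or hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:XDjfiejfiejf:1001:1001:Joe User:/home/user:/bin/sh
alice:ab01FAX.bQRSU:1002:1002:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$abcdef:1003:1003:Bob:/home/bob:/bin/sh
guest::1004:1004:Guest:/home/guest:/bin/sh
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char result
MODULAR = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}

def classify_field(field):
    """Describe what the second field of a passwd entry holds."""
    if field == "":
        return "empty"            # no password required at all
    if field == "x":
        return "shadowed"         # real value lives in /etc/shadow
    body = field.lstrip("!")      # a leading "!" only locks the entry
    if body in ("", "*"):
        return "locked"
    for prefix, name in MODULAR.items():
        if body.startswith(prefix):
            return "inline:" + name
    return "inline:des-crypt" if DES_CRYPT.fullmatch(body) else "inline:unknown"

def audit_passwd(text):
    """Return (line number, user, status) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:
            if line.strip():
                findings.append((lineno, "?", "malformed"))
            continue
        status = classify_field(parts[1])
        if status not in ("shadowed", "locked"):
            findings.append((lineno, parts[0], status))
    return findings

def readable_by_others(mode):
    """True when the 'other' read bit is set, e.g. 0o644 but not 0o640."""
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
```

On a live system the same functions can be fed the contents of /etc/passwd and the result of `os.stat("/etc/shadow").st_mode`.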

Solution 3

If you are really curious about Debian, all the original packages can be found here (http://archive.debian.org/debian/).

From what I can tell by looking at the Packages file, the shadow tools were added in 1.3. A quick look at the 1.1 source for login-utils, which is one of the earliest releases, shows it as using the old crypt() function, which I believe used Triple DES.

Author by

Admin

Updated on September 17, 2022

Comments

  • Admin
    Admin over 1 year

    Someone is telling me so and I have some doubt but I can't find any information on the web.

  • user1364702
    user1364702 about 14 years
    There were non-shadowed passwords in Linux because I remember in the cobwebby corners of my recollection when the switch was made and wondering why the fields in /etc/passwd had changed.
  • Matt Simmons
    Matt Simmons about 14 years
    @Bart: Yeah, it looks like the Shadow suite was ported to Linux in '92, which means it probably wouldn't have hit most distros for a little while
  • Matt Simmons
    Matt Simmons about 14 years
    Also, it looks like Slackware went without Shadow until at least 3.0 (slackware.osuosl.org/slackware-3.3/docs/Shadow-Password-HOWTO)
  • user1364702
    user1364702 about 14 years
    @Matt: That long ago it was ported? I was thinking it was close to '94 or so that I remembered it cropping up. But that could be too. The distros were a little different in nature back then. I remember some of the arcana of getting X to work, and most of the time staying in virtual consoles. I feel old even though supposedly I'm not...wow...
  • user1364702
    user1364702 about 14 years
    @Matt: To FVWM or not to use FVWM...that used to be the big question :-)
  • Matt Simmons
    Matt Simmons about 14 years
    Dreur: Thanks - @Bart: Seriously. Though I feel old because I've been using the same desktop interface for 10 years (windowmaker)
  • user1686
    user1686 about 14 years
    Are you sure that was really "encryption"? AFAIK, crypt() had never used reversible algos...
  • Julie in Austin
    Julie in Austin almost 10 years
    Shadow predates the existence of Linux by a number of years. The original code was written for SCO Xenix. I did a few other ports between '87 and '92, then heard about Linux from a co-worker. By that time, shadow had been packaged with some of the earliest distros. From fuzzy memory, it was just the original sources off of UUNET or Usenet. Bart is right -- distros in the earliest days were totally different. A lot more compiling was required, there were no package managers and usually a "package" was just a tarball that had to be built or extracted manually.
  • user2968902
    user2968902 over 8 years
    That's still properly called a hash, even if implemented using a cypher.