Is it possible to change the password database file (/etc/passwd) in Linux?


Solution 1

You're right: /etc/passwd and /etc/shadow are consulted by pam_unix.so, which is part of PAM. At least on modern Linuxes. You could change this by patching pam_unix.so. If the manpage is to be believed, you can't change the location of the system databases.

And you really don't want to. /etc/passwd isn't just used for authentication, it's also used for (reverse) name resolution and to look up things like the user's full name, shell, et cetera. The name and location are so standardised that moving them would almost definitely break things outside of just PAM. You'd have to patch a lot more than you bargained for.

Update: If you're trying to hide the /etc/{passwd,shadow,group} files for security, don't worry about it. Security by obscurity rarely helps as a policy. Leave them where they are and tighten the rest of your policies.

Update: a possible solution

If you have some custom software that needs to access a different set of user/group databases, you could make a copy of the relevant PAM and NSS modules and patch them to use your custom databases. The original unix databases stay where they are so software isn't confused, but you can set PAM and NSS to use your custom modules wherever you need to and using whatever policy makes sense to you.

Keep the unix databases essentially pristine and you have what you asked for. This is pretty much what the radius and ldap PAM/NSS modules do: they provide an additional (not replacement) source of credentials and user/group information.

Going one step further: you can go back to PAM and NSS and disable the unix database lookups altogether. Leave the files there for old software (naturally, their views of the user/group databases will be inaccurate, but at least they won't break).
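The "additional, not replacement, source" idea above can be seen in miniature with a small model of NSS lookup order. This is an added illustration, not code from the answer or from any PAM/NSS module: it parses passwd(5)-format text, resolves a name through an ordered list of sources the way an nsswitch.conf line like `passwd: files custom` would, and contrasts that with a script that reads /etc/passwd directly. The source name "custom" and all user records are constructed.

```python
"""Toy model of NSS source ordering versus reading /etc/passwd directly.
Constructed data throughout; "custom" is a hypothetical extra NSS source."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Constructed stand-ins for /etc/passwd and for a separate custom database.
SYSTEM_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CUSTOM_DB = """svc_custom:x:2001:2001:Custom service account:/srv/custom:/usr/sbin/nologin
alice:x:9999:9999:Duplicate never seen by NSS:/tmp:/bin/false
"""


def parse_passwd(text):
    """Parse passwd(5)-format text: name:passwd:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


# Order matters: like "passwd: files custom" in nsswitch.conf, the first source
# that answers wins, so a duplicate name in a later source is never consulted.
NSS_SOURCES = [("files", SYSTEM_PASSWD), ("custom", CUSTOM_DB)]


def nss_getpwnam(name, sources=NSS_SOURCES):
    """Mimic getpwnam(3): consult each configured source in order."""
    for _source, text in sources:
        for entry in parse_passwd(text):
            if entry.name == name:
                return entry
    return None


def direct_file_getpwnam(name, passwd_text=SYSTEM_PASSWD):
    """What a script that parses /etc/passwd itself sees: only the files source."""
    for entry in parse_passwd(passwd_text):
        if entry.name == name:
            return entry
    return None
```

Users that exist only in the extra source resolve through the NSS path but are invisible to anything that reads the file directly, which is exactly the breakage the comments below warn about.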

Solution 2

What you're looking for is the pam_pwdfile module. On Debian/Ubuntu the package is libpam-pwdfile (not sure about RedHat-derived distros).

The README included with the package explains how to use it.

Solution 3

I'm not sure if it's possible out of the box, but it's definitely possible with some hacking. In order to do this you'll need to:

  1. Tune/hack nsswitch library (/lib/libnss_files.so or libnss_db.so - check your /etc/nsswitch.conf) so it would read some other file.
  2. Tune/hack pam_unix module so it would read some other files.

Solution 4

Use NIS or LDAP to authenticate your users. Their passwords won't be stored in the /etc/{passwd,shadow} file(s).

Author: Kristof Claes

Updated on September 18, 2022

Comments

  • Kristof Claes, over 1 year

    Is it possible to change the password database file (/etc/passwd) to some other file? How does this authentication mechanism work internally? Does it depend on pam?

    • Shadur, almost 12 years
      Just want to point out that despite its name, /etc/passwd does not in fact contain the actual passwords or even the hashes -- shadowed passwords have been a de facto standard since before I started using unix two decades ago.
  • rvs, almost 12 years
    Name resolution and uid:name matching are done by the nss subsystem, which is also modular (=easily hackable). But you are partially right with it - it may break some scripts that read /etc/passwd directly instead of using libnss.
  • Simon Gates, almost 12 years
    The modularity is welcome but immaterial: it means you have more code to patch, and a lot of software (especially older code) might go straight to the files. This makes for a pretty nasty worst-case scenario.
  • Shadur, almost 12 years
    3. Spend the rest of that system's lifetime dealing with the occasional breakage of random other stuff that expects /etc/passwd to exist...
  • lynxlynxlynx, almost 12 years
    It can also be handled by the older shadow, as not everyone is forced to use pam yet.