Where are passwords stored?


Solution 1

Passwords aren't stored themselves. They are transformed by a function, and the value so produced, which is called a hash, is stored.

If you log in, the same function is performed on your input, and the generated value is compared with the one stored in the /etc/shadow file.

The function is of a kind that is hard to invert. So with the value in /etc/shadow, you cannot calculate the original password, and the key in there is not helpful for login - you need the password.

With brute force, you can try to generate such a password, and for common names like 123456, password, asdf, secret, 1111 and so on, the shadow values are already well known, and stored in so-called rainbow tables.

To prevent attacks with rainbow tables, the password function can use a salt, which influences the result. This means that every password uses a different salt, stored in the first two bytes of the password hash string (thanks to psusi, who corrected me), so that you would need a different rainbow table for every password, which is not very practical - it takes too long to generate them, and is expensive.

I'm not sure whether Ubuntu uses a salt. We can wait for somebody who explains it to us, or you could generate the same user with the same password on two machines, and compare the value in /etc/shadow.
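As an added illustration of the mechanism this answer describes (not code from the original post), here is a small Python program that first parses the hash field of shadow-style records to report which scheme and salt each one carries, and then reproduces the salt-hash-and-compare flow with a stand-in function. The stand-in uses PBKDF2-HMAC-SHA512 under a hypothetical "$pbkdf2$" tag rather than glibc's real sha512-crypt, the sample records are constructed with placeholder hashes, and `same_password_two_machines()` runs the experiment the answer proposes: the same password stored twice yields two different values once a fresh salt is used each time.

```python
import hashlib
import hmac
import os

# Prefixes used by glibc/libxcrypt in the hash field of /etc/shadow.
SCHEME_NAMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}

# Hypothetical scheme tag for the stand-in function below; not a real crypt(3) id.
STANDIN_ID = "pbkdf2"
STANDIN_ROUNDS = 100_000


def parse_shadow_line(line):
    """Split one shadow record (user:hash:lastchg:min:max:warn:inactive:expire:flag)
    and decode the hash field into scheme, salt and locked state."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow records have 9 colon-separated fields")
    name, pw = fields[0], fields[1]
    info = {"name": name, "scheme": None, "salt": None,
            # A "!" prefix, or "*" alone, means no password can match this record.
            "locked": pw.startswith("!") or pw == "*"}
    hash_part = pw.lstrip("!")
    if hash_part.startswith("$"):
        parts = hash_part.split("$")          # "", id, [params...], salt, hash
        info["scheme"] = SCHEME_NAMES.get(parts[1], parts[1])
        info["salt"] = parts[-2]
    return info


def make_entry(password, salt=None):
    """Produce "$pbkdf2$salt$hash" for a new password, with a fresh random salt each time."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), STANDIN_ROUNDS)
    return f"${STANDIN_ID}${salt}${digest.hex()}"


def verify_entry(password, entry):
    """Login-time check: re-run the function with the stored salt and compare
    in constant time; the stored value itself is never useful as a credential."""
    _, scheme, salt, digest = entry.split("$")
    if scheme != STANDIN_ID:
        raise ValueError(f"unsupported scheme {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), STANDIN_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest)


def same_password_two_machines(password):
    """The experiment the answer suggests: store the same password twice.
    Returns True when the two stored values differ (a salt is in use) while
    both still verify against the password."""
    first, second = make_entry(password), make_entry(password)
    return first != second and verify_entry(password, first) and verify_entry(password, second)


if __name__ == "__main__":
    # Constructed sample records; the hash strings are placeholders, not real hashes.
    for rec in ["alice:$6$Qx7s2kLm$PLACEHOLDERHASH:19600:0:99999:7:::",
                "daemon:*:19600:0:99999:7:::",
                "bob:!$y$j9T$saltsalt$PLACEHOLDERHASH:19600:0:99999:7:::"]:
        print(parse_shadow_line(rec))
    print(same_password_two_machines("123456"))
```

Reading the scheme prefix is the quick way to check that a machine is not still carrying weak `$1$` (md5-crypt) entries; on current Ubuntu you would expect `$6$` or `$y$`.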

Solution 2

The passwords (or better hashes) are most probably stored in the LDAP server. "Most probably" means that you could have a very strange setup where they are not. LDAP configuration is very flexible, but that also means that without inspecting the config files a clear answer on how it is done in your situation cannot be given. You probably have looked into /etc/ldap.conf on the client for details of the configuration?

One possible setup for LDAP authentication is like this: the client box takes username and password from the login, and performs a bind to the LDAP server with this information. The LDAP server verifies username & password and either returns success or failure. In this setup, the client box never sees the stored password hash from the LDAP server.

Do you know the type of LDAP server used? Whether you can see the hashed user passwords depends on the setup of the LDAP server. See as an example http://www.faqs.org/docs/securing/chap26sec213.html on what you could configure on an OpenLDAP server.

The answer on password hashing from "user-unknown" is correct, it is only that the hashes are not stored in /etc/shadow but in the LDAP server. The hashing itself might also be performed by the LDAP server and not the client box.

Author: redman

Updated on September 18, 2022

Comments

  • redman
    redman almost 2 years

    How do you figure out where users' passwords are stored, for users that can log in? I know the system is using LDAP for users (username, home path, etc.), but it doesn't contain any kind of passwords. I have access to a configured machine, so how do I figure out where the passwords are? (which config file?)

    • Nemo
      Nemo about 13 years
      Are you talking about the user login passwords or the user's saved passwords and keys ?
    • redman
      redman about 13 years
      User login passwords
    • psusi
      psusi about 13 years
      If you are using LDAP then that should also be where the passwords are stored. Normally they just go in /etc/shadow though.
    • redman
      redman about 13 years
      Yes, it's LDAP. I see the user's profile (with ldapsearch) but the password is not there...
    • psusi
      psusi about 13 years
      You probably don't have access to read it.
  • Nemo
    Nemo about 13 years
    Yes, Ubuntu uses salted hashes, using SHA-512 as the hash function.
  • redman
    redman about 13 years
    I don't see any hash or plain-text password in the LDAP user's entry.
  • sBlatt
    sBlatt about 13 years
    Is pam.d configured to authenticate against ldap?
  • psusi
    psusi about 13 years
    The salt is not constant for all passwords on the machine; a new one is generated for each password every time one is stored in /etc/shadow. The salt is stored in the first two bytes of the password hash string.
  • redman
    redman about 13 years
    I only know it's LDAPv3, probably OpenLDAP. In /etc/ldap.conf only uri, base and ldap_version are set/uncommented. bindpw, binddn, rootbinddn etc. are all commented.
  • HelmuthB
    HelmuthB about 13 years
    On your original question, what config files: /etc/nsswitch.conf (lines "passwd" and "shadow"), /etc/pam.d/*ldap* (lines with "pam_ldap.so"), /etc/pam.conf (probably not used), /etc/pam_ldap.conf (might not exist), /etc/ldap.conf. The default field for user passwords is "userPassword", but your setup might be different. Without the credentials of the directory administrator you might have difficulty seeing this field; it is quite common practice to hide it from users.
  • randmin
    randmin over 2 years
    I started to dive into OpenLDAP today, and needed to get the hashed password to verify the hashing algorithm. Your answer helped, as I figured out how to use phpldapadmin to export the target user data, thus getting the hash to display.
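As an added example, not part of the original answers or comments, the following Python sketch shows both sides of the bind-based setup described in Solution 2 and the kind of hash inspection randmin's last comment refers to. An in-memory dictionary stands in for the LDAP server's data, with userPassword values in OpenLDAP's {SSHA} scheme (base64 of sha1(password + salt) followed by the salt); the server-side simple bind answers only success or failure, the client login never sees the stored hash, and `password_scheme()` reports the scheme prefix of an exported userPassword value. The base DN, user names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt); the salt rides along in clear."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recover the salt from the stored value, rehash the candidate, compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(stored):
    """Scheme prefix of an exported userPassword value ("{SSHA}", "{CRYPT}", ...),
    or "plaintext" when there is none, which is the case worth flagging."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return "plaintext"


# Constructed in-memory directory standing in for the LDAP server's data.
BASE_DN = "ou=people,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{BASE_DN}": {"userPassword": ssha_hash("correct horse battery")},
    f"uid=bob,{BASE_DN}": {"userPassword": ssha_hash("hunter2")},
}


def server_simple_bind(dn, password):
    """Server side of a simple bind: the reply is success or failure, nothing more."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        # Same outcome as a wrong password, so the reply does not reveal
        # whether the DN exists.
        return False
    return ssha_verify(password, entry["userPassword"])


def client_login(username, password):
    """Client side, as a pam_ldap-style setup does it: build the DN and bind with the
    user's own credentials. The client box never handles the stored hash."""
    return server_simple_bind(f"uid={username},{BASE_DN}", password)


if __name__ == "__main__":
    print(client_login("alice", "correct horse battery"))   # True
    print(client_login("alice", "wrong"))                   # False
    for value in DIRECTORY.values():
        print(password_scheme(value["userPassword"]))       # {SSHA}
```

If an export shows a userPassword value with no `{...}` prefix, the directory is holding the password in clear, which is the first thing to fix before worrying about which hash is in use.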