WEBVTT

0
00:02.300 --> 00:07.940
In this lecture we'll discuss how the Linux system performs authentication.

1
00:07.940 --> 00:20.410
There are two files of particular interest to us: /etc/passwd and /etc/shadow. The /etc/passwd file contains

2
00:20.420 --> 00:25.000
the basic information about each user account on the system.

3
00:25.110 --> 00:27.520
Let's see the contents of the file!

4
00:28.090 --> 00:30.350
I'm opening it using less.

5
00:33.510 --> 00:38.290
Each line of the file represents a single account, of type

6
00:38.310 --> 00:41.100
normal user or system user,

7
00:41.100 --> 00:43.980
and there are 7 fields on each line.

8
00:43.990 --> 00:47.940
Let's take these fields one by one!

9
00:48.080 --> 00:58.400
The first field is the user's login name; the second field, at the beginning of the Unix era, used to contain

10
00:58.550 --> 01:00.280
an encrypted password.

11
01:00.500 --> 01:08.780
Nowadays it contains the letter x to denote that the password has been assigned but was saved in another

12
01:08.780 --> 01:09.680
file,

13
01:09.680 --> 01:18.660
the shadow file. If this second field is blank, the user does not need to enter a password to log in.

14
01:18.830 --> 01:27.130
The third field is the user ID, a positive integer assigned to the user, followed by the group

15
01:27.160 --> 01:33.220
ID in the fourth field; the fifth field is a comment,

16
01:33.310 --> 01:42.370
sometimes it is left blank. The next field is the user's home directory, and finally the last field

17
01:42.580 --> 01:46.570
is the default shell, usually set to /bin/bash.

18
01:47.800 --> 01:57.190
If instead of bash you see there nologin or false, it means that it is a system user; they are not allowed

19
01:57.370 --> 02:00.060
to log into the system.

20
02:00.110 --> 02:04.000
That was the format of /etc/passwd.

21
02:04.070 --> 02:09.360
I am exiting the file by pressing q. Let's

22
02:09.370 --> 02:14.170
go ahead and take a look at the format of /etc/shadow.

23
02:19.190 --> 02:20.000
This is the file.

24
02:22.520 --> 02:27.630
It stores the actual passwords of the users in an encrypted format.

25
02:27.650 --> 02:34.490
In fact, it is the hash of the password, with additional properties related to users' passwords like

26
02:34.620 --> 02:43.620
password expiration dates. The /etc/passwd file is world-readable, and that means that any user can read

27
02:43.620 --> 02:50.850
it, but the shadow file is only readable by the root account.

28
02:50.900 --> 02:59.390
Let's take a deeper look at the content of the shadow file; each line of the file contains 9 comma

29
02:59.390 --> 03:00.140
separated

30
03:00.170 --> 03:08.900
fields: the first field is the username, and this is how a line in the shadow file is connected to a

31
03:08.900 --> 03:12.800
corresponding line in the password file.

32
03:12.810 --> 03:21.800
The second field represents the password, the entire string between these two colons.

33
03:21.820 --> 03:22.930
This is the password.

34
03:24.380 --> 03:33.760
Then come 7 fields related to password expiration dates, like last password change, minimum and maximum

35
03:33.760 --> 03:36.060
password age and so on.

36
03:37.480 --> 03:44.950
I won't dive deeper into these, but if you are interested you can find a full description of these fields

37
03:45.220 --> 03:48.210
in the man page of the shadow file: man

38
03:48.280 --> 03:54.080
shadow. Here you find a full description of each field.

39
03:57.730 --> 04:00.580
Let's get back to the shadow file.

40
04:00.730 --> 04:08.710
If the password field contains an asterisk (*) or an exclamation point (!), the user will not be able to

41
04:08.710 --> 04:12.660
log in to the system using password authentication.

42
04:12.720 --> 04:20.510
Other login methods, like key-based authentication or switching to the user, are still allowed.

43
04:20.540 --> 04:26.180
This is the case for root in the latest version of Kali Linux.

44
04:26.190 --> 04:29.430
Let's take a deeper look at the password field.

45
04:32.250 --> 04:41.200
This selected field! Usually the password format is set to $type.

46
04:41.280 --> 04:50.160
In this case $6$salt$hashed; the type, 6

47
04:50.190 --> 04:57.510
in this case, is the cryptographic hash algorithm used, and can have the following values:

48
04:57.730 --> 05:12.720
1 means MD5; 2a means Blowfish; 2y means Eksblowfish; 5 means SHA-256; and 6,

49
05:12.720 --> 05:17.230
in this case, means SHA-512.

50
05:17.290 --> 05:25.530
Then comes the salt, this part, and then the hash of the password and the salt together,

51
05:25.560 --> 05:38.650
this part. This is the hash calculated using, in this case, SHA-512, which is an extremely strong algorithm.

52
05:38.700 --> 05:43.050
Let me tell you a few words about the salt, this field

53
05:43.050 --> 05:52.540
in this example. A salt combined with the password is added to the hashing process to enforce the uniqueness

54
05:52.630 --> 06:00.370
of the output hash, or in other words the same password will give different hashes because of this random

55
06:00.370 --> 06:01.770
salt.

56
06:01.790 --> 06:10.410
This mitigates password attacks like rainbow tables. The salt is randomly generated for each password

57
06:10.630 --> 06:18.430
but it's not secret like the password is. If, through having the hash, an attacker can find the clear

58
06:18.430 --> 06:26.530
text password, all the other similar passwords, of other users, are still secure because their hash

59
06:26.530 --> 06:35.410
is different. To make it crystal clear, let me show you an example. I'm exiting the shadow file by pressing

60
06:35.410 --> 06:44.260
q, and I'll create two user accounts; they will have the same password. I'm creating the first user,

61
06:44.320 --> 06:56.130
named user1, and then set its password to test: useradd user1. The user was created. Let's set its password

62
06:56.130 --> 07:08.920
to test: passwd user1, and I'm typing test 2 times; let's create the second user, named user2,

63
07:09.370 --> 07:22.340
with the same password, test: useradd user2, passwd user2, and I'm typing test 2 times.

64
07:26.070 --> 07:33.950
Now let's check the hashes in the shadow file. I am pointing out the last 10 lines.

65
07:38.570 --> 07:47.520
These are the lines related to the users I've just created, and we notice that even though both users

66
07:47.640 --> 07:56.850
have the same password, the saved hash is different; it is unique. It's because it has computed the hash using

67
07:56.850 --> 08:02.450
both the common password and the salt which is unique for each user.

68
08:02.570 --> 08:09.590
Now if a hacker manages to find the password of the first user, having the hash, the hacker doesn't

69
08:09.630 --> 08:18.330
know that the second user has the same password, because there is another hash in the file. One last

70
08:18.330 --> 08:28.170
thing I want to tell you is that these files, passwd and shadow, should not be edited by hand unless

71
08:28.230 --> 08:29.910
you know what you are doing.

72
08:29.910 --> 08:38.410
Always use a command that is designed for this purpose. That's all! Now that you know where the passwords

73
08:38.530 --> 08:46.150
are stored on a Linux system I'll go ahead and show you in the next lecture how to try to crack the

74
08:46.150 --> 08:48.910
users' passwords using John the Ripper.