COHERENT manpages

This page displays the COHERENT manpage for shadow [File that holds restricted passwords].

shadow -- System Administration

File that holds restricted passwords
/etc/shadow

COHERENT stores each user's login information in the file /etc/passwd.  This
file identifies each user and gives her home directory, default shell, and
base group.  It must be universally readable so that it can be used by
programs like ls, which must translate user-identification numbers into
login identifiers.

In general, this system works well; however, it creates a hole in system
security.  If users' encrypted passwords are kept in /etc/passwd, which is
universally readable, a ``cracker'' can read the encrypted passwords,
recover some of them by brute force (encrypting guessed passwords until one
matches a stored entry), and then log in as the users whose passwords she
cracked.

To plug that hole in system security, UNIX implemented the method of
``shadow'' passwords.  In this scheme, a user's login information is still
kept in /etc/passwd; however, the encrypted passwords (plus supplemental
information) are kept in the file /etc/shadow, which can be read only by a
process with root-level permissions.

The shadow password file contains one entry per user.  Each user identified
in /etc/shadow must have an entry in /etc/passwd.  The opposite is not true,
but a user described in /etc/passwd who does not have an entry in
/etc/shadow cannot log into your system.  Each entry in /etc/shadow is laid
out exactly the same as an entry in file /etc/passwd: colon-separated
fields, beginning with the login name and the encrypted password.  At
present, the COHERENT implementation of login uses only the name and
password fields.  For details, see the Lexicon entry for passwd.

Reading /etc/shadow

COHERENT includes four functions with  which a program can read the shadow-
password file /etc/shadow:

endspent()
     Close /etc/shadow after reading from it.

getspent()
     Read the next  record from /etc/shadow. If a process  has not yet read
     /etc/shadow, it returns the first record.

getspnam()
     Return the first record for the user with a given login identifier.

setspent()
     Rewind /etc/shadow so that the next call to getspent() returns the
     first record again.

Functions getspent() and getspnam() return a pointer to an object with
structure spwd, which has a member for each field in /etc/shadow.  This
structure is defined in header file <shadow.h>.  For details on this
structure, see the Lexicon entry for shadow.h.  Because /etc/shadow can be
read only by a process with root-level permissions, an unprivileged process
cannot obtain entries through these functions; a program should check their
return values rather than assume a lookup succeeded.
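The following program is an added example and is not part of COHERENT or of
its login program.  It shows the two points above in working code: how a
shadow entry in the /etc/passwd layout is split into its name and password
fields (the only two fields COHERENT's login consults), with an in-memory
lookup that behaves like getspnam(), and a check that the shadow file is
actually restricted to root, since a world-readable /etc/shadow reopens the
hole the file exists to close.  The sample entries, the placeholder
encrypted-password strings, and the function names parse_shadow_line(),
lookup_shadow(), shadow_perms_ok() and check_shadow_file() are all
constructed for this example; the real library functions are not used, so it
runs as an ordinary user.

```c
/* Added example, not COHERENT's own code: parse shadow-format entries and
 * check the shadow file's ownership and mode.  Entries use the same
 * colon-separated layout as /etc/passwd; only name and password are used. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed sample data in the /etc/passwd layout (not a real /etc/shadow;
 * the password fields are placeholder strings, not real crypt() output). */
static const char sample_shadow[] =
    "root:rYzQk1c9P0xjE:0:0:Superuser:/:/bin/sh\n"
    "alice:aXbYcZ1234567:100:10:Alice:/usr/alice:/bin/sh\n"
    "guest::101:10:Guest:/usr/guest:/bin/sh\n";     /* empty password field */

/* The two fields COHERENT's login actually consults. */
struct shadow_entry {
    char name[64];
    char passwd[128];
};

/* Split one "name:password:..." line into *e.  Returns 0 on success, -1 if
 * the line has no password field or a field would overflow its buffer. */
int parse_shadow_line(const char *line, struct shadow_entry *e)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;
    size_t nlen = (size_t)(colon - line);
    if (nlen == 0 || nlen >= sizeof e->name)
        return -1;
    memcpy(e->name, line, nlen);
    e->name[nlen] = '\0';

    const char *pw = colon + 1;
    const char *end = strpbrk(pw, ":\n");        /* password ends at next field */
    size_t plen = end ? (size_t)(end - pw) : strlen(pw);
    if (plen >= sizeof e->passwd)
        return -1;
    memcpy(e->passwd, pw, plen);
    e->passwd[plen] = '\0';
    return 0;
}

/* In-memory analogue of getspnam(): scan newline-separated entries for the
 * named user.  Like the real function on most UNIX systems (an assumption
 * here, not a statement about COHERENT), it returns a pointer to static
 * storage that the next call overwrites, or NULL if the user is not found. */
const struct shadow_entry *lookup_shadow(const char *data, const char *user)
{
    static struct shadow_entry found;
    const char *p = data;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len < sizeof line) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (parse_shadow_line(line, &found) == 0 && strcmp(found.name, user) == 0)
                return &found;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return NULL;
}

/* The shadow file only plugs the hole if nobody but root can read it: it must
 * be owned by uid 0 and carry no group or other permission bits at all.
 * Returns 1 if acceptable, 0 if not. */
int shadow_perms_ok(uid_t owner, mode_t mode)
{
    if (owner != 0)
        return 0;
    if (mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* stat() the file and apply shadow_perms_ok(); -1 (errno set) if stat fails. */
int check_shadow_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return shadow_perms_ok(st.st_uid, st.st_mode);
}

int main(void)
{
    const struct shadow_entry *e = lookup_shadow(sample_shadow, "alice");
    printf("alice: %s\n", e ? e->passwd : "(no entry)");
    int rc = check_shadow_file("/etc/shadow");
    if (rc < 0)
        printf("/etc/shadow: %s\n", strerror(errno));
    else
        printf("/etc/shadow is %s\n", rc ? "restricted to root" : "NOT restricted to root");
    return 0;
}
```

Running check_shadow_file() against the real /etc/shadow needs no special
privilege, since stat() works on a file one cannot read; a result of 0 is
worth acting on immediately, because the encrypted passwords are then as
exposed as they were in /etc/passwd.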

See Also

Administering COHERENT,
login,
shadow.h

Notes

For details of  how the program login uses shadow  passwords, see its entry
in the Lexicon.