Where and how are passwords stored on Linux?

A user name and its corresponding password are the primary requirement for accessing a Linux system. The passwords for all user accounts are saved in a file or a database so that a user can be verified during a login attempt. Not every user has the skills and expertise to locate this file on their system. However, anyone who gets access to the database or file that keeps all the login users’ passwords can easily access the Linux system. When a user enters a username and password to log in, Linux checks the entered password against an entry in various files of the ‘/etc’ directory.

The /etc/passwd file keeps all the important information that is necessary for user login. In simpler words, the /etc/passwd file stores the users’ account details. It is a plain text file that contains a complete list of all users on your Linux system, with each user’s username, password, UID (user ID), GID (group ID), shell, and home directory. The file should be readable by all users, because many command-line utilities use it to map user IDs to user names, but write access should be limited to the superuser (root) account.

This article demonstrates how and where user account passwords are stored on a Linux distribution. All demonstrations were carried out on an Ubuntu 20.04 system; however, you can find the /etc/passwd file on any Linux distribution.

Pre-requisites

You should have root privileges to run administrative commands.

Basic Understanding about /etc/passwd File

The /etc/passwd file contains information about the user accounts on your system. The fields of each entry are separated by a colon (“:”).
When you run the following command, you will see every entry of the /etc/passwd file:

$ cat /etc/passwd

The above command will list all users of your Linux system.
The following type of format will display on your terminal screen:

Details about /etc/passwd fields Format
From the above image:

Username: Field one holds the user’s name. The username is between 1 and 32 characters long and is used when the user logs in to the system. In the above example, ‘kbuzdar’ is the username.
Password: In the above example, the “x” character shows that the password is stored in encrypted form in the /etc/shadow file.
User ID (UID): Each user must be assigned a separate user ID. UID zero is assigned to the root user, and user IDs from 1-99 are assigned to predefined or standard accounts. UIDs from 100-999 are assigned to system administrative accounts or groups. In the above screenshot, the user ID is 1001.
Group ID (GID): The next field holds the group ID. The GID is stored in the /etc/group file. In the above example, the user belongs to group ID 1001.
Information about User ID: This field is intended for comments. Here you can add additional information about the user, such as the user’s full name, phone number, etc. In the above example, however, no phone number is provided for the user.
Home directory: This field shows the location of the home directory assigned to the user. If the specified directory does not exist, then “/” is displayed. The above image shows the home directory of the highlighted user, which is /home/kbuzdar.
Command/shell: This field holds the absolute path of a command or shell; the default is /bin/bash. For example, a sysadmin may assign the nologin shell, which acts as a replacement shell for system user accounts. If the shell is set to /sbin/nologin and the user tries to log in directly to the Linux system, the /sbin/nologin shell will close or disable the connection.

Search user in /etc/passwd file

You can search for a specific user in the /etc/passwd file with the grep command, which saves time compared with reading the whole file. The syntax is as follows:

$ grep user-name /etc/passwd

For example, to search for the username ‘kbuzdar’, the above syntax becomes:

$ grep kbuzdar /etc/passwd


Or

$ grep -w '^kbuzdar' /etc/passwd

Display permissions on /etc/passwd file

As mentioned above, all users other than root should have only read permission on the /etc/passwd file, and the owner must be the superuser (root).
Type the following to check the permissions on the file:

$ ls -l /etc/passwd

The following output sample will be displayed on the terminal:

Reading /etc/passwd file

You can read the /etc/passwd file on your Linux system with the following bash script, or by running the while loop below directly on the terminal.
Create a text file and paste the following code into it:

#!/bin/bash
# The seven fields of each /etc/passwd entry are stored as $f1, $f2, ..., $f7

while IFS=: read -r f1 f2 f3 f4 f5 f6 f7
do
 echo "User $f1 uses $f7 shell and stores files in $f6 directory."
done < /etc/passwd

The while loop reads all seven fields of each entry and displays the file content on the terminal, one entry at a time.
Save the above file with the name ‘readfile.sh’.

Now, run the above file by using the following command:

$ bash readfile.sh
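
The same field-by-field loop can be turned into a basic security check of the file. The script below is an added example, not part of the original article: it reads passwd-format entries and reports accounts other than root that have UID 0, system accounts (UID 1-999) that still have a login shell, and entries whose password field is empty or holds a value other than “x”. The function name audit_passwd and the sample entries are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag risky entries in passwd-format input read from stdin.
# Prints one finding per line as "<check>:<username>".
audit_passwd() (
  while IFS=: read -r f1 f2 f3 f4 f5 f6 f7; do
    case "$f1" in ''|'#'*) continue ;; esac        # skip blanks and comments
    case "$f3" in
      ''|*[!0-9]*) echo "bad-uid:$f1"; continue ;; # UID must be numeric
    esac
    # UID 0 means root privileges, whatever the account is called.
    if [ "$f3" -eq 0 ] && [ "$f1" != "root" ]; then
      echo "uid0:$f1"
    fi
    # UIDs 1-999 are system accounts; they rarely need an interactive shell.
    if [ "$f3" -ge 1 ] && [ "$f3" -le 999 ]; then
      case "$f7" in
        */nologin|*/false) ;;
        *) echo "system-shell:$f1" ;;
      esac
    fi
    # Field 2 should be "x" (password kept in /etc/shadow).
    case "$f2" in
      x|'*'|'!'*) ;;                     # shadowed or locked
      '') echo "nopassword:$f1" ;;       # empty: no password required
      *)  echo "hash-in-passwd:$f1" ;;   # value exposed in a world-readable file
    esac
  done
)

# Constructed sample entries (not from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2:x:0:0::/root:/bin/bash
svc:x:998:998::/var/lib/svc:/bin/bash
guest::1002:1002::/home/guest:/bin/bash
legacy:$6$CONSTRUCTED$notarealhash:1003:1003::/home/legacy:/bin/bash
kbuzdar:x:1001:1001::/home/kbuzdar:/bin/bash'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
# On a live system: audit_passwd < /etc/passwd
```

A “system-shell” finding is a prompt to review the account, not proof of a problem: some distributions ship system accounts with a non-interactive command in the shell field.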

Explore /etc/shadow file

The /etc/shadow file contains all the encrypted passwords and is readable only by the root user.
Let’s run the following command to display the content:

$ sudo cat /etc/shadow

You can see all the passwords in the encrypted format:
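
The second field of each /etc/shadow entry is a one-way hash written as $id$salt$hash, where the id names the hashing scheme; a leading “!” or “*” means password login is disabled. The script below is an added example, not part of the original article: it classifies that field and lists the entries an administrator should look at (no password, legacy MD5 or DES, or an unrecognized scheme). The function names and the sample entries, including the hash strings, are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify the password field (field 2) of shadow-format
# input read from stdin. Prints "<username>:<status>" per entry.
classify_shadow() (
  while IFS=: read -r name pw rest; do
    case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
    case "$pw" in
      '')                      s=empty ;;        # no password set at all
      '!'*|'*'*)               s=locked ;;       # password login disabled
      '$1$'*)                  s=md5 ;;          # legacy scheme
      '$2a$'*|'$2b$'*|'$2y$'*) s=bcrypt ;;
      '$5$'*)                  s=sha256 ;;
      '$6$'*)                  s=sha512 ;;
      '$y$'*)                  s=yescrypt ;;
      '$'*)                    s=unknown ;;      # unrecognized $id$
      *)                       s=des-or-other ;; # no $id$ prefix
    esac
    echo "$name:$s"
  done
)

# Entries that call for a password reset or a closer look.
weak_shadow_entries() {
  classify_shadow | grep -E ':(empty|md5|des-or-other|unknown)$' || true
}

# Constructed sample entries; the hash strings are placeholders.
SAMPLE_SHADOW='root:!:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
kbuzdar:$6$CONSTRUCTEDSALT$constructedhashvalue:18700:0:99999:7:::
olduser:$1$CONSTRUCTED$constructedhashvalue:17000:0:99999:7:::
svc:!$6$CONSTRUCTEDSALT$constructedhashvalue:18700:0:99999:7:::
guest::18700:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | classify_shadow
printf '%s\n' "$SAMPLE_SHADOW" | weak_shadow_entries
# On a live system (root required): sudo cat /etc/shadow | weak_shadow_entries
```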

Conclusion

As we have seen in this article, all the user account details and passwords are stored in the /etc/passwd file on a Linux system. You can read this file, but only root users have “write permissions”. Moreover, we have also seen that all the encrypted passwords are stored in the /etc/shadow file. You can also explore the /etc/group file to get details about the users’ groups.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.