Linux Basics: Console login management.


I'm going to take a break from the high-end concept stuff and focus on basics for a bit. This is just a refresher for me, but it might help someone learn something they don't already know.

In this article we go over console login mechanisms.

Several things make logging in work: authentication modules, TTY devices, init, and auto-run scripts. All of these can be controlled, manipulated, and forged to work exactly how you like, or broken so they don't work at all. We will start from the very beginning, at the getty.

A getty is a terminal program that sets up communication between the kernel and a teletype device. In the old days a teletype device typically meant a serial connection to a dumb terminal; nowadays it is typically a console on your own box, and you can switch between consoles with [ALT]+[a number key]. The init system creates the consoles and then assigns a getty program to each one, which lets the getty ask for login information and hand over the TTY once the user is authenticated. When the user logs out the TTY is destroyed and the getty respawns.

inittab is the configuration file for the init system, and the init system is how the whole system starts and stops. There are many different init systems, although here we are only concerned with SysV, which most Linux distros use, or an offshoot of it.

Here is a standard inittab file showing the getty lines.

# TERMINALS
c1:12345:respawn:/sbin/agetty 38400 tty1 linux
c2:2345:respawn:/sbin/agetty 38400 tty2 linux
c3:2345:respawn:/sbin/agetty 38400 tty3 linux
c4:2345:respawn:/sbin/agetty 38400 tty4 linux
c5:2345:respawn:/sbin/agetty 38400 tty5 linux
c6:2345:respawn:/sbin/agetty 38400 tty6 linux
 
Each line can be broken down like this:

console name : init levels (runlevels) this console exists on : what to do with the getty process when it stops : the getty command. In this example the getty program is agetty; it has a baud of 38400 bytes, uses the tty number next to it, and the terminal type is linux.
 
That pretty much covers all you need to know about getty; it is a pretty straightforward system.
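As an added example (not code from the original post), here is a small Python parser for getty lines like the ones above: it splits each entry into its four fields, lists which ttys get a login prompt in each runlevel, and flags entries whose action is not respawn (no fresh prompt after logout) or that hand the same tty to two entries in one runlevel. The sample inittab is constructed, with c3 and c7 altered so the checks have something to report.

```python
import re

# Constructed sample: the getty lines from the inittab above, with c3 changed to
# "once" and a c7 line that reuses tty2, so the audit has something to flag.
INITTAB = """\
# TERMINALS
c1:12345:respawn:/sbin/agetty 38400 tty1 linux
c2:2345:respawn:/sbin/agetty 38400 tty2 linux
c3:2345:once:/sbin/agetty 38400 tty3 linux
c7:345:respawn:/sbin/agetty 38400 tty2 linux
"""

def parse_inittab(text):
    """Split each active line into (id, runlevels, action, process)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)  # the process field may itself contain colons
        if len(parts) != 4:
            raise ValueError(f"expected id:runlevels:action:process, got {line!r}")
        entries.append((parts[0], set(parts[1]), parts[2], parts[3]))
    return entries

def tty_of(process):
    m = re.search(r"\btty\d+\b", process)  # the ttyN argument, or None
    return m.group(0) if m else None

def gettys_by_runlevel(entries):
    """Map each runlevel digit to the ttys that get a login prompt there."""
    table = {}
    for _, runlevels, _, process in entries:
        if "getty" in process and tty_of(process):
            for level in runlevels:
                table.setdefault(level, []).append(tty_of(process))
    return {lvl: sorted(t, key=lambda s: int(s[3:])) for lvl, t in table.items()}

def audit_gettys(entries):
    """Flag gettys that will not respawn, and ttys claimed twice in one runlevel."""
    findings, seen = [], {}
    for ident, runlevels, action, process in [e for e in entries if "getty" in e[3]]:
        if action != "respawn":
            findings.append(f"{ident}: action {action!r}, no prompt after first logout")
        for level in sorted(runlevels):
            key = (level, tty_of(process))
            if key in seen:
                findings.append(f"{ident}: {key[1]} already used by {seen[key]} in runlevel {level}")
            seen[key] = ident
    return findings
```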
 
From here it gets complicated, with shadow, nsswitch, and PAM working together to store, pull, translate, and manipulate how usernames and passwords are stored and accessed, and nscd caching it all for a speed boost. What makes it worse is that all or parts of these systems may be missing or unused, or might need to be turned off to better handle change.
 
Let us start with shadow, which is a set of utilities and libraries for controlling the user and password database through a secure method. In the old days of Linux this system was not even an option: all passwords were stored encrypted in enigma, in the passwd file in the /etc/ directory. It was highly insecure, as any user could read this file, and with a program that could brute-force those passwords you could gain access to many of the users on a system, or even worse, see which users didn't have a password. Nowadays that is not an issue, as even the most basic Linux distro uses the shadow system, which still has /etc/passwd for some information but also has /etc/shadow to store the passwords themselves.
 
The format of the passwd file is pretty straightforward. However, even though you CAN edit this file directly, it is not advisable; instead you should use the programs useradd, userdel and usermod, each of which has a man page that fully describes its switches. There are other commands you can use as well, and many third-party utilities.
 
The format of passwd is as follows:
whytewolf:x:10000:505::/var/www/vhosts/whytewolf.us:/bin/false
The first field is the user's login name. For many years this was limited to 8 characters, and the system would break in interesting ways if you went over this limit; in modern times this is not the case, although some UNIX systems still have the 8-character limit. The second field is the password; nowadays this is normally x, meaning the password is located in the shadow file. Next is the user's UID, or user id number, the number the system uses for all tasks that belong to the user. Next is the user's default group, the main group of the user. The next field is blank in this example, but it is the "extra info" field, used for storing the name, room number, phone number and pretty much any other details you feed it. The next field is the user's home directory: when they log in, by whatever means, this is the directory they start in, and it is the directory you get when you use the tilde with a user's name, such as ~whytewolf. Finally comes the user's shell, the program that is started when a user logs in successfully. In this case the shell is /bin/false, whose only action is to return false, which logs the user out immediately; this normally means the user has ftp access only.
 
The format of shadow is as follows:
whytewolf:this is a highly encrypted hash password no longer using enigma:15474:0:99999:7:::
The first field is again the user's name. This links it to the same user in the passwd file, since all lookups are done by this field in both passwd and shadow. Next is the actual password. Though in this example I have put it in plain text, it is normally a highly encrypted hash, either md5, sha1, sha256 or any other method that you feel works; the default is set in the login.defs file, or in PAM, or both, and you can also specify a per-user password hash. The format typically used when a password is set is $hashid$salt$encryptedpassword; see man 3 crypt for a list of the hash ids. This field can also contain ! for no password, * for a locked account, and !! for an expired password. The next field is the number of seconds from the last password change. Next is the days before a change is allowed, then the days before a change is required, then the days to warn before the password expires. Next is the days before the account is inactive, then the days since the epoch when the account expires, and the last field is reserved. Honestly, as long as you use the tools this won't be a problem.
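As an added example that is not part of the original post, here is a Python audit over constructed passwd and shadow files: it classifies each shadow password field following the shadow(5) conventions (an empty field means no password is required, a field starting with ! or * can never match a typed password, and $id$salt$hash names the hash used), converts the third field, which shadow(5) defines as days since 1970-01-01, into a calendar date, and reports extra UID 0 accounts, users missing from shadow, and passwordless accounts. The file contents, the salt and the hash strings are made up.

```python
import re
from datetime import date, timedelta
# Constructed sample files (not from a real system); only whytewolf mirrors the line above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
whytewolf:x:10000:505::/var/www/vhosts/whytewolf.us:/bin/false
legacy:x:10001:505::/home/legacy:/bin/bash
oddjob:x:0:0::/tmp:/bin/sh
"""
SHADOW = """\
root:$6$constructedsalt$notarealhashvalue:15474:0:99999:7:::
whytewolf:$6$constructedsalt$notarealhashvalue:15474:0:99999:7:::
legacy::15474:0:99999:7:::
oddjob:!:15474:0:99999:7:::
"""
HASH_IDS = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}

def parse_colon_file(text, nfields):
    """Index a passwd- or shadow-style file by its login-name field."""
    rows = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields, got {line!r}")
        rows[fields[0]] = fields
    return rows

def classify_password(field):
    if field == "":  # shadow(5): an empty field means no password is needed
        return "no password required"
    if field[0] in "!*":  # crypt() never produces these characters, so nothing matches
        return "locked"
    m = re.match(r"^\$([^$]+)\$([^$]*)\$(.+)$", field)  # $id$salt$hash
    return "hashed with " + HASH_IDS.get(m.group(1), "id " + m.group(1)) if m else "unrecognised"

def last_change_date(days):
    return (date(1970, 1, 1) + timedelta(days=int(days))).isoformat()  # shadow(5): days since epoch

def audit(passwd_text, shadow_text):
    """Extra UID 0 accounts, users missing from shadow, and passwordless accounts."""
    passwd, shadow = parse_colon_file(passwd_text, 7), parse_colon_file(shadow_text, 9)
    findings = []
    for name, p in passwd.items():
        if p[2] == "0" and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if name not in shadow:
            findings.append(f"{name}: no shadow entry")
        elif shadow[name][1] == "":
            findings.append(f"{name}: no password required")
    return findings
```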
