In Linux/Debian, have the passwords (/etc/passwd) ever been stored as plain text?

Someone is telling me so and I have some doubt but I can't find any information on the web.


Solution 1:

From "Password Security: A Case History", by Robert Morris and Ken Thompson (1979) ( http://www.cs.yale.edu/homes/arvind/cs422/doc/unix-sec.pdf ), quoted from the prologue:

"The UNIX system was first implemented with a password file that contained the actual passwords of all the users, and for that reason the password file had to be heavily protected against being either read or written."

So yes, originally, the password file contained actual passwords.

EDIT

This was in UNIX. Even by the time the above-referenced paper came out, it was seen as a bad idea. Since Debian is post-1991, it would be ludicrous to assume or believe that the Linux distro would have enabled password files without even crypt protection.

It is far more likely that initial versions of the Debian passwd suite used non-shadowed passwords, which would have stored the encrypted passwords in /etc/passwd itself. The mechanism used back then would have been 'crypt', which is mathematically simpler to compute than the current practice of using md5 (although other options are available).

If you get a chance, pick up the Linux Pro Magazine's "Shell Handbook" edition. I've got a 4-page article on command-line user manipulation, and I talk about the history of UNIX password security.

Solution 2:

I've been a Unix SysAdmin since 1992, well before we had /etc/shadow.

Before /etc/shadow, /etc/passwd entries looked something like this:

user:XDjfiejfiejf:1001:1001:Joe User:/home/user:/bin/sh

The second field was the encrypted (not hashed) password entry for the user. Just as it is today, /etc/passwd had permission settings of 644, meaning everyone could read the file. /etc/passwd needs to be world-readable so that (for example) a program can convert a User ID into a Username.

But that also made it possible for a brute-force attack to figure out a user's password without actually trying to log in -- just keep encrypting different strings, and when the attack program's encrypted result was the same as the string stored in /etc/passwd, bingo, you've got the user's password.

Thus was born /etc/shadow. Now the second field of the /etc/passwd file is simply '*', and the encrypted password is stored in /etc/shadow, which has its permissions set to 640 (or sometimes 600) -- meaning you need privileges to even read the encrypted string. No more brute-force attack.
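
An audit for the condition described above, added here as an example and not part of the original answer: it flags passwd-format entries whose second field still holds a password string (or is empty) and checks that a shadow file's mode keeps it unreadable to ordinary users. The function names and the sample lines are constructed for illustration; the `user` line is the one quoted in the answer.

```python
import os
import re
import stat

# Traditional crypt(3) output: 13 characters drawn from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format, e.g. $1$ (MD5-crypt) or $6$ (SHA-512-crypt).
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$")

def classify_field(pw):
    """Classify the second field of a passwd entry."""
    if pw == "":
        return "empty"            # account has no password at all
    if pw == "x":
        return "shadowed"         # real value lives in /etc/shadow
    if pw[0] in "*!":
        return "locked"           # no password login possible
    if DES_CRYPT.match(pw) or MODULAR_CRYPT.match(pw):
        return "hash-in-passwd"   # world-readable, open to offline guessing
    return "unknown"              # not a placeholder: treat as exposed

def audit_passwd(text):
    """Return (line number, user, finding) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed"))
            continue
        kind = classify_field(fields[1])
        if kind not in ("shadowed", "locked"):
            findings.append((lineno, fields[0], kind))
    return findings

def shadow_mode_ok(mode):
    """True if 'other' has no access and group has at most read (640 or 600)."""
    return mode & (stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP) == 0

# Constructed sample input; the password strings are not real hashes.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:XDjfiejfiejf:1001:1001:Joe User:/home/user:/bin/sh
alice:ab1cdEFgh2ijk:1002:1002:Alice:/home/alice:/bin/sh
bob::1003:1003:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE):
        print(finding)
    if os.path.exists("/etc/shadow"):
        print("shadow mode ok:", shadow_mode_ok(os.stat("/etc/shadow").st_mode))
```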

Solution 3:

If you are really curious about Debian, all the original packages can be found here (http://archive.debian.org/debian/).

From what I can tell by looking at the Packages file, the shadow tools were added in 1.3. A quick look at the 1.1 source for login-utils, which is one of the earliest releases, shows it using the old crypt() function, which I believe used Triple DES.