Where are passwords stored?

Passwords aren't stored themselves. They are transformed by a function, and the value so produced, which is called a hash, is stored.

If you log in, the same function is performed on your input, and the generated value is compared with the stored value in the /etc/shadow file.

The function is of a kind which is hard to invert. So with the value in /etc/shadow you cannot calculate the original password, and the key in there is not helpful for login - you need the password.

With brute force you can try to generate such a password, and for common names like 123456, password, asdf, secret, 1111 and so on, the shadow values are already well known and stored in so-called rainbow tables.

To prevent attacks with rainbow tables, the password function can use a salt, which influences the result. This means that every password uses a different salt, stored in the first two bytes of the password hash string (thanks to psusi, who corrected me), so that you would need a different rainbow table for every password, which is not very practical - it takes too long to generate them, and is expensive.

I'm not sure whether Ubuntu uses a salt. We can wait for somebody who explains it to us, or you could generate the same user with the same password on two machines and compare the values in /etc/shadow.
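To make the salt argument in this answer concrete, here is an added example (not code from the original answer, and not Ubuntu's crypt(3) implementation): a salted hash function with a login-style verify routine, and a "precomputed table" built for one fixed salt that only cracks records which used that same salt. The `$pbkdf2-sha512$<rounds>$<salt>$<hash>` record layout, the round count, the salts and the list of common passwords are all constructed for the demo.

```python
# Added example, not from the original answer: salted password hashing in the
# spirit of /etc/shadow, and why a per-password salt defeats a precomputed
# ("rainbow") table. The "$pbkdf2-sha512$<rounds>$<salt>$<hash>" record layout
# is a constructed format for this demo, not the crypt(3) layout Ubuntu writes.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ROUNDS = 10_000  # constructed work factor for the demo; production uses more
SCHEME = "pbkdf2-sha512"


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> str:
    """Hash with a salt and return a self-describing record string."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "${}${}${}${}".format(
        SCHEME, rounds,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Login check: rerun the function with the stored salt, compare in constant time."""
    _, scheme, rounds, salt_b64, digest_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(rounds))
    return hmac.compare_digest(actual, expected)


# Constructed list of common passwords, standing in for a precomputed table's input.
COMMON_PASSWORDS = ["123456", "password", "asdf", "secret", "1111"]


def precomputed_table(salt: bytes) -> Dict[str, str]:
    """Map record -> password for the common list under ONE fixed salt.

    An unsalted scheme behaves as if every user shared the same salt, so a
    single table of this kind would crack every account. With per-password
    salts the table only matches records that used exactly this salt.
    """
    return {hash_password(p, salt): p for p in COMMON_PASSWORDS}


def crack_with_table(record: str, table: Dict[str, str]) -> Optional[str]:
    """Table lookup: the password if the record was precomputed, else None."""
    return table.get(record)


if __name__ == "__main__":
    salt_a, salt_b = b"A" * 16, b"B" * 16  # constructed fixed salts for the contrast
    table = precomputed_table(salt_a)
    print(crack_with_table(hash_password("123456", salt_a), table))  # found
    print(crack_with_table(hash_password("123456", salt_b), table))  # None
    rec = hash_password("123456")
    print(verify_password("123456", rec), verify_password("12345", rec))
```

The point the block makes is the one in the answer: a table precomputed for one salt is worthless against a record that used another, so an attacker has to redo the hashing work per record, and the verify path never needs the password stored anywhere, only the salt and the hash.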


The passwords (or rather, hashes) are most probably stored in the LDAP server. "Most probably" means that you could have a very strange setup where they are not. LDAP configuration is very flexible, but that also means that without inspecting the config files, a clear answer on how it is done in your situation cannot be given. You have probably looked into /etc/ldap.conf on the client for details of the configuration?

One possible setup for LDAP authentication is like this: the client box takes the username and password from the login and performs a bind to the LDAP server with this information. The LDAP server verifies the username and password and returns either success or failure. In this setup, the client box never sees the stored password hash from the LDAP server.

Do you know the type of LDAP server used? Whether you can see the hashed user passwords depends on the setup of the LDAP server. See, as an example, http://www.faqs.org/docs/securing/chap26sec213.html for what you could configure on an OpenLDAP server.

The answer on password hashing from "user-unknown" is correct; it is only that the hashes are not stored in /etc/shadow but in the LDAP server. The hashing itself might also be performed by the LDAP server and not by the client box.
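As an added example (not code from the original answer, and not a real LDAP library or server), the bind-based setup described in this answer can be simulated in a few dozen lines: the directory side keeps `userPassword` as an OpenLDAP-style `{SSHA}` value (base64 of SHA-1(password + salt) followed by the salt), the client side only ever sends a DN and a password and gets back success or failure. The `Directory` and `Client` classes, the DN template, the user names and the passwords are all constructed for the demo.

```python
# Added example, not from the original answer: a simulated LDAP simple bind.
# The server holds salted hashes in OpenLDAP's {SSHA} form; the client never
# receives a hash, only the bind result. No real LDAP server is involved.
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP appends a short random salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(password: str, stored: str) -> bool:
    """Verify against a {SSHA} value: split off the trailing salt, rehash, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


class Directory:
    """Stand-in for the LDAP server side: entries keyed by DN (constructed)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, str]] = {}

    def add_user(self, dn: str, password: str) -> None:
        # Only the salted hash is stored; the clear-text password is discarded.
        self._entries[dn] = {"userPassword": ssha_hash(password)}

    def simple_bind(self, dn: str, password: str) -> bool:
        """BIND: the server compares and answers; the hash never leaves here."""
        entry = self._entries.get(dn)
        if entry is None:
            return False  # same answer as a wrong password, so nothing leaks
        return ssha_check(password, entry["userPassword"])


class Client:
    """Stand-in for the login box: it forwards credentials, never sees a hash."""

    def __init__(self, directory: Directory) -> None:
        self._directory = directory

    def login(self, uid: str, password: str) -> str:
        dn = f"uid={uid},ou=people,dc=example,dc=com"  # constructed DN template
        return "success" if self._directory.simple_bind(dn, password) else "failure"


def demo() -> Dict[str, str]:
    """Run the three outcomes a bind-based login can produce."""
    directory = Directory()
    directory.add_user("uid=alice,ou=people,dc=example,dc=com", "correct horse")
    client = Client(directory)
    return {
        "right_password": client.login("alice", "correct horse"),
        "wrong_password": client.login("alice", "wrong"),
        "unknown_user": client.login("bob", "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

`{SSHA}` is used here because it is the scheme OpenLDAP has historically applied to `userPassword`; for a new deployment a slower, modern password hash scheme is the better choice, but the division of labour shown (hash stored and checked only on the server, client sees pass/fail) is the same whichever scheme is configured.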