Extra: Shadow Password File

Not Graded: This activity is not required and is not graded. It may have self-reflection questions, but they are there only for your own learning.

Software: Root access on a Linux machine is required for this activity. Root access on a Mac might work, but the instructor has not tested it.

In this activity you will be looking at the Linux shadow password file and seeing what happens when you create a new user.

Steps

  1. Run: “sudo cat /etc/shadow”
  2. Note that most of the entries have no passwords. These are accounts for various system services, which exist on the computer for access-control reasons.
  3. Find your own user.
  4. Create a new user account on the machine and set its password to something easy.
  5. Find the new user in the shadow file.
  6. Look up the salt code to see what algorithm your OS is using to compute the hash.
  7. Compute the correct hash yourself using the salt string from the shadow file, the correct password, and a hash generator. The generator can be an online one or a library in the language of your choice.
  8. Compare what you computed to what the system has. If they don’t match, you may need to look up the shadow password file structure for your OS version and adjust.
  9. Remove the account you created from your system.
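
Steps 6 to 8 as an added Python example (not part of the original activity): it splits a shadow entry, names the scheme from the prefix, and recomputes and compares a `$6$` (SHA-512-crypt) hash using only `hashlib`. The names `sha512_crypt`, `check_entry`, `SCHEMES` and the `student` entry are made up here; the sample hash is the "Hello world!" test vector from the SHA-crypt specification, and other schemes are only identified, not computed.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SCHEMES = {"1": "MD5-crypt", "2b": "bcrypt", "5": "SHA-256-crypt",
           "6": "SHA-512-crypt", "y": "yescrypt"}

def sha512_crypt(password, salt, rounds=5000):
    """Hash part of a $6$ entry, following Drepper's SHA-crypt specification."""
    pw, s = password.encode(), salt.encode()[:16]
    h = lambda data: hashlib.sha512(data).digest()
    b = h(pw + s + pw)
    data = pw + s + (b * (len(pw) // 64 + 1))[:len(pw)]
    n = len(pw)
    while n:                       # one block per bit of the password length
        data += b if n & 1 else pw
        n >>= 1
    a = h(data)
    p = (h(pw * len(pw)) * (len(pw) // 64 + 1))[:len(pw)]
    sq = h(s * (16 + a[0]))[:len(s)]
    for i in range(rounds):        # key stretching
        c = p if i & 1 else a
        if i % 3: c += sq
        if i % 7: c += p
        a = h(c + (a if i & 1 else p))
    out, (x, y, z) = "", (0, 21, 42)
    for _ in range(21):            # crypt's own base64 over permuted bytes
        w = a[x] << 16 | a[y] << 8 | a[z]
        out += "".join(B64[w >> 6 * k & 63] for k in range(4))
        x, y, z = y + 1, z + 1, x + 1
    return out + B64[a[63] & 63] + B64[a[63] >> 6]

def check_entry(shadow_line, password):
    """Return (user, scheme, True/False), or None as third item if not computed."""
    user, field = shadow_line.split(":")[:2]
    parts = field.split("$")
    if len(parts) < 4:             # "*", "!" or empty: no password hash set
        return user, "no password hash", None
    scheme, rounds = parts[1], 5000
    if parts[2].startswith("rounds="):   # optional "rounds=N" before the salt
        rounds = int(parts[2][7:])
        parts.pop(2)
    if scheme != "6":
        return user, SCHEMES.get(scheme, "unknown"), None
    ok = hmac.compare_digest(sha512_crypt(password, parts[2], rounds), parts[3])
    return user, SCHEMES[scheme], ok

# Constructed entry; the hash is the "Hello world!" test vector from the spec.
SAMPLE = ("student:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uB"
          "nIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19000:0:99999:7:::")
```

Call `check_entry(line, password)` with the line you copied for the new user; a third item of `None` means the entry uses a scheme this example does not compute.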