Practical UNIX and Internet Security, 3rd Edition (2024)

Every person who uses a Unix computer should have her own account. An account is identified by a user ID number (UID) that is associated with one or more usernames (also known as account names). Traditionally, each account also has a secret password associated with it to prevent unauthorized use. You need to know both your username and your password to log into a Unix system.

Unix Usernames

The username is an identifier: it tells the computer who you are. In contrast, a password is an authenticator: you use it to prove to the operating system that you are who you claim to be. A single person can have more than one Unix account on the same computer. In this case, each account would have its own username.

Standard Unix usernames may be between one and eight characters long, although many Unix systems today allow usernames that are longer. Within a single Unix computer, usernames must be unique: no two users can have the same one. (If two people did have the same username on a single system, then they would really be sharing the same account.) Traditionally, Unix passwords were also between one and eight characters long, although most Unix systems now allow longer passwords as well. Longer passwords are generally more secure because they are harder to guess. More than one user can theoretically have the same password, although if they do, that usually indicates that both users have picked a bad password.

A username can be any sequence of characters you want (with some exceptions), and does not necessarily correspond to a real person's name.

Tip

Some versions of Unix have problems with usernames that do not start with a lowercase letter or that contain special characters such as punctuation or control characters. Usernames containing certain unusual characters will also cause problems for various application programs, including some network mail programs. For this reason, many sites allow only usernames that contain lowercase letters and numbers and further require that all usernames start with a letter.
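The rules above (start with a lowercase letter, lowercase letters and digits only, unique within one system) and the account-to-UID relationship from the start of this section can be checked mechanically. The following is an added example, not code from the book: a Python audit over passwd(5)-format lines that reports usernames outside the policy, usernames that appear more than once, and UIDs shared by more than one username (the last is one account with several names, which is legitimate but worth knowing about). The length limits, the sample accounts and their UIDs are assumptions constructed for the example.

```python
"""Audit a passwd-style account database against a site username policy."""
import re
from collections import defaultdict

# Site policy from the Tip: lowercase letter first, then lowercase letters or
# digits.  Three is the common minimum the text mentions; eight is the
# traditional maximum (an assumption here, many systems allow more).
MIN_LEN, MAX_LEN = 3, 8
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]*$")


def username_problems(name):
    """Return the list of policy violations for one username (empty if it is fine)."""
    problems = []
    if not USERNAME_RE.match(name):
        problems.append("must start with a lowercase letter and contain only [a-z0-9]")
    if len(name) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def parse_passwd(text):
    """Parse passwd(5) lines (name:passwd:uid:gid:gecos:home:shell) into (name, uid)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append((fields[0], int(fields[2])))
    return entries


def audit(text):
    """Return policy violations, duplicated usernames and UIDs with several names."""
    entries = parse_passwd(text)
    uids_by_name = defaultdict(list)
    names_by_uid = defaultdict(list)
    for name, uid in entries:
        uids_by_name[name].append(uid)
        names_by_uid[uid].append(name)
    return {
        "policy": {n: username_problems(n) for n, _ in entries if username_problems(n)},
        "duplicate_names": {n: u for n, u in uids_by_name.items() if len(u) > 1},
        "shared_uids": {u: n for u, n in names_by_uid.items() if len(n) > 1},
    }


# Constructed sample input; the accounts, UIDs and paths are invented for this example.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
jqr:x:1001:1001:John Q. Random:/home/jqr:/bin/sh
t42:x:1002:1002:John Q. Random:/home/t42:/bin/sh
avocado:x:1001:1001:John Q. Random:/home/avocado:/bin/sh
jqr:x:1003:1003:Second jqr entry:/home/jqr2:/bin/sh
Sabrina:x:1004:1004:Sabrina:/home/sabrina:/bin/sh
t42xp96wl:x:1005:1005:Hard to remember:/home/t42xp96wl:/bin/sh
zt:x:1006:1006:Two letters:/home/zt:/bin/sh
"""

if __name__ == "__main__":
    for kind, findings in audit(SAMPLE).items():
        print(kind)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

A duplicated username is the case the text warns about: on a real system only the first matching line is used, so the second entry is dead weight at best and a mistake at worst. Two names on one UID are one account as far as the kernel is concerned, so file ownership and process credentials cannot tell them apart.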

Your username identifies you to Unix in the same way that your first name identifies you to your friends. When you log into the Unix system, you tell it your username in the same way that you might say, "Hello, this is Sabrina," when you pick up the telephone.[31] Most systems use the same identifier for both usernames and email addresses. For this reason, organizations that have more than one computer often require people to use the same username on every machine to minimize confusion.

There is considerable flexibility in choosing a username. For example, John Q. Random might have any of the following usernames; they are all potentially valid:

john
johnqr
johnr
jqr
jqrandom
jrandom
random
randomjq

Alternatively, John might have a username that appears totally unrelated to his real name, like avocado or t42. Having a username similar to your own name is merely a matter of convenience.

Tip

In some cases, having an unrelated name may be a desired feature because it either masks your identity in email and online chat rooms, or projects an image different from your usual one: tall62, fungirl, anonymus, svelte19, and richguy. Of course, as we noted in the last chapter, "handles" that don't match one's real name can also be used to hide the true identity of someone doing something unethical or illegal. Be cautious about drawing conclusions about someone based on the email name or account name that they present.

Most organizations require that usernames be at least three characters long. Single-character usernames are simply too confusing for most people to deal with, no matter how easy you might think it would be to be user i or x. Usernames that are two characters long are also confusing for some people, because they usually don't provide enough information to match a name in memory: who was zt@ex.com, anyway? In general, names with little intrinsic meaning, such as t42xp96wl, can also cause confusion because they are more difficult for correspondents to remember.

Some organizations assign usernames using standardized rules, such as the first initial of a person's first name and then the first six letters of their last name, optionally followed by a number. Other organizations let users pick their own names. Some organizations and online services assign an apparently random string of characters as the usernames; although this is generally not popular, it can improve security, because an attacker then has to guess the username as well as the password (the benefit disappears if the username is also the person's public email address). Although some randomly generated strings can be hard to remember, there are several algorithms that generate easy-to-remember random strings by using a small number of mnemonic rules; typical usernames generated by these systems are xxp44 and acactt. If you design a system that gives users randomly generated usernames, it is a good idea to let people reject a username and ask for another, lest somebody gets stuck with a hard-to-remember username like xp9uu6wi.
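The mnemonic generators the paragraph mentions can be built from a few consonant/vowel/digit patterns. This is an added example, not code from the book: each character is drawn with the secrets module so the names are unpredictable, every candidate is checked against the username policy from the Tip above, and several candidates are offered at once so a user can reject the ones they will never remember. The patterns, the policy regex and the set of existing usernames are assumptions.

```python
"""Mnemonic random usernames: C/V/D patterns filled with cryptographic randomness."""
import re
import secrets

CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"
DIGITS = "0123456789"
TABLE = {"C": CONSONANTS, "V": VOWELS, "D": DIGITS}

# Site policy from the Tip: lowercase letter first, then lowercase letters or
# digits, three to eight characters in all (the eight is an assumption).
POLICY_RE = re.compile(r"^[a-z][a-z0-9]{2,7}$")

# Patterns are an assumption of this example, shaped like the text's xxp44
# (CCCDD) and acactt (VCVCCC).  Every pattern must begin with a letter.
PATTERNS = ("CCCDD", "VCVCCC", "CVCVDD", "CVCCVC")


def generate(pattern=None, rng=secrets):
    """Build one username from a pattern; `rng` needs only a choice() method."""
    pattern = pattern or rng.choice(PATTERNS)
    name = "".join(rng.choice(TABLE[ch]) for ch in pattern)
    if not POLICY_RE.match(name):
        raise ValueError(f"pattern {pattern!r} produced {name!r}, outside the policy")
    return name


def candidates(n=3, taken=frozenset(), rng=secrets):
    """Offer n distinct usernames not already in `taken`, so the user can
    reject the unmemorable ones and pick another."""
    out = []
    while len(out) < n:
        name = generate(rng=rng)
        if name not in taken and name not in out:
            out.append(name)
    return out


if __name__ == "__main__":
    # `taken` would be the usernames already on the system; constructed here.
    existing = frozenset({"jqr", "avocado", "t42"})
    for name in candidates(5, taken=existing):
        print(name)
```

Use secrets rather than random for this: with random a few observed usernames could let someone predict the next ones, which defeats the point of assigning names an attacker has to guess.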

Unix also has special accounts that are used for administrative purposes and special system functions. These accounts are not normally used by individual users.

After you tell Unix who you are, you must prove your identity to a certain degree of confidence (trust). This process is called authentication. Classically, there are three different ways that you can authenticate yourself to a computer system, and you use one or more of them each time:

  1. You can tell the computer something that you know (for example, a password).

  2. You can present the computer with something you have (for example, a card key).

  3. You can let the computer measure something about you (for example, your fingerprint).

None of these systems is foolproof. For example, by eavesdropping on your terminal line, somebody can learn your password. By attacking you at gunpoint, somebody can steal your card key. And if your attacker has a knife, you might even lose your finger! In general, the more trustworthy the form of authentication, the more aggressive an attacker must be to compromise it. In the past, the most trustworthy authentication techniques have also been the most difficult to use, although this is slowly changing.

Authenticating with Passwords

Passwords are the simplest form of authentication: they are a secret that you share with the computer. When you log in, you type your password to prove to the computer that you are who you claim to be. The computer ensures that the password you type matches the account that you have specified. If it matches, you are allowed to proceed.

Unix does not display your password as you type it. This gives you extra protection if the transcript of your session is being logged or if somebody is watching over your shoulder as you type, a technique that is sometimes referred to as shoulder surfing.

Why Authenticate?

Traditionally, desktop personal computers running the Windows or Macintosh operating systems, handheld computers, and personal organizers did not require that users authenticate themselves before the computer provided the requested information. The fact that these computers employed no passwords or other authentication techniques made them easier to use.

Likewise, many of the research groups that originally developed the Unix operating system did not have passwords for individual users, often for the same reason that they shied away from locks on desks and office doors. In these environments, trust, respect, and social convention were very powerful deterrents to information theft and destruction. When computer systems required passwords, oftentimes many people shared the same password: password, for example.

Unfortunately, the lack of authentication made these computers easier for many people to use; this included both the machine's primary user and anybody else who happened to be in the area. As these systems were connected to modems or external networks, the poor authentication practices that had grown up in the closed environment became a point of vulnerability, especially when other systems based their trust on the authenticity of the identity determined locally. Vulnerabilities frequently led to successful attacks. There have been many cases in which a single easily compromised account has endangered the security of an entire installation or network.

In today's highly networked world, proper authentication of authorized users is a core requirement of any computer that is trusted with confidential information. The challenge that computer developers now face is to produce systems that provide strong authentication while simultaneously providing ease of use.

Conventional passwords have been part of Unix since its early years. The advantage of this system is that it runs without any special equipment, such as smartcard readers or fingerprint scanners.

The disadvantage of conventional passwords is that they are easily captured and reused, especially in a network-based environment. Although passwords can be used securely and effectively, doing so requires constant vigilance to make sure that an unencrypted password is not inadvertently sent over the network, allowing it to be captured with a password sniffer. Passwords can also be stolen if they are typed on a computer that has been compromised with a keystroke recorder. Today, even unsophisticated attackers can use such tools to capture passwords. Indeed, the only way to safely use a Unix computer remotely over a network such as the Internet is to use one-time passwords, encryption, or both (see Section 4.3.3 later in this chapter and also see Chapter 7).[32]

Unfortunately, we live in an imperfect world, and most Unix systems continue to depend upon reusable passwords for user authentication. Be careful!

Entering your password

When you log in, you tell the computer who you are by typing your username at the login prompt (the identification step). You then type your password (in response to the password prompt) to authenticate that you are who you claim to be. For example:

login: rachel
password: luV2-fred

Unix does not display your password when you type it.

If the password that you supply with your username corresponds to the password that is on file for the provided username, Unix logs you in and gives you full access to the user's files, commands, and devices. If the username and the password do not match, Unix does not log you in.

On some versions of Unix, if somebody tries to log into an account and supplies an invalid password several times in succession, that account will become locked. A locked account can be unlocked only by the system administrator. Locking has three functions:

  1. It protects the system from attackers who persist in trying to guess a password; before they can guess the correct password, the account is shut down.

  2. It lets you know that someone has been trying to break into your account.

  3. It lets your system administrator know that someone has been trying to break into the computer.

If you find yourself locked out of your account, you should contact your system administrator and get your password changed to something new. Don't change your password back to what it was before you were locked out.

The automatic lockout feature can prevent unauthorized use, but it can also be used to conduct denial of service attacks, or by an attacker to lock selected users out of the system so as to prevent discovery of his actions. A practical joker can use it to annoy fellow employees or students. And you can accidentally lock yourself out if you try to log in too many times before you've had your morning coffee.

In our experience, the disadvantages of indefinite automatic lockouts outweigh the benefits. A much better method is to employ an increasing delay mechanism in the login. After a fixed number of unsuccessful logins, an increasing delay can be inserted between each successive prompt. Implementing such delays in a network environment requires maintaining a record of failed login attempts, so that the delay cannot be circumvented by an attacker who merely disconnects from the target machine and reconnects.
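The increasing-delay scheme recommended above, as an added example (not code from the book or from any login program). The failure record is kept server-side and keyed on the account rather than on the connection, which is exactly what stops a disconnect-and-reconnect from resetting the delay; instead of sleeping inside the login process, it refuses any attempt made before the pause has elapsed, without even looking at the password. The delay parameters, the FakeClock and the sample credential are assumptions for demonstration.

```python
"""Increasing-delay login throttle keyed on the account, not the connection."""
import time


class LoginThrottle:
    """Consecutive-failure record per account.

    The first FREE_ATTEMPTS failures cost nothing.  Each further failure
    doubles the pause required before the next attempt is considered, up to
    MAX_DELAY.  Because the record lives on the server and is keyed on the
    username, an attacker who disconnects and reconnects still waits.  A
    successful login, or FORGET_AFTER seconds of quiet, clears the record.
    All four values are assumptions for this example.
    """
    FREE_ATTEMPTS = 3
    BASE_DELAY = 2.0
    MAX_DELAY = 300.0
    FORGET_AFTER = 3600.0

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}   # user -> (consecutive_failures, time_of_last_failure)

    def _failures(self, user):
        failures, last = self._state.get(user, (0, None))
        if last is not None and self._clock() - last > self.FORGET_AFTER:
            del self._state[user]
            return 0
        return failures

    def delay_for(self, user):
        """Pause (seconds) imposed after the most recent failure for `user`."""
        failures = self._failures(user)
        if failures < self.FREE_ATTEMPTS:
            return 0.0
        return min(self.BASE_DELAY * 2 ** (failures - self.FREE_ATTEMPTS), self.MAX_DELAY)

    def seconds_until_allowed(self, user):
        """0 if an attempt may proceed now, otherwise the remaining wait."""
        if self._failures(user) == 0:
            return 0.0
        _, last = self._state[user]
        return max(0.0, self.delay_for(user) - (self._clock() - last))

    def record_failure(self, user):
        self._state[user] = (self._failures(user) + 1, self._clock())

    def record_success(self, user):
        self._state.pop(user, None)


def login(throttle, user, password, verify):
    """One login attempt; `verify(user, password)` is the site's real check.

    Returns 'ok', 'bad-password' or 'throttled'.  A throttled attempt is
    refused before the password is examined, so it teaches the attacker
    nothing, and opening a new connection does not skip the pause.
    """
    if throttle.seconds_until_allowed(user) > 0:
        return "throttled"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "bad-password"


class FakeClock:
    """Manually advanced clock so the throttle can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda u, p: (u, p) == ("rachel", "luV2-fred")   # constructed credential
    for guess in ("a", "b", "c", "d", "luV2-fred"):
        print(guess, login(throttle, "rachel", guess, verify),
              "wait", throttle.seconds_until_allowed("rachel"))
    clock.advance(2.0)   # the pause expires; the right password now works
    print(login(throttle, "rachel", "luV2-fred", verify))
```

Two caveats a practitioner would want: the record must outlive a single server process (a file or shared store, not memory in one daemon) or a restart gives the attacker a fresh start; and because the key is the username, an attacker can still slow a legitimate user down, which is the same denial-of-service worry the text raises about lockouts, only bounded by MAX_DELAY and self-healing rather than requiring an administrator.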

Changing your password

You can change your password with the Unix passwd command. You will first be asked to type your old password, then a new one. By asking you to type your old password first, passwd prevents somebody from walking up to a terminal that you left yourself logged into and then changing your password without your knowledge.

Unix makes you type the new password twice:

% passwd
Changing password for sarah.
Old password: tuna4fis
New password: nosSMi32
Retype new password: nosSMi32
%

If the two passwords you type don't match, your password remains unchanged. This is a safety precaution: if you made a mistake typing the new password and Unix only asked you once, then your password could be changed to some new value and you would have no way of knowing that value.

Note

On systems that use Sun Microsystems NIS or NIS+, you may need to use the command yppasswd or nispasswd to change your password. Except for having different names, these programs work in the same way as passwd. However, when they run, they update your password in the NIS or NIS+ network database rather than in the local password file. With NIS+, the new password is immediately available on the other clients on the network. With NIS, your password will be distributed during the next regular update of the NIS maps.

The -r option to the passwd command can also be used under Solaris. To change NIS or NIS+ passwords, the format would be passwd -r nis or passwd -r nisplus, respectively. It is possible to have a local machine password that is different from the one in the network database, and that would be changed with passwd -r files.

Even though passwords are not echoed when they are typed, the Backspace or Delete key (or whatever key you have bound to the "erase" function) will still delete the last character typed, so if you make a mistake, you can correct it.

Once you have changed your password, your old password will no longer work. Do not forget your new password! If you forget your new password, you will need to have the system administrator set it to something you can use to log in and try again.[33]

If your system administrator gives you a new password, immediately change it to something else that only you know! Otherwise, if your system administrator is in the habit of setting the same password for forgetful users, your account may be compromised by someone else who has had a temporary lapse of memory; see Password: ChangeMe for an example.

Warning

If you are a system manager and you need to change a user's password, do not change the user's password to something like changeme or password, and then rely on the user to change their password to something else. Many users will not take the time to change their passwords but will, instead, continue to use the password that you have inadvertently "assigned" to them. Give the user a good password, and give that user a different password from every other user whose password you have reset.

Verifying your new password

After you have changed your password, try logging into your account with the new password to make sure that you've entered the new password properly. Ideally, you should do this without logging out, so you will have some recourse if you did not change your password properly. This is especially crucial if you are logged in as root and you have just changed the root password!

Password: ChangeMe

At one major university we know about, it was commonplace for students to change their passwords and then be unable to log into their accounts. Most often this happened when students tried to put control characters into their passwords.[34] Other times, students mistyped the password and were unable to retype it again later. More than a few got so carried away making up a fancy password that they couldn't remember their passwords later.

Well, once a Unix password has been set, the system keeps only a one-way hash of it; there is no way to decrypt that stored value and recover the password. The only recourse is to have someone change the password to another known value. Thus, the students would bring a picture ID to the computing center office, where a staff member would change the password to ChangeMe and instruct them to immediately go down the hall to a terminal room to do exactly that.

Late one semester shortly after the Internet worm incident (which occurred in November of 1988), one of the staff decided to try running a password cracker (see Chapter 19) to see how many student account passwords were weak. Much to the surprise of the staff member, dozens of the student accounts had a password of ChangeMe. Furthermore, at least one of the other staff members also had that as a password! The policy soon changed to one in which forgetful students were forced to enter a new password on the spot.

Some versions of the passwd command support a special -f flag. If this flag is provided when the superuser changes a person's password, that user is forced to change his or her password the very next time he logs into the system. (The flag letter varies: on Linux systems using the shadow suite the same effect comes from passwd -e, which expires the password immediately, or from chage -d 0; check your passwd manual page before relying on -f.) It's a good option for system administrators to remember.

One way to try out your new password is to use the su command. Normally, the su command is used to switch to another account. But as the command requires that you type the password of the account to which you are switching, you can effectively use the su command to test the password of your own account.

% /bin/su nosmis
password: mypassword
%

(Of course, instead of typing nosmis and mypassword, use your own account name and password.)

If you're using a machine that is on a network, you can use the telnet, rlogin, or ssh programs to loop back through the network to log in a second time. Prefer ssh: telnet and rlogin send the password unencrypted, and even on the loopback interface that is a habit worth avoiding. For example:

% ssh -l dawn localhost
dawn@localhost's password: w3kfsc!
Last login: Sun Feb 3 11:48:45 on ttyb
%

You can replace localhost in the above example with the name of your computer. This method is also useful when testing a change in the root password, as the su command does not prompt for a password when run by root.

If you try one of the earlier methods and discover that your password is not what you thought it was, you have a definite problem. To change the password to something you do know, you will need the current password. However, you don't know that password! You will need the help of the system administrator to fix the situation. (That's why you shouldn't log out: if the time is 2:00 a.m. on Saturday, you might not be able to reach the administrator until Monday morning, and you might want to get some work done before then.)

The superuser (user root) can't decode the password of any user. However, the system administrator can help you when you don't know what you've set your password to by using the superuser account to set your password to something known.

Warning

If you get email from your system manager advising you that there are system problems and that you should immediately change your password to tunafish (or some other value), disregard the message and report it to your system management. These kinds of email messages are frequently sent by computer criminals to novice users. The hope is that the novice user will comply with the request and change his password to the one that is suggested, often with devastating results.

Changing another user’s password

If you are running as the superuser (or the network administrator, in the case of NIS+), you can set the password of any user, including yourself, without supplying the old password. You do this by supplying the username to the passwd command when you invoke it:

# passwd cindy
New password: NewR-pas
Retype new password: NewR-pas
#
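The following added Python model (not the real passwd program and not the book's code) pulls together the behaviour described under Changing your password, Password: ChangeMe, the -f flag, and Changing another user's password: a normal user must give the current password, the superuser need not; the new password is typed twice and nothing changes on a mismatch; only a salted one-way hash is stored, so the password cannot be recovered from the file, as the ChangeMe story relies on; and a superuser-assigned password can be flagged must-change so the next login demands a new one. The hash construction, the iteration count, the status strings and the sample accounts are assumptions; login() stands in for the su or ssh check recommended under Verifying your new password.

```python
"""Model of the passwd flow: old password required (except for the superuser),
new password typed twice, salted one-way hash storage, and a must-change flag."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption; tune for your hardware


def hash_password(password, salt=None):
    """Return 'pbkdf2$rounds$salt_hex$digest_hex'.  A fresh random salt for every
    password means two users who pick the same password get different hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def check_password(password, stored):
    """Recompute with the stored salt and rounds, then compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Checked against for unknown users, so a failed login costs the same time either way.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


class AccountDB:
    """Minimal stand-in for the password file (constructed for this example)."""

    def __init__(self):
        self._rec = {}   # user -> {"hash": str, "must_change": bool}

    def add(self, user, password, must_change=False):
        self._rec[user] = {"hash": hash_password(password), "must_change": must_change}

    def login(self, user, password):
        """'ok', 'must-change' (authenticated, but passwd must be run now), or 'denied'."""
        rec = self._rec.get(user)
        ok = check_password(password, rec["hash"] if rec else _DUMMY_HASH)
        if rec is None or not ok:
            return "denied"
        return "must-change" if rec["must_change"] else "ok"

    def change_password(self, user, new1, new2, old=None, superuser=False, force_change=False):
        """Return a status string; on any error the stored password is untouched.

        old          current password, required unless superuser=True (this is what
                     stops a passer-by at an unattended terminal from changing it)
        new1, new2   the new password typed twice, as passwd demands
        force_change the -f behaviour: the user must pick a new password at next login
        """
        rec = self._rec.get(user)
        if rec is None:
            return "no-such-user"
        if not superuser and not check_password(old or "", rec["hash"]):
            return "old-password-wrong"
        if new1 != new2:
            return "mismatch"
        if not new1 or any(ord(c) < 32 for c in new1):
            return "rejected"   # empty, or control characters (see footnote 34)
        rec["hash"] = hash_password(new1)
        rec["must_change"] = bool(superuser and force_change)
        return "changed"


if __name__ == "__main__":
    db = AccountDB()
    db.add("sarah", "tuna4fis")   # constructed account, passwords from the transcripts above
    print(db.change_password("sarah", "nosSMi32", "nosSMi33", old="tuna4fis"))   # mismatch
    print(db.change_password("sarah", "nosSMi32", "nosSMi32", old="tuna4fis"))   # changed
    print(db.login("sarah", "tuna4fis"), db.login("sarah", "nosSMi32"))          # denied ok
    db.add("cindy", "forgotten")
    print(db.change_password("cindy", "NewR-pas", "NewR-pas", superuser=True, force_change=True))
    print(db.login("cindy", "NewR-pas"))                                         # must-change
```

The must-change flag is what the university in the ChangeMe story needed: a reset password that is only good for one login forces the user to pick their own on the spot, so a cracker run never finds dozens of accounts still sitting on the administrator's placeholder.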

[31] Even if you aren't Sabrina, saying that you are Sabrina identifies you as Sabrina. Of course, if you are not Sabrina, your voice will probably not authenticate you as Sabrina, provided that the person you are speaking with knows what Sabrina actually sounds like.

[32] Well-chosen passwords are still quite effective for most standalone systems with hardwired terminals, and when used in cryptographic protocols with mechanisms to prevent replay attacks.

[33] And if you are the system administrator, you'll have to log in as the superuser to change your password. If you've forgotten the superuser password, you may need to take drastic measures to recover.

[34] The control characters ^@, ^C, ^G, ^H, ^J, ^M, ^Q, ^S, and ^[ should not be put in passwords, because they can be interpreted by the system. If your users will log in using xdm, users should avoid all control characters, as xdm often filters them out. You should also beware of control characters that may interact with your terminal programs, terminal concentrator monitors, and other intermediate systems you may use; for instance, the ~ character is often used as an escape character in ssh and rsh sessions. Finally, you may wish to avoid the # and @ characters, as some Unix systems still interpret these characters with their ancient use as erase and kill characters.
