SUMMARY: Modifying /etc/shadow Directly

From: Larry Anta (lanta@acs.ryerson.ca)
Date: Mon Jan 24 2000 - 16:33:03 CST


The following people were kind enough to reply to my query. Thanks to
you all:

Parkhaev Vladimir
Mark
Bruce Bowler
Robert G. Ferrell
James Mularadelis
Gary Jenson
Seth Rothenberg
Rob Bannocks
Charles Seeger
David Evans
Marc L. Summers
Doug Krause
Michael Pins
David Ledger

        My original query
        =================

No obvious answers in Sun documentation or this list's archives/faq...

In (Sparc) Solaris 2.6/7, I have an encrypted pw that I want to stuff into
/etc/shadow. Direct editing is messy and, I suspect, dangerous.

I want a C programming interface.

man putspent() (3C) and its family is all I've found that comes close but it
has ominous warnings like, "This routine is for internal use only,
compatibility is not guaranteed," and, "The use of this function is
discouraged." Are there safe and perhaps even supported ways to do this?

Some background, if you're interested: we let our students "activate" their
accounts on a completely different machine. During that dialogue with them,
they select a password. We crypt() the password on the spot and throw away
the cleartext. When the account activation request gets to my machine, I only
have the encrypted pw, not the cleartext.

        The answers I received (in no particular order)
        ===============================================

Quite a varied set of responses!...

Answer 1
========

I do 'vi /etc/shadow' all the time. Nothing dangerous there. echo
'name:HASHWWWuDlJRLg:10613::::::' >>/etc/shadow. No big deal.

Answer 2
========

One way you can do this is to create a /etc/passwd line complete with the
encrypted string like in the old days, and run pwconv. It will take the
passwd field and put it in a shadow entry line and remove it from the
/etc/passwd. That way is probably the safest way to make a new entry in
/etc/shadow.

Answer 3
========

Can you change the stuff on the "student end" to not do crypt but some
reversible encryption (pgp?) so you can get the cleartext at your end?

Answer 4
========

[...deleted...]

Note that any implementation will need to cooperate in locking. See
lckpwdf(3C)/ulckpwdf(3C). A shell script should be able to work with the
lock file, /etc/.pwd.lock. It would be nice to have OS source code to verify
how this stuff actually operates, though.

[...deleted...]

Note that /usr/ucb/vipw appears not to have been updated to work with the
/etc/.pwd.lock file nor, for that matter, with /etc/shadow.
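
As an added illustration (not code from the original query or from any of the
replies) of the putspent(3C) route asked about in the original query together
with the lckpwdf(3C)/ulckpwdf(3C) locking that answer 4 calls for: the C program
below builds a struct spwd, writes it with putspent, and reads it back with
fgetspent. It refuses a user name or hash containing ':' or a newline, since an
unchecked string appended the way answer 1 does would corrupt the file layout.
The scratch path under /tmp, the placeholder hash string and the take_lock
switch are assumptions of this example; the real /etc/shadow would be written
with take_lock set, which needs root and uses /etc/.pwd.lock.

```c
#include <shadow.h>   /* struct spwd, putspent, fgetspent, lckpwdf, ulckpwdf */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* getpid, used only for the constructed scratch path */

/* A field holding ':' or a newline would break the colon-separated layout
 * shown in answer 1, so refuse it instead of writing a corrupt line. */
static int field_is_safe(const char *s)
{
    return s != NULL && *s != '\0' && strpbrk(s, ":\n") == NULL;
}

/* Append one entry to the shadow-format file at `path` via putspent(3C).
 * `lastchg` is in days since the epoch (the unit of the 10613 in answer 1).
 * With take_lock non-zero the write is bracketed by lckpwdf()/ulckpwdf(),
 * as answer 4 asks for on the real /etc/shadow; that needs root and creates
 * /etc/.pwd.lock, so the self-test below leaves it off.
 * Returns 0 on success, -1 on a bad field, a lock failure or an I/O error. */
int append_shadow_entry(const char *path, const char *name, const char *hash,
                        long lastchg, int take_lock)
{
    struct spwd sp;
    FILE *fp;
    int rc;

    if (!field_is_safe(name) || !field_is_safe(hash))
        return -1;
    if (take_lock && lckpwdf() != 0)
        return -1;

    memset(&sp, 0, sizeof sp);
    sp.sp_namp   = (char *)name;
    sp.sp_pwdp   = (char *)hash;
    sp.sp_lstchg = lastchg;
    /* -1 means "field absent"; putspent then emits an empty field. */
    sp.sp_min = sp.sp_max = sp.sp_warn = sp.sp_inact = sp.sp_expire = -1;
    sp.sp_flag = ~0ul;

    fp = fopen(path, "a");
    rc = (fp == NULL) ? -1 : putspent(&sp, fp);
    if (fp != NULL && fclose(fp) != 0)
        rc = -1;
    if (take_lock)
        ulckpwdf();
    return rc == 0 ? 0 : -1;
}

/* Re-read `path` with fgetspent(3C) and report whether an entry for `name`
 * carries exactly `hash`: 1 yes, 0 no, -1 if the file cannot be opened. */
int shadow_has_entry(const char *path, const char *name, const char *hash)
{
    FILE *fp = fopen(path, "r");
    struct spwd *sp;
    int found = 0;

    if (fp == NULL)
        return -1;
    while ((sp = fgetspent(fp)) != NULL) {
        if (strcmp(sp->sp_namp, name) == 0 && sp->sp_pwdp != NULL &&
            strcmp(sp->sp_pwdp, hash) == 0) {
            found = 1;
            break;
        }
    }
    fclose(fp);
    return found;
}

/* Round trip on a constructed scratch file (never /etc/shadow): write an
 * entry, read it back, and confirm a colon in either field is rejected.
 * Returns 0 when every step behaves as expected, -1 otherwise. */
int run_demo(void)
{
    char path[64];
    const char *hash = "$6$constructedsalt$constructedhash"; /* placeholder, not a real hash */
    int ok;

    snprintf(path, sizeof path, "/tmp/shadow_example.%ld", (long)getpid());
    remove(path); /* start clean; failure is fine if it does not exist yet */

    ok = append_shadow_entry(path, "student", hash, 10613, 0) == 0
      && shadow_has_entry(path, "student", hash) == 1
      && shadow_has_entry(path, "student", "otherhash") == 0
      && append_shadow_entry(path, "bad:name", hash, 10613, 0) == -1
      && append_shadow_entry(path, "student", "h:ash", 10613, 0) == -1;

    remove(path);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "shadow entry round-trip OK" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The entry putspent emits for the demo has the same shape as the line in answer
1 (name, hash, last-change day, then six empty fields). Whether this is the
right tool on a given Solaris release is exactly the question the man page's
warning leaves open; the lock and the field check are the parts worth keeping
whichever write path is chosen.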

Answer 5
========

I do direct editing of the shadow and passwd files all of the time, and have
no problems with it at all. I also have a C program that I wrote that
updates the root passwords on a regular basis. Unless you are under NIS+,
there should be no problem.

Answer 6
========

Just be careful and use vipw.

Answer 7
========

Run /usr/ucb/vipw, when it gives you /etc/passwd do a ":wq", then hit "e" to
edit the shadow file. Add encrypted password to the shadow file.

vipw sets the appropriate locks, and does sanity checking on the entries. Why
it never made it into the SysV world remains a mystery.

Conclusion
==========
I decided to go with vipw (answer 7 et al), despite the proviso about it in
answer 4.

Again, many thanks to all who responded. Cheers!

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@ Larry Anta, Ryerson Polytechnic U., Toronto, Canada @@@
@@@ lanta@acs.ryerson.ca www.ryerson.ca/~lanta @@@
@@@ #include <std/disclaimer.h> @@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:02 CDT