How to make user passwords shown as a clear text in Linux?

  • We know that users' passwords are saved in /etc/passwd, but in an encrypted way, so even the root can't see them:

    jane:x:501:501::/home/jane:/bin/bash
    fred:x:502:502::/home/fred:/bin/bash
    

    As shown above, :x: represents the password.

    Is there a way (possible configuration) to save the password in the /etc/passwd in clear text and such that the root can see them?

    No. And that's a feature. There's also no real reason for it since the root account does not need a user's password to access their files. Under what circumstance would you want this?

    I'm just curious about this, why can't the admin (the root) of the system see the passwords of other users?

    @user78050 because the root user has no reason to know the passwords of other users, and it would be a major security risk to allow them to do so.

    Because it violates the simplest security principle in the business: "never store passwords in plain-text." When security is done well, _only_ the user should know their password, no one else. Plus, there is absolutely no reason to do this. I cannot think of a single administrative situation where it would help a root user to know another user's password.

    David and HalosGhosy, I'm not working on a real system, so the security is not a problem,as I have said before I'm just curious is linux allow us to do this?

    Use the MD5 "encryption method" then crack the passwords using rainbow tables.

    it is not true that passwords are stored in `/etc/passwd`. At least not in the past ~20 years, since `/etc/shadow` was invented. The 'x' you see there is _not_ the encrypted password. It is a literal 'x' which can not possibly match any MD5 or SHA1 etc sig.

    @CristianCiupitu That's not possible: Linux doesn't support MD5 as the password hash. The password hash called MD5 is in fact a slow, salted hash which uses MD5 in its inner workings, and which is vulnerable neither to the known attacks on MD5 nor to rainbow tables.

    @Gilles, you're right, the MD5 scheme is indeed salted which would make it harder to crack.

  • derobert

    derobert Correct answer

    6 years ago

    The other two answers have told you—correctly!—that this is a Bad Idea™. But they've also told you its hard to do, requiring changing a bunch of programs.

    That's not true. It's very easy. You only need to change one or two configuration files. I feel its important to point this out, because you should be aware of it when logging into systems you don't control. These won't actually put a plain-text password in /etc/passwd or /etc/shadow, it'll go into a different file. Note I haven't tested these, as I'd rather not have my password in plain text.

    1. Edit /etc/pam.d/common-password (to catch on password changed) or /etc/pam.d/common-auth (to catch on login) and add in … pam_exec expose_authtok log=/root/passwords /bin/cat

    2. Edit both of those, and switch from pam_unix to pam_userdb with crypt=none. Alternatively, you could put it only in common-password (leaving pam_unix as well) to just record passwords when they're changed.

    3. You could remove the shadow (as well as any strong hash options) option from pam_unix to disable the shadow file, and go back to traditional crypt passwords. Not plain text, but John the Ripper will fix that for you.

    For further details, check the PAM System Admin Guide.

    You could also edit the source code of PAM, or write your own module. You'd only need to compile PAM (or your module), nothing else.

    I suppose the plain text passwords are written to `/root/passwords`.

    Btw. very good to know how easy it is and where I have to look at if being afraid of a compromised system.

    @erik It's the asker's prerogative to pick whichever answer he/she finds most helpful as the accepted answer. It's probably a good thing that OP found "don't do that!" the most helpful… Also, to be clear, this isn't the only way to steal passwords on a compromised or maliciously administered system. So you can't just look at the PAM config to determine you're safe.

    This is rather assuming the distro is using PAM, by no means all of them do.

    It is my sense that if one has to ask "Is there a way … to save the password in the /etc/passwd in clear text and such that the root can see them?", then they lack the relevant understanding as to why they oughtn't. Of course, the OP could always implement the holes you enumerate, but it seems unwise to aid someone in bad practice (even if he could find the information elsewhere). The OP will likely never be _your_ sysadmin, and I'm sure you use unique strong passwords religiously, but many people are not so enlightened; I'm sure there are others who are not so rigorous.

    It may sound like I'm making an argument for security through obscurity. I was trying to argue that it is unwise to give teenage boys whiskey and car-keys with instruction in neither. But I may well have failed in that attempt.

    @msw I answered because its apparently a common belief that running a Linux box with clear-text passwords is hard (Bobby, to his credit, fixed his answer; Anthon's still makes it sound hard). That's a dangerous belief, as it encourages password re-use. If I'd just posted an answer "actually, its easy, you edit a file or two, but I won't tell you" then no one would have believed that. Why listen to me over the (at the time) much higher voted, more thorough answers? Making the point requires saying how to do it. (Though, they're not copy & paste examples. Thought's still required to use.)

    @derobert fair 'nuff; I now see it as you intended and concur. (+1)

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM