As we move forward in this series looking at the LPIC-3 Linux Certification for Linux Security, we now look at the question: why do we need the pwunconv command? In Linux the user account database for local users is the /etc/passwd file. As the name suggests, this file was originally used to store the user name and the password. The file needs to be world readable, so even though the password is hashed, it does not make sense to store the password here. For this reason, passwords are now stored in the /etc/shadow file, which is normally readable only by root. As well as storing the password hash, it is this file that stores the so-called shadow data: the password aging information that we set with the chage command.
For new accounts, the shadow data is created for the first time along with the initial password, and the default values are collected from the file /etc/login.defs.
The settings that apply to new shadow entries include:
PASS_MAX_DAYS The maximum number of days a password may be used before it must be changed; the default is 99999.
PASS_MIN_DAYS The minimum number of days between password changes; this defaults to 1. It is used to stop users from cycling through their passwords quickly to defeat password history settings and return to their favoured password.
PASS_WARN_AGE This defaults to 7 and specifies how many days before the password expires the user will be warned to change it.
For more details on these settings and what can be set in the file review the man page:
$ man 5 login.defs
Accounts that already have shadow data are not affected by changes made to login.defs. If we need all existing accounts to pick up the new settings, then rather than managing each account individually with chage we can use a rather bizarre mechanism.
Why do we need pwunconv
We have 2 commands in Linux that allow us to transfer data to and from the /etc/shadow file:
pwconv The purpose of this command is easily understood: it migrates a legacy passwd file that contained all user data and password hashes to a more secure shadow file. It would be rare to come across many systems that don't use a shadow file by default now, but the need for this command can be understood.
pwunconv The use for this command is not so obvious, as it migrates user passwords from the shadow file back to the passwd file. The password hash is retained but all the shadow data is lost, so no password aging is available. Storing password hashes in the passwd file is very old school and is really not recommended. So why on earth do we have this command?
Well, we can run this command to migrate all users back to the passwd file, removing all their shadow data in the process. With login.defs edited to the values we want, we then migrate the passwords back into the shadow file with pwconv. As these all become new shadow entries, they take their default values from login.defs. This is really useful where the defaults were overlooked in the early life of a server and we need to apply new defaults to all accounts.
The process would be:
$ sudo vim /etc/login.defs    (set the values you want)
$ sudo pwunconv
$ sudo pwconv
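Before running the round-trip above it is worth knowing exactly which accounts carry per-account aging values that differ from login.defs, because those are the settings pwunconv discards. The script below is an added example, not part of the original article or of the shadow-utils project: it reads the PASS_* settings from a login.defs-style text and the aging fields from shadow-style lines, lists the accounts whose min/max/warn values differ from the defaults, and previews what pwunconv would write back into passwd (hash copied into field 2, aging fields dropped). All file contents are constructed samples embedded in the script so it runs without root and without touching the real /etc files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit shadow aging fields
# against the PASS_* defaults in login.defs, on constructed sample data,
# to see which accounts the pwunconv/pwconv round-trip would reset.

# Constructed sample login.defs (values as given in the article).
LOGIN_DEFS_SAMPLE="$(printf '%s\n' \
  '# constructed sample login.defs' \
  'PASS_MAX_DAYS   99999' \
  'PASS_MIN_DAYS   1' \
  'PASS_WARN_AGE   7')"

# Constructed sample shadow lines. Field layout:
# name:hash:lastchg:min:max:warn:inactive:expire:
# The hash values are placeholders, not real password hashes.
SHADOW_SAMPLE="$(printf '%s\n' \
  'alice:$6$saltsalt$HASHPLACEHOLDER:19000:1:99999:7:::' \
  'bob:$6$saltsalt$HASHPLACEHOLDER:19000:0:60:14:::' \
  'svc:*:19000:1:99999:7:::')"

# Constructed sample passwd lines (field 2 is "x" because shadow is in use).
PASSWD_SAMPLE="$(printf '%s\n' \
  'alice:x:1000:1000:Alice:/home/alice:/bin/sh' \
  'bob:x:1001:1001:Bob:/home/bob:/bin/sh' \
  'svc:x:900:900:Service:/var/lib/svc:/usr/sbin/nologin')"

# login_def KEY DEFS_TEXT -> value of KEY in a login.defs-style text.
login_def() {
  printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# shadow_field NAME FIELDNO SHADOW_TEXT -> one colon-separated field for NAME.
# 1 name, 2 hash, 3 lastchg, 4 min, 5 max, 6 warn, 7 inactive, 8 expire.
shadow_field() {
  printf '%s\n' "$3" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f; exit }'
}

# nondefault_accounts DEFS_TEXT SHADOW_TEXT -> names whose min/max/warn differ
# from login.defs. These are the accounts whose individual settings would be
# lost by pwunconv and replaced by the login.defs defaults on pwconv.
nondefault_accounts() {
  max=$(login_def PASS_MAX_DAYS "$1")
  min=$(login_def PASS_MIN_DAYS "$1")
  warn=$(login_def PASS_WARN_AGE "$1")
  printf '%s\n' "$2" | awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
    $4 != min || $5 != max || $6 != warn { print $1 }'
}

# unconv_preview PASSWD_TEXT SHADOW_TEXT -> passwd lines as pwunconv would
# write them: the hash moves into field 2 and every aging field is discarded.
unconv_preview() {
  printf '%s\n' "$1" | awk -F: -v OFS=: -v shadow="$2" '
    BEGIN {
      n = split(shadow, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, ":"); hash[f[1]] = f[2] }
    }
    $1 in hash { $2 = hash[$1] }
    { print }'
}

# Demo run on the constructed samples.
echo "Accounts with per-account aging values that differ from login.defs:"
nondefault_accounts "$LOGIN_DEFS_SAMPLE" "$SHADOW_SAMPLE"
echo "Preview of passwd after pwunconv (aging data gone):"
unconv_preview "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

To use this against a real system, replace the constructed samples with the contents of /etc/login.defs and /etc/shadow (read as root) and keep a copy of /etc/shadow with `cp -p` before running pwunconv, so that the accounts the audit lists can have their individual values restored with chage afterwards.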
This would only be unsuitable where we had many accounts that need their own special shadow data. Changing a few accounts afterwards to their unique settings is not an issue, but with many such accounts we would lose all the advantages of this process.