241 ■ ■ ■ CHAPTER 37 A Pseudo–shadow File S ome environments do not use a shadow file for maintaining passwords. These envi- ronments keep encrypted passwords in either a local passwd file or one that is handled through NIS. I have seen this mode of operation in several versions of HP-UX and NIS. NIS can support using a shadow file, but not all NIS clients have this capability. The script in this chapter, which is intended to be run daily, creates and maintains a pseudo–shadow file to track the age of user passwords and their change history. The script does not, however, remove the encrypted password from the already-existing passwd file. I intend this contrived shadow-file generator to be run in conjunction with the password- aging script in Chapter 36. The script in that chapter relies on information contained in a shadow file to determine the date of the last password change. The first section of the script sets up several environment variables to be used later. The variables originally were taken from a separate configuration file, but for the sake of sim- plicity I have included them at the beginning of the script. #!/bin/ksh HOME=/usr/local/pass_aging ARCHIVE=$HOME/archive BIN="$HOME/bin" DEBUG=duh shad=/usr/local/pass_aging/bin/shadow_nis pswd=/var/yp/src/passwd PERL=/usr/bin/perl ED=ed.script The only interesting variables being set here are the debug flag and the variables stor- ing the locations of the passwd and shadow files. The DEBUG variable just needs to be set to anything non-null to generate some debugging output while the script is running, so that you can see what it is doing when you are testing. The shad variable holds the location of the shadow file. Since the shadow file is a regular file that the system itself doesn’t actually use, you can call it anything you want. The pswd file definition is the real master passwd file that the machine relies on. This script only ever has read access to that file, so there is no danger in possibly modifying the live file even when testing. If your anxiety level is high, you could copy the original and run the script against the copy. 242 CHAPTER 37 ■ A PSEUDO–SHADOW FILE In the following code we determine the number of days since 1/1/1970, the start of the UNIX epoch. The number in the third field of a shadow-file entry represents the date that the password for that account was last changed, expressed as a number of days since the beginning of the epoch. This value can be determined in a number of ways. Please refer to Chapter 3 for more discussion on this topic. seconds_since_epoch=`$PERL -e 'print time'` seconds_per_day=$((60*60*24)) days_since_epoch=$(($seconds_since_epoch/$seconds_per_day)) If this is the first time the script is run and there is no existing shadow file, the script will create one based on the specified passwd file. Since the age of the password was probably not tracked before the first time this script is run, the script assumes that today is the day the password was last changed, and enters that value in the new shadow file. This gives users the benefit of the doubt. if [ ! -f $shad ] then test "$DEBUG" != "" && echo DEBUG: $shad does not exist, creating cat $pswd | awk -v days=$days_since_epoch -F: \ '{print $1 ":" $2 ":" days ":0:90:7:::"}' > $shad fi Even though this file isn’t used by any system process, we want to back it up to be able to retrace our steps in case something goes wrong. I have used saved files many times to restore account information without having to use a system backup. We also want to be able to remove the older files in the backup directory. backdate=`date +%m%d%y%H%M` test "$DEBUG" != "" && echo DEBUG: Backing up $shad to $ARCHIVE/nis_shadow.$backdate cp -p $shad $ARCHIVE/nis_shadow.$backdate find $ARCHIVE -mtime +7 -exec rm {} \; Like the script in Chapter 36, this script will construct and run an ed script, which allows us to edit the shadow file in place when changes need to be made. This is discussed in more detail in Chapter 25. First we have to remove any previously created ed script files that may be lying around. if [ -f $HOME/bin/$ED ] then test "$DEBUG" != "" && echo DEBUG: Cleaning up old ed.script rm $HOME/bin/$ED fi Now we’re in the core of the program. The loop iterates through the current passwd file and updates the corresponding entries in the new shadow file. for user in `cut -d: -f1 $pswd` do CHAPTER 37 ■ A PSEUDO–SHADOW FILE 243 First you have to determine whether the user’s name appears in the shadow file. If he has a new account, he may not have been entered into it yet. If this is so, you have to create an entry in the shadow file. user_exist=`grep "^${user}:" $shad | cut -d: -f1` if [ "$user_exist" = "" ] then echo "$user:$cur_pass_word:$days_since_epoch:0:90:7:::" >> $shad test "$DEBUG" != "" && echo DEBUG: Missing $user, adding to $shad fi Now the script gathers the user’s encrypted password from the passwd file and its age from the shadow file. cur_pass_word=`grep "^${user}:" $pswd | cut -d: -f2` old_pass_word=`grep "^${user}:" $shad | cut -d: -f2` pass_days=`grep "^${user}:" $shad | cut -d: -f3` test "$DEBUG" != "" && echo DEBUG: \ $user, $cur_pass_word, $old_pass_word, $pass_days The shadow file is updated only when this script is run. If the password saved in the shadow file isn’t the same as the current one in the passwd file, some updates need to be made to the shadow file. if [ "$old_pass_word" != "$cur_pass_word" ] then test "$DEBUG" != "" && echo DEBUG: $user password has changed,\ updating $shad Now we have to make sure the encrypted passwords are handled correctly. These pass- words contain special characters (., /, *, and $) that need to be escaped with a preceding backslash where they appear in the ed script. This operation will ensure that the correct password string is entered in the shadow file. old_pass_word=`echo $old_pass_word | sed -e s/\\\./\\\\\\\\./g` old_pass_word=`echo $old_pass_word | sed -e s/\\\*/\\\\\\\\*/g` old_pass_word=`echo $old_pass_word | sed -e s/\\\$/\\\\\\\\$/g` old_pass_word=`echo $old_pass_word | sed -e s/\\\\\//\\\\\\\\\\\//g` cur_pass_word=`echo $cur_pass_word | sed -e s/\\\./\\\\\\\\./g` cur_pass_word=`echo $cur_pass_word | sed -e s/\\\*/\\\\\\\\*/g` cur_pass_word=`echo $cur_pass_word | sed -e s/\\\$/\\\\\\\\$/g` cur_pass_word=`echo $cur_pass_word | sed -e s/\\\\\//\\\\\\\\\\\//g` These sed commands look pretty ugly, but that’s because a lot of escape slashes have to be evaluated and in turn the following escape slash needs to be escaped itself. For more coverage of sed commands for updating encrypted password strings, refer to Chapter 36. With all the characters being replaced, there is one character that gets escaped but should not be part of the final password string. The special $ character is the “end of line” 244 CHAPTER 37 ■ A PSEUDO–SHADOW FILE character for all strings on UNIX and Linux systems, and normally is not visible. When all the special characters were escaped in the previous sed commands, this trailing \$ became visible at the end of the string. It wasn’t part of the original encrypted password, so the last two characters (\$) need to be removed from the string. This use of sed is dis- cussed in more detail in Chapter 24. old_pass_word=`echo $old_pass_word | sed 's/\(.*\)\(.\)\(.\)$/\1/'` cur_pass_word=`echo $cur_pass_word | sed 's/\(.*\)\(.\)\(.\)$/\1/'` Now we create an instruction in the ed script that will replace the old encrypted password and its days since last change value with the new encrypted password and the current days since epoch value. We do this by taking the new values from the current passwd file. One such instruction is appended to the ed script using double greater-than signs (>>) for each user account, and then all shadow-entry updates are made at once by running the ed script. test "$DEBUG" != "" && echo DEBUG: Creating ed file to change\ $old_pass_word:$pass_days to $cur_pass_word:$days_since_epoch echo "g/$user:$old_pass_word/s/$old_pass_word:\ $pass_days/$cur_pass_word:$days_since_epoch/g" \ >> $HOME/bin/$ED else test "$DEBUG" != "" && echo DEBUG: No changes for $user continue fi done Now that the loop is complete for all the users, you should add the final two lines to the ed script and process the shadow file with all its changes. # Complete and process the file with the ed.script echo "w" >> $HOME/bin/$ED echo "q" >> $HOME/bin/$ED test "$DEBUG" != "" && echo DEBUG: Running ed.script for $user on $shad ed -s $shad < $HOME/bin/$ED > /dev/null You might want to make one refinement: once the modifications are complete, you could check the line counts of the passwd and shadow files to see whether they match. If they don’t match, it is possible that an account has been removed and the account is not present in the passwd file; the entry is still visible in the shadow file, though. The script should then remove the old usernames from the shadow file to keep both files synchronized. . using a shadow file, but not all NIS clients have this capability. The script in this chapter, which is intended to be run daily, creates and maintains a pseudo–shadow. that you can see what it is doing when you are testing. The shad variable holds the location of the shadow file. Since the shadow file is a regular file