Password Shadowing
Password shadowing is a security system in which the encrypted password field of /etc/passwd is replaced with a special token and the encrypted password is stored in a separate file (or files) that is not readable by normal system users.
On older UNIX systems, password shadowing was often defeated by a program that made successive calls to getpwent() to obtain the entire password file. Modern UNIX systems are not susceptible to this attack.
Example:
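#include <pwd.h>
#include <stdio.h>
/* Dump every entry returned by getpwent() in passwd(5) format. */
int main(void)
{
    struct passwd *p;
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int)p->pw_uid, (int)p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
    endpwent();
    return 0;
}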
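The definition above says the password field of /etc/passwd holds only a token once shadowing is in place. The following audit check is an added example, not code from the original page: it classifies the second field of each passwd-format line and counts entries that are not shadowed. The function names, the set of tokens accepted as shadowed ("x", or a field starting with '*' or '!') and the sample lines are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* State of the password (second) field of one passwd(5) line. */
enum pw_field { PW_MALFORMED, PW_EMPTY, PW_SHADOWED, PW_HASH_EXPOSED };

/* Classify "name:passwd:uid:..." given as line[0..len).
 * Assumption: "x", or any field starting with '*' or '!', is a shadow or
 * lock token; any other non-empty value is treated as an exposed hash. */
enum pw_field classify_passwd_line(const char *line, size_t len)
{
    const char *start = memchr(line, ':', len);
    if (!start) return PW_MALFORMED;
    start++;
    const char *end = memchr(start, ':', len - (size_t)(start - line));
    if (!end) return PW_MALFORMED;
    size_t n = (size_t)(end - start);
    if (n == 0) return PW_EMPTY;               /* no password required */
    if (n == 1 && *start == 'x') return PW_SHADOWED;
    if (*start == '*' || *start == '!') return PW_SHADOWED;
    return PW_HASH_EXPOSED;
}

/* Count lines in a passwd-format buffer whose field is not a token. */
int count_findings(const char *text)
{
    int findings = 0;
    while (*text) {
        size_t n = strcspn(text, "\n");
        if (n > 0 && classify_passwd_line(text, n) != PW_SHADOWED)
            findings++;
        text += n;
        if (*text == '\n') text++;
    }
    return findings;
}

/* Constructed sample data; the "hash" is a made-up 13-character string. */
static const char SAMPLE[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "legacy:ab0123456789.:1001:1001:Legacy:/home/legacy:/bin/sh\n"
    "guest::1002:1002:Guest:/home/guest:/bin/sh\n";

int main(void)
{
    printf("entries needing attention: %d\n", count_findings(SAMPLE));
    return 0;
}
```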