Subject: Re: passwd encryption algorithm change possible?
To: David Woyciesjes <>
From: Andrew Brown <>
List: tech-net
Date: 01/23/2001 13:17:54
>	Actually, I may be wrong. I recall now that I heard about it in a
>book on Linux... not NetBSD per se. Whether or not it's in NetBSD, I'm not
>sure now...
>	Anyway, what it does basically is take the password out of the
>normal password file, and stick it in a shadow file, which IIRC is
>accessible only by root ( or SU, I suupose). Keep in mind, I'm not positive
>on the details ( don't have the book here with me)

shadowed passwords are an option on linux, but have always been in

the master.passwd file contains an "encrypted"[1] copy of a user's
password and is readable only by root.  the getpw*() routines in libc
don't look at the master.passwd file (or the /etc/passwd file, which
is just there for people to read), but in the databases /etc/pwd.db
and /etc/spwd.db (which is also readable only by root).  the
"encrypted" password is only copied into the spwd.db file.

[1] it's not actually encrypted, per se, so if you want to be pedantic
about it, what it actually does is pretend the user's password is a 56
des key and uses it to encrypt 64 bits of zeroes, but with 25 rounds
instead of 16, and with a salt to further "obscure" the output
(thereby making a dictionary attack more difficult).

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."