Unix security: Difference between revisions

==User and administrative techniques==
Unix has many tools that can improve security if used properly by users and administrators.
 
===Passwords===
Selecting strong [[Password|passwords]] and guarding them properly is probably the most important thing for Unix security.{{Citation needed|date=April 2024}}
In Unix systems, the essential information about users is stored in the file <code>[[Passwd (file)|/etc/passwd]]</code>. On many UNIX systems, user and password information, if stored locally, is split between <code>/etc/passwd</code> and the <code>/etc/shadow</code> file described below. <code>/etc/passwd</code> keeps track of the users registered on the system and their main attributes. Passwords, or more correctly, the hashes of passwords, can also be stored in the same place. Each entry in <code>/etc/passwd</code> occupies exactly one line and consists of seven colon-separated fields of the following form:
 
nickname:password_hash:UserID:GroupID:Complete_Name:home_dir:shell_bin
An example would be:
{{sxhl|2=unixconfig|xfze:$$1zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:Daniel Ernesto Ortiz Costa:/home/xfze:/bin/bash}}
Since all users must have read access to the <code>/etc/passwd</code> file to do many common tasks (<code>ls -l /home</code>, for example, uses <code>/etc/passwd</code> to map UIDs to login names), anyone could also read the password hashes of other users and attack them offline. To solve this problem, the file <code>[[password shadowing|/etc/shadow]]</code> was created to store the password hashes, with only [[root]] (or, on some systems, a dedicated <code>shadow</code> group) having read access. Under password shadowing, the 2nd field ([[key derivation function|password hash]]) of <code>/etc/passwd</code> is replaced by an 'x', which tells the system to retrieve the corresponding user's password hash from the <code>/etc/shadow</code> file.
 
A record in the <code>/etc/shadow</code> file has nine colon-separated fields; in the simplest case only the first two carry values:
 
{{sxhl|2=unixconfig|xfze:$$1zuW2nX3sslp3qJm9MYDdglEApAc36r/:::::::}}
 
The remaining fields in the <code>/etc/shadow</code> file are, in order:
#The date of the last password change (expressed as the number of days since [[Unix epoch|January 1st, 1970]])
#The minimum number of days between password changes
#The maximum number of days until the password must be changed (an empty field means there is no maximum)
#The number of days of warning given before the password must be changed
#The number of days after the password has expired during which it can still be changed; once these have also elapsed, the account becomes unusable
#The date (again expressed as days since the epoch) on which the account expires, regardless of the password's age
#A reserved field, currently unused
 
These fields may be used to improve Unix security by enforcing a password aging policy; on Linux they are set per account with the <code>chage</code> command. They only govern local accounts, and they are only consulted for accounts that are actually shadowed, so an entry whose hash still sits in <code>/etc/passwd</code> is outside the policy entirely.
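The checks an administrator would want to run over these two files, as an added example that is not part of the original article: parse <code>/etc/passwd</code> and <code>/etc/shadow</code> records, flag hashes that were never moved into the shadow file, empty password fields, extra UID 0 accounts, a weak hash algorithm, and accounts whose password or expiry dates have lapsed. The sample records, the placeholder hashes and the value of <code>today</code> (days since the epoch) are all constructed here; nothing is read from a live system.

```python
# Added example: audit passwd/shadow-style records for the weaknesses discussed above.
# Not from the article; all records are constructed and the hashes are placeholders.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample; an "x" in the hash field defers to /etc/shadow.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
xfze:x:1000:100:Daniel Ernesto Ortiz Costa:/home/xfze:/bin/bash
legacy:$1$saltsalt$placeholderplaceholder:1001:100:Unshadowed:/home/legacy:/bin/sh
toor:x:0:0:Second superuser:/root:/bin/bash
nopass:x:1002:100:Empty password:/home/nopass:/bin/bash
svc:x:1003:100:Locked service account:/var/lib/svc:/usr/sbin/nologin
stale:x:1004:100:Expired password:/home/stale:/bin/bash
expired:x:1005:100:Expired account:/home/expired:/bin/bash
"""
# Constructed sample; fields are name:hash:lastchg:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = """\
root:$6$saltsalt$placeholderplaceholder:20050:0:90:7:::
xfze:$6$saltsalt$placeholderplaceholder:20050:1:90:7:14::
toor:$6$saltsalt$placeholderplaceholder:20050:0:90:7:::
nopass::20050:0:90:7:::
svc:!:20050:0:90:7:::
stale:$6$saltsalt$placeholderplaceholder:19700:0:90:7:14::
expired:$6$saltsalt$placeholderplaceholder:20050:0:90:7::20000:
"""

@dataclass
class Shadow:
    hash: str
    lastchg: Optional[int]   # last password change, days since the epoch
    minage: Optional[int]
    maxage: Optional[int]    # empty field = no maximum
    warn: Optional[int]
    inactive: Optional[int]  # grace days after maxage before the account is disabled
    expire: Optional[int]    # absolute account expiry, days since the epoch

def _records(text: str, nfields: int, kind: str):
    """Yield the colon-split fields of every non-comment line, rejecting short/long records."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            if len(f) != nfields:
                raise ValueError(f"malformed {kind} record: {line!r}")
            yield f

def parse_passwd(text: str) -> Dict[str, tuple]:
    """name -> (hash_field, uid, gid, gecos, home, shell)"""
    return {f[0]: (f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]) for f in _records(text, 7, "passwd")}

def parse_shadow(text: str) -> Dict[str, Shadow]:
    def days(x: str) -> Optional[int]: return int(x) if x.strip() else None
    return {f[0]: Shadow(f[1], *(days(x) for x in f[2:8])) for f in _records(text, 9, "shadow")}

def audit(passwd_text: str, shadow_text: str, today: int) -> Dict[str, List[str]]:
    """Return {user: [findings]}; users with no findings are absent from the result."""
    findings: Dict[str, List[str]] = {}
    def note(user: str, msg: str) -> None:
        findings.setdefault(user, []).append(msg)
    shadow = parse_shadow(shadow_text)
    for name, (h, uid, *_rest) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            note(name, "uid 0 (extra superuser account)")
        s = None
        if h == "x":                              # shadowed: the real hash is in /etc/shadow
            s = shadow.get(name)
            if s is None:
                note(name, "shadowed but no /etc/shadow record")
                continue
            h = s.hash
        else:
            note(name, "password hash kept in world-readable /etc/passwd")
        if h == "":
            note(name, "empty password field (no password required)")
        elif h.startswith(("!", "*")):
            continue                              # locked / no-login: aging is moot
        elif h.startswith("$1$"):
            note(name, "MD5-based crypt hash ($1$), a weak algorithm")
        if s is None:
            continue                              # unshadowed entries carry no aging fields
        if s.expire is not None and s.expire <= today:
            note(name, "account expiration date has passed")
        if s.maxage is None or s.maxage >= 99999:
            note(name, "no maximum password age (password never expires)")
        elif s.lastchg is not None and s.lastchg + s.maxage < today:
            if s.inactive is not None and s.lastchg + s.maxage + s.inactive < today:
                note(name, "password expired and inactivity period elapsed (account disabled)")
            else:
                note(name, "password older than the maximum age (change required)")
    return findings

def run_sample(today: int = 20100) -> Dict[str, List[str]]:
    """Audit the constructed samples; day 20100 since the epoch is in January 2025."""
    return audit(PASSWD_SAMPLE, SHADOW_SAMPLE, today)

if __name__ == "__main__":
    for user, msgs in run_sample().items():
        for msg in msgs:
            print(f"{user}: {msg}")
```

Against the constructed data, <code>root</code>, <code>xfze</code> and the locked <code>svc</code> account come back clean, while <code>legacy</code> is flagged twice (its hash never moved into the shadow file, and it is an MD5-crypt hash), <code>toor</code> is flagged as a second UID 0 account, <code>nopass</code> for its empty hash, <code>stale</code> because its 90-day maximum and 14-day inactivity period have both elapsed, and <code>expired</code> because its absolute expiry date is in the past. On a real system the same function can be run over the contents of the two files as root.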
 
===Users and accounts===
Administrators should delete accounts that are no longer in use promptly.
*Privileges should be acquired by logging in as an ordinary user and then using [[su (Unix)|su]] or [[sudo]]; remote access should be by [[Secure Shell|ssh]] only, with remote root logins disabled.
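The "no remote root logins" rule as it appears in the OpenSSH server configuration, as an added example that is not from the article: the weak setting beside the corrected one. The file path is the usual one but is an assumption for this example.

```conf
# /etc/ssh/sshd_config (excerpt; added example, not from the article)

# Weak: root may authenticate directly over the network, so an attacker who
# guesses or steals the root password never has to go through su or sudo.
PermitRootLogin yes

# Corrected: nobody logs in as root remotely. Administrators log in under their
# own accounts and escalate locally with su or sudo, which leaves a record of
# who escalated.
PermitRootLogin no
```

After editing, <code>sshd -T | grep -i permitrootlogin</code> prints the effective value of the setting, which is the check worth running because a later <code>Match</code> block or an included file can override what the main file appears to say. The OpenSSH default since version 7.0 is <code>prohibit-password</code>, which still allows key-based root logins and so does not by itself satisfy the rule above.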
 
==Software maintenance==