Cores and Extras Heliotropic Computing

Monday Nov 03, 2008

User administration and password storage in Solaris are done in a fairly secure way. Before getting to that topic, some basic idea of user administration is required. A system administrator can use the useradd command to add a new user to the system. This command is commonly used in the following fashion:
# useradd -u uid -g gid -G (gid1,gid2) -m -d homedirectory -s loginshell -c comment loginname
Here the -m option creates the home directory for that user if it does not already exist, and the comment field normally contains the user's full name and similar details.
Otherwise an administrator may choose to edit the /etc/passwd file directly to add a new user. Then he would be required to add a line to that file like:
loginname:x:UID:GID:comment:homedirectory:loginshell
and create the home directory manually. Either way, he then needs to set up a password for the user. The 'passwd' command is used to set a password or change a login password: 'passwd username' does it.
Now all users of the system have read-only permission on the /etc/passwd file. That is why passwords are not stored there; only an 'x' is placed in the password field. Although passwords are stored in encrypted (one-way hashed) form, cracking software exists that can recover them from that form, so the passwords are kept in the /etc/shadow file, which only the root user can read.
A user may use the passwd command to change his own login password, and the root user may use it to change the login password of any user. When the passwd command is used to change a password, it follows a series of steps. Here is the step-by-step description:

i) It asks for the old password. There are several reasons for this: first, authentication, and second, checking that enough time has passed under the password aging rules to allow a change.
ii) Then it asks for the new password. After one is entered, it checks the password against the constraints in /etc/default/passwd. The system administrator may change that file according to necessity and the required level of security. If the new password fulfils all constraints, it asks for the new password again to confirm.
iii) Then it consults the passwd and passwd_compat entries in the /etc/nsswitch.conf file to determine where the update will be stored.

We have already discussed the /etc/passwd and /etc/shadow files. The /etc/shadow file is actually built from the entries in /etc/passwd: check out the man page of pwconv, the system administrator's command to install and update /etc/shadow with information from /etc/passwd.
The steps behind the passwd command discussed above are a bit different for the root user. For root there is no constraint on setting or changing a password, and it will not even ask for the old one.
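As an added illustration (not code from the original post): a small sh/awk audit that reads /etc/passwd-format lines and reports any account where the shadow split described above is not in force, i.e. where the password field is not exactly 'x'. The sample lines and the finding labels are constructed for this example, not taken from any real system.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format (loginname:x:UID:GID:comment:home:shell);
# not copied from any real system.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
alice:x:1001:10:Alice Example:/export/home/alice:/bin/ksh
bob::1002:10:Bob Example:/export/home/bob:/bin/sh
carol:$1$saltsalt$CONSTRUCTEDHASHVALUE:1003:10:Carol Example:/export/home/carol:/bin/sh
toor:x:0:10:Second root:/export/home/toor:/bin/sh
broken:x:1004:10:Missing fields'

# audit_passwd: read passwd-format lines on stdin and print one finding per problem.
#   EMPTY_PASSWORD  - field 2 empty: the account can be used with no password at all
#   HASH_IN_PASSWD  - field 2 is neither "x" nor empty: the hash sits in the
#                     world-readable file instead of /etc/shadow (run pwconv)
#   EXTRA_UID0      - a login other than root with UID 0
#   DUP_UID         - two logins share a UID
#   MALFORMED       - the line does not have the 7 colon-separated fields
audit_passwd() {
    awk -F: '
        NF != 7                 { printf "MALFORMED %s\n", $1; next }
        $2 == ""                { printf "EMPTY_PASSWORD %s\n", $1 }
        $2 != "" && $2 != "x"   { printf "HASH_IN_PASSWD %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
        ($3 in seen)            { printf "DUP_UID %s %s\n", seen[$3], $1 }
                                { seen[$3] = $1 }
    '
}

# On a live system this would be:  audit_passwd < /etc/passwd
# Here it runs over the constructed sample above.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```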

To sum it all up, the system files behind password storage are:
/etc/passwd
/etc/shadow
/etc/opasswd
/etc/oshadow
/etc/default/passwd

Check out 'man passwd' for a more detailed description.