Released tcb 1.2 shadow password management mechanism

After 10 years of development, tcb 1.2 has been released, a shadow password management mechanism that serves as an alternative to the traditional Linux /etc/shadow scheme. Among distributions, tcb is used to store the password database in Openwall GNU/*/Linux, ALT Linux and Mageia. The project code is distributed under the BSD license.

The key difference between tcb and /etc/shadow is the move away from a single file holding all password hashes in favor of spreading the hashes across separate per-user directories and files. With this storage layout, password operations can be performed without elevated privileges, and the process handling credentials is confined to an individual user account. A handler for /etc/shadow always gains access to all password hashes at once, so a vulnerability in the passwd utility would allow any password to be changed. In tcb, each file holds the hash of only one user and resides in a directory owned by that user, which avoids privilege escalation when running the passwd utility.
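As an added example (not code from the tcb project), the following Python audit checks the per-user layout just described: every hash file must be owned by the account its directory is named after, and no permission bits may expose it to other users. It assumes the tree lives under /etc/tcb with one directory per user containing a file named shadow; both names are assumptions, not taken from the article.

```python
import os
import pwd
import stat
from dataclasses import dataclass
# Layout assumed for this example (the page does not spell it out): one
# directory per user under TCB_ROOT, owned by that user, holding one hash file.
TCB_ROOT = "/etc/tcb"
SHADOW_FILE = "shadow"

@dataclass(frozen=True)
class Entry:
    path: str          # full path of the per-user hash file
    dir_uid: int       # owner of the enclosing per-user directory
    file_uid: int      # owner of the hash file itself
    file_mode: int     # permission bits of the hash file
    expected_uid: int  # uid the directory name resolves to via getpwnam

def audit_entry(e: Entry) -> list[str]:
    """Findings for one per-user hash file (empty list = OK). tcb's guarantee
    rests on ownership matching the account and on no bits exposing the hash to
    other users or letting the group modify it."""
    f = []
    if e.dir_uid != e.expected_uid:
        f.append(f"{e.path}: directory owned by uid {e.dir_uid}, expected {e.expected_uid}")
    if e.file_uid != e.expected_uid:
        f.append(f"{e.path}: file owned by uid {e.file_uid}, expected {e.expected_uid}")
    if e.file_mode & stat.S_IRWXO:
        f.append(f"{e.path}: accessible to other users (mode {e.file_mode:04o})")
    if e.file_mode & (stat.S_IWGRP | stat.S_IXGRP):
        f.append(f"{e.path}: group write/exec bits set (mode {e.file_mode:04o})")
    return f

def collect_entries(root: str = TCB_ROOT) -> list[Entry]:
    """Build Entry records from a live tree; needs read access to the directories."""
    out = []
    for name in sorted(os.listdir(root)):
        d, hf = os.path.join(root, name), os.path.join(root, name, SHADOW_FILE)
        if not (os.path.isdir(d) and os.path.isfile(hf)):
            continue
        try:
            expected = pwd.getpwnam(name).pw_uid
        except KeyError:
            continue  # directory with no matching account; not checked here
        st = os.stat(hf)
        out.append(Entry(hf, os.stat(d).st_uid, st.st_uid, stat.S_IMODE(st.st_mode), expected))
    return out

def audit_tree(root: str = TCB_ROOT) -> list[str]:
    return [m for e in collect_entries(root) for m in audit_entry(e)]
```

Running `audit_tree()` on a live system requires read access to the per-user directories, which is why `audit_entry` is kept separate and testable on constructed records.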

The package includes the pam_tcb PAM module, the libnss_tcb NSS module, and the libtcb library shared by both. Replacing the PAM and NSS modules is enough for standard utilities such as passwd to work with the tcb scheme. tcb's crypt_blowfish password hashing mechanism is supported in the libxcrypt library, which Fedora Linux ships by default instead of libcrypt, so tcb can be used with the standard Glibc system library without additional patches.

Improvements in the tcb 1.2 release include support for libxcrypt and newer versions of Glibc, internationalization (i18n) support in pam_tcb, and the removal of support for the legacy NIS/NIS+ mechanism. Most of the changes were prepared by Dmitry Levin of the ALT Linux team.

/Media reports.