Talking about getty/login/passwd for user login on a Linux development board

Recently I have been troubleshooting a user-login problem, and I needed to understand how the development board starts up and how the username and password are verified for remote login. After some research, a brief summary follows.


Foreword

When we use a Linux device, after booting we always meet a user login screen, much like logging in to a QQ account; unlike Windows, however, Linux does not echo the characters typed for the password. Some devices do not have this step at all. Is everyone clear about the mechanism behind it?


1. Linux development board login mechanism

  I have already covered this in my previous article. If you need the details, please read "Easy root file system construction experiment and detailed explanation of the process".

2. getty, login, passwd

  The getty program will display a text login interface, which is the login interface we often see. In this login interface, the user will be prompted to enter a user name, and the user name entered by the user will be passed as a parameter to the login program to verify the user's identity.

  In the embedded Linux development board, these two programs come from busybox.

1. getty

  As a program executed at system startup, it has the following functions:

(1) Open the tty line and set its mode

(2) Print the login prompt and obtain the user name

(3) Start the user's login process


Note: network logins are handled differently from console logins, because providing a getty for every potential network login is impractical. Network logins are handled by the Internet super-server inetd, using the telnet or rlogin communication protocols.

  The getty program can also be used as a Linux command, but not all Linux systems support the following functions:

The Linux getty command is used to set the terminal mode, the line speed and the control line.

getty is one of the three steps required when a UNIX-like operating system starts.

getty [-h][-d<config file>][-r<delay seconds>][-t<timeout seconds>][-w<wait string>][terminal number][line speed <terminal type><control line>] or getty [-c<definition file>]

Parameters:
-c<definition file> Specify the definition file; the default is /etc/gettydefs.
-d<config file> Specify the configuration file; the default is /etc/conf.getty.
-h Force a hang-up (disconnect) when the transmission speed is 0.
-r<delay seconds> Set the delay time.
-t<timeout seconds> Set the time to wait for a login.
-w<wait string> Set the string to wait for as a response.

Example, opening a terminal:
# getty tty7

2. login

  The Linux account verification program is login. login receives the user name from getty as its user-name argument and then examines it: if the user is not root and the file /etc/nologin exists, login prints the contents of the nologin file and exits. This is usually used to keep non-root users from logging in during system maintenance. Only terminals registered in /etc/securetty allow the root user to log in; if this file does not exist, root can log in on any terminal. The /etc/usertty file imposes additional access restrictions on users; if it does not exist, there are no further restrictions.

  After examining the user name, login searches /etc/passwd and /etc/shadow to verify the password and to set the account's other information, such as its home directory and the shell it uses. If no home directory is specified, it defaults to the root directory (/); if no shell is specified, it defaults to /bin/bash.

  After the login program succeeds, it prints the most recent login information (recorded in /var/log/lastlog) to the corresponding terminal and checks whether the user has new mail (the file named after the user under /usr/spool/mail/). It then starts setting the environment variables: for bash, the system first looks for the /etc/profile script and executes it; then if there is a . After all configuration files have been executed and the environment variables are set, the familiar command-line prompt appears and the whole startup process is over.

	If no argument is given on the command line, the login program prompts for a user name. If the file /etc/nologin exists and the user is not root, the contents of /etc/nologin are printed to the screen and the login is terminated. If special access restrictions are specified for the user in the file /etc/usertty, those restrictions must be satisfied, otherwise the login is refused and syslog records the attempt. If the user is root, the login must take place on a terminal listed in /etc/securetty.

	If the above conditions are met, the user's password is requested and then checked (if this user name requires a password). After three failed login attempts the response becomes very slow, and after 10 attempts the login fails. As usual, syslog reports every login failure. If the file .hushlogin exists in the user's home directory, a "quiet" login is performed, which disables the mail check and the printing of the last login time and the message of the day. Otherwise, if the file /var/log/lastlog exists, the last login time is printed and the current login is recorded in that file. If the current login name does not exist or the file .hushlogin exists, the login is still recorded in that file.

	At this point the login program performs the standard administrative tasks. These include:
(1) Setting the UID and GID of the tty

(2) Preserving the terminal environment variable (if it exists).

(3) If the -p option is used, preserving the other environment variables

(4) Setting the HOME, PATH, SHELL, TERM, MAIL and LOGNAME environment variables.

(5) For normal users the default path is set to "/usr/local/bin:/bin:/usr/bin:.", and for root it is set to "/sbin:/bin:/usr/sbin".

(6) If this is not a "quiet" login, the message of the day is printed and the file named after the user under /usr/spool/mail is checked; if that file has non-zero length, a message is printed.

(7) The user's shell is started. The shell is specified in /etc/passwd. If none is specified, login uses /bin/sh as the default shell.

(8) If no directory is specified for the user in /etc/passwd, login uses "/" as the user's home directory by default.

The program uses the following files while running:
/etc/nologin
/etc/usertty
/etc/securetty
.hushlogin
/var/log/lastlog
/etc/passwd

See also: https://blog.csdn.net/m_de_g/article/details/126444846
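To make the getty and login rules above concrete, here is an added example written for this post (it is not code from the original article or from busybox). The POSIX shell script builds a throw-away root directory with a constructed busybox-style inittab, /etc/securetty and /etc/passwd, then reproduces the checks described in the two sections above: which consoles inittab hands to getty, whether root may log in on each of them under /etc/securetty, whether /etc/nologin blocks a non-root user, and the "/" and /bin/sh defaults that login applies when /etc/passwd leaves the home or shell field empty. The busybox inittab and getty argument syntax, the helper names and all file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from busybox: reproduce the
# getty/login policy checks described above on a constructed temporary root.
# Helper names (getty_ttys, root_allowed_on, login_decision, user_home,
# user_shell) and all file contents are assumptions made for this example.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc"

# Constructed busybox-style inittab: a serial console and a virtual console
# each get a respawning getty (busybox getty syntax assumed: BAUD TTY [TERM]).
cat > "$ROOT/etc/inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS0 115200 vt100
tty1::respawn:/sbin/getty 38400 tty1
::ctrlaltdel:/sbin/reboot
EOF

# Constructed /etc/securetty: root may log in on tty1 but not on ttyS0.
printf 'tty1\n' > "$ROOT/etc/securetty"

# Constructed /etc/passwd: "dev" has empty home-directory and shell fields.
cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
dev:x:1000:1000:developer::
EOF

# Terminals on which inittab spawns a getty: the last "tty*" word of the
# process field of every getty line.
getty_ttys() {
    awk -F: '/getty/ {
        n = split($NF, w, " "); dev = ""
        for (i = 1; i <= n; i++) if (w[i] ~ /^tty/) dev = w[i]
        if (dev != "") print dev
    }' "$ROOT/etc/inittab"
}

# Root may log in only on terminals listed in /etc/securetty; if the file
# does not exist, on any terminal (as the post states).
root_allowed_on() {
    if [ ! -f "$ROOT/etc/securetty" ]; then echo allow; return; fi
    if grep -qx "$1" "$ROOT/etc/securetty"; then echo allow; else echo deny:securetty; fi
}

# The nologin check: a non-root user is refused while /etc/nologin exists;
# root is exempt and subject only to the securetty check.
login_decision() {
    user=$1; tty=$2
    if [ "$user" != root ] && [ -f "$ROOT/etc/nologin" ]; then
        echo deny:nologin; return
    fi
    if [ "$user" = root ]; then root_allowed_on "$tty"; return; fi
    echo allow
}

# Home directory and shell that login would use, with the defaults the post
# gives for empty /etc/passwd fields: "/" and /bin/sh.
user_home() {
    h=$(awk -F: -v u="$1" '$1 == u { print $6 }' "$ROOT/etc/passwd")
    echo "${h:-/}"
}
user_shell() {
    s=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$ROOT/etc/passwd")
    echo "${s:-/bin/sh}"
}

# Audit: a getty on a console that securetty does not list means root
# cannot log in there even though a login prompt is shown.
audit_consoles() {
    for t in $(getty_ttys); do
        echo "getty on $t: root login $(root_allowed_on "$t")"
    done
}

audit_consoles
echo "dev on tty1: $(login_decision dev tty1), home=$(user_home dev) shell=$(user_shell dev)"
echo maintenance > "$ROOT/etc/nologin"
echo "dev on tty1 with /etc/nologin present: $(login_decision dev tty1)"
rm -f "$ROOT/etc/nologin"
```

Running it prints that the serial console ttyS0 shows a login prompt but refuses root (it is missing from securetty), that dev is accepted until /etc/nologin is created, and that dev falls back to "/" and /bin/sh. On a real board the same three files decide the outcome, so a "login refused" report is usually answered by checking them in that order.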

  login is similar to getty, and can also be used as a Linux command:

The Linux login command is used to log in to the system.

The login command lets a user log in to the system; you can also use it to switch the login identity at any time. In the Slackware distribution you can append the user name to log in as after the command; it then asks for the password directly and waits for input. When the /etc directory contains a file named nologin, only the root account can log in and all other users are denied.

3. Linux encryption algorithm and passwd command

1. Understanding the Linux encryption algorithms

  A password stored on Linux is never kept in plaintext; Linux generates the stored password data with an encryption (one-way hash) algorithm.

  There are currently two main encryption algorithms in Linux:

	DES: the algorithm used by traditional Unix. It only supports passwords of up to eight characters; if the password is longer than eight characters, only the first eight are compared and the remaining characters are ignored. This algorithm is relatively weak.

	MD5: generally used in common Linux systems; it supports passwords of up to 255 characters and is relatively more secure.

	DES and MD5 are both one-way hash algorithms. A hash algorithm is a mathematical algorithm with all of the following properties:
	(1) the input length may vary, but the output length is always fixed;
	(2) the same input always gives the same output, and a changed input gives a changed output;
	(3) the input cannot be derived from the output.

	The current MD5 scheme also has a variant that generates a fixed-length random number (a salt); the random number is handed to the one-way hash algorithm together with the original password, and the hash of the password and the random number is computed.

  By default, when the passwd tool built by busybox is used to set user passwords, the DES algorithm is used, which has security holes; the -a option of the passwd command solves this, as it selects a newer encryption algorithm.

2. The passwd tool built by busybox

  passwd is both a command and the name of a file. The passwd command is used to change a user's password. The passwd file is usually present on a Linux system, and the user's key information is stored in /etc/passwd.

Usage: passwd [OPTIONS] [USER]

Change USER's password (default: current user)

-a ALG Encryption method
-d Set password to ''
-l Lock (disable) account
-u Unlock (enable) account

passwd root -d  whatever other parameters follow, this removes the user's password entirely, which makes remote access impossible

  Based on my guess from the problems met during actual development, the passwd program and the login program have a certain tacit understanding: after passwd changes the encryption method, login also changes accordingly so that it recognizes the new encryption method. Or it may be that the internal encryption and decryption mechanisms of the two are the same, since after all both come from busybox. Another possibility is that login uses passwd's encryption and decryption function.

Note: This article draws on other people's technical blogs, experience reports and Baidu Encyclopedia entries found online, combined with my own development experience. If there is any infringement, please contact me and it will be deleted. You are welcome to exchange and learn in the comments section.


Origin blog.csdn.net/weixin_45842280/article/details/128229062