How the Linux shadow file and /usr/bin/passwd let ordinary users change their passwords

The Linux shadow file

The first small program demonstrated in the book "Python Stunt" is a brute-force cracker for the Unix shadow password file. Until then I had only known that the shadow file stores user passwords and had never studied it in detail, so I set aside some time this weekend to look into it.
1. The passwd file and the shadow file
Early Unix had no /etc/shadow. All user information lived in /etc/passwd, with the encrypted password in the file's second field. So why was the shadow file introduced?
First, look at the permissions of the passwd file with ls:
-rw-r--r-- 1 root root 1505 Mar 6 22:34 /etc/passwd 
Every user can read it, so the encrypted passwords were exposed to anyone on the system. Even though the hashing made them hard to reverse, handing the ciphertext to every user invites offline cracking, which is a real security issue.
Today the permissions look like this (note that /usr/bin/passwd carries the SetUID bit, shown as an s in the owner's execute position):
-rwsr-xr-x. 1 root root 30768 Feb 22 2012 /usr/bin/passwd 
---------- 1 root root 964 Mar 6 22:34 /etc/shadow 
First, every permission bit is removed from the shadow file, so only root can read or write it (root bypasses file permission checks, so it needs no explicit grant). Then how can an ordinary user, who cannot touch the shadow file, still change a password that is stored there? Through the s bit on /usr/bin/passwd.
An ordinary user changes a password like this:
The user test runs /usr/bin/passwd. The binary is executable by everyone, and because it is SetUID root, the kernel runs the process with root as its effective user no matter who invoked it. For the lifetime of that process, test reads and writes the shadow file with root privileges; when the command exits, the process is gone and test has no root privileges at all. The passwd program itself enforces the policy: for a non-root caller it asks for the current password and only rewrites the caller's own entry. Separating the hashes into the shadow file therefore lets ordinary users change their own passwords while preventing them from reading anyone's hash, which improves security.
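To make the privilege split concrete, here is an added example (not from the original article) that parses the three ls -l lines shown above and flags what would break the design: a shadow file that anyone besides root can read or write, and a SetUID binary that is not owned by root or is writable by others. Run as a script it also checks the live system via os.stat. The allowance for a shadow file that is group-readable by group shadow is an assumption based on Debian's root:shadow 0640 layout, not the CentOS layout the article shows.

```python
import stat

# ls -l output copied from the article. The trailing "." on the passwd binary
# is the SELinux context marker that ls prints on CentOS; the parser ignores it.
SAMPLE_LS = """\
-rw-r--r-- 1 root root 1505 Mar 6 22:34 /etc/passwd
-rwsr-xr-x. 1 root root 30768 Feb 22 2012 /usr/bin/passwd
---------- 1 root root 964 Mar 6 22:34 /etc/shadow
"""

# Permission bits for the nine rwx positions, in the order ls prints them.
_RWX_BITS = [
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
]
# Special bits that ls folds into the three execute positions (s, s, t).
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_mode_string(text):
    """Turn the 10-character ls mode column (e.g. '-rwsr-xr-x') into st_mode permission bits."""
    perms = text[1:10]
    if len(perms) != 9:
        raise ValueError("expected a 10-character mode string: %r" % text)
    mode = 0
    for pos, ch in enumerate(perms):
        if ch == "-":
            continue
        if pos in _SPECIAL and ch in "sStT":
            mode |= _SPECIAL[pos]
            if ch in "st":          # lowercase: special bit AND execute bit are set
                mode |= _RWX_BITS[pos]
        elif ch in "rwx":
            mode |= _RWX_BITS[pos]
        else:
            raise ValueError("unexpected character %r in %r" % (ch, text))
    return mode


def parse_ls_line(line):
    """Split one `ls -l` line into (path, mode bits, owner, group)."""
    fields = line.split()
    return fields[-1], parse_mode_string(fields[0]), fields[2], fields[3]


def audit(path, mode, owner, group):
    """Return the policy violations for one file; an empty list means it looks right."""
    findings = []
    if path == "/etc/shadow":
        if mode & stat.S_IROTH:
            findings.append("shadow is readable by all users")
        if mode & stat.S_IRGRP and group not in ("root", "shadow"):
            findings.append("shadow is readable by group %s" % group)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("shadow is writable by non-root users")
    if mode & stat.S_ISUID:
        # A setuid binary runs as its owner; anyone who can write it gets that identity.
        if owner != "root":
            findings.append("setuid binary is not owned by root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("setuid binary is writable by non-root users")
    return findings


def audit_ls_output(text):
    """Audit every line of ls -l output; returns {path: [findings]}."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            path, mode, owner, group = parse_ls_line(line)
            result[path] = audit(path, mode, owner, group)
    return result


if __name__ == "__main__":
    import os, pwd, grp
    # Same checks against the running system (names may be unresolvable in a container).
    for path in ("/etc/passwd", "/etc/shadow", "/usr/bin/passwd"):
        try:
            st = os.stat(path)
            owner = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except (OSError, KeyError) as exc:
            print(path, "-", exc)
            continue
        print(path, stat.filemode(st.st_mode), owner, group,
              audit(path, st.st_mode, owner, group) or "ok")
```

The sample lines from the article produce no findings: world-readable passwd is by design, shadow has no bits at all, and passwd is setuid root and not writable by others.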
2. What a shadow entry consists of
root:$1$abcdefg$Qp6zr7K0tHxV79N9cCLSc1:16866:0:99999:7:::
An entry has nine colon-separated fields:
account name: root
encrypted password: $1$abcdefg$Qp6zr7K0tHxV79N9cCLSc1
date of the last password change: 16866 (days since 1970-01-01, here 2016-03-06)
minimum number of days before the password may be changed again: 0
maximum number of days before the password must be changed: 99999 (effectively never)
number of days of warning before the password expires: 7
number of days after expiry before the account is disabled (inactivity period): empty
account expiration date (days since 1970-01-01): empty
reserved field: empty, currently unused
3. The password part of the shadow file
The password field consists of three parts separated by '$'.
Taking the root entry above as an example, splitting on '$' gives the hashing method (1), the salt (abcdefg), and the hash of the salted password (Qp6zr7K0tHxV79N9cCLSc1).
The first part identifies the hashing method. crypt supports several; the three most common are:
1: MD5-based crypt, hash part is 22 characters
5: SHA-256-based crypt, hash part is 43 characters
6: SHA-512-based crypt, hash part is 86 characters
SHA-256 and SHA-512 entries may also carry an optional rounds=N$ between the id and the salt, e.g. $6$rounds=10000$salt$hash. A password field that starts with '!' belongs to a locked account (passwd -l prepends it; '!!' means no password was ever set), and '*' marks an account that cannot log in with a password at all.
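As an added example covering sections 2 and 3 (not code from the original article), here is a parser that splits a shadow entry into its nine fields, converts the day counts to dates, reports the password's aging status for a given day, and breaks the password field into method id, optional rounds, salt and hash, checking the hash length against the figures above. The input is the root line from the article plus constructed lines; the $6$ hash in the bob line is a dummy string of the right length, not a real hash.

```python
import re
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# $id$ -> (method name, length of the hash part) for the methods the article covers.
HASH_METHODS = {"1": ("MD5-crypt", 22), "5": ("SHA-256-crypt", 43), "6": ("SHA-512-crypt", 86)}

# Matches $id$[rounds=N$]salt$hash; legacy DES hashes have no '$' and will not match.
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$")

# First line is the root entry from the article; the rest are constructed test data.
SAMPLE_SHADOW = (
    "root:$1$abcdefg$Qp6zr7K0tHxV79N9cCLSc1:16866:0:99999:7:::\n"
    "daemon:*:16866:0:99999:7:::\n"
    "bob:$6$rounds=10000$saltsalt$" + "A" * 86 + ":16800:1:90:7:14:17000:\n"
    "carol:!!:16866:0:99999:7:::\n"
    "svc::16866:0:99999:7:::\n"
)


def days_to_date(field):
    """Shadow stores dates as days since 1970-01-01; an empty field means 'not set'."""
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_password_field(pw):
    """Classify the second field and split a $id$[rounds=N$]salt$hash string."""
    info = {"locked": False, "method": None, "rounds": None, "salt": None, "hash": None, "problems": []}
    if pw == "":
        info["problems"].append("empty password field: login without a password is possible")
        return info
    if pw.startswith("!"):
        info["locked"] = True        # passwd -l prepends '!'; '!!' means never set
        pw = pw.lstrip("!")
    if pw in ("", "*"):
        return info                  # nothing to hash against: no password login
    m = HASH_RE.match(pw)
    if not m:
        info["problems"].append("unrecognised hash format (legacy DES or unknown scheme)")
        return info
    name, expected_len = HASH_METHODS.get(m["id"], ("unknown $%s$ scheme" % m["id"], None))
    info.update(method=name, salt=m["salt"], hash=m["hash"],
                rounds=int(m["rounds"]) if m["rounds"] else None)
    if expected_len is not None and len(m["hash"]) != expected_len:
        info["problems"].append("hash part is %d characters, expected %d for %s"
                                % (len(m["hash"]), expected_len, name))
    if m["id"] == "1":
        info["problems"].append("MD5-crypt is obsolete; rehash with $6$ (SHA-512) or stronger")
    return info


def parse_shadow_line(line):
    """Split one shadow entry into its nine fields with dates and integers decoded."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw, lastchg, mindays, maxdays, warn, inactive, expire, _reserved = fields
    return {
        "name": name,
        "password": parse_password_field(pw),
        "last_change": days_to_date(lastchg),
        "min_days": int(mindays) if mindays else 0,
        "max_days": int(maxdays) if maxdays else None,
        "warn_days": int(warn) if warn else 0,
        "inactive_days": int(inactive) if inactive else None,
        "expire": days_to_date(expire),
    }


def load_shadow(text):
    """Parse a whole shadow file into {account name: entry}."""
    return {e["name"]: e for e in (parse_shadow_line(l) for l in text.splitlines() if l.strip())}


def password_status(entry, today):
    """Describe the aging state of an entry on `today` (a date or an ISO date string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if entry["expire"] is not None and today >= entry["expire"]:
        return "account expired on %s" % entry["expire"]
    if entry["last_change"] is None:
        return "password aging disabled"
    if entry["last_change"] == EPOCH:          # a last-change value of 0
        return "must change password at next login"
    if entry["max_days"] is None or entry["max_days"] >= 99999:
        return "password never expires"
    expires = entry["last_change"] + timedelta(days=entry["max_days"])
    left = (expires - today).days
    if left < 0:
        return "password expired on %s" % expires
    if left <= entry["warn_days"]:
        return "password expires in %d days (warning period)" % left
    return "password expires in %d days" % left
```

Running load_shadow over the sample, the root entry decodes to a last change on 2016-03-06 (matching the Mar 6 timestamp on the ls output above) with a password that never expires, bob gets a 90-day policy with the warning window starting 7 days before 2016-03-30, and the svc line is flagged for its empty password field.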
4. Generating a password string by hand (tested on CentOS 6.5)
Method one: the doveadm command provided by the dovecot package.
For example: doveadm pw -s SHA512-CRYPT, where -s selects one of several schemes, such as SHA512-CRYPT, SHA256-CRYPT or MD5-CRYPT.
Method two: the passwd subcommand provided by the openssl package.
For example openssl passwd -1, which I found only supports MD5. (OpenSSL 1.1.1 and later added -5 and -6 for SHA-256 and SHA-512 crypt.)
Method three: the crypt module that ships with Python.

import crypt
crypt.crypt("password", "$1$abcdefg$")

If you do not want to specify the salt yourself, crypt.mksalt() generates one for you; it takes crypt.METHOD_MD5, crypt.METHOD_SHA256 or crypt.METHOD_SHA512, and for the SHA methods an optional rounds argument. Note that the crypt module was deprecated in Python 3.11 and removed in Python 3.13.

Reposted from: https://www.cnblogs.com/beautiful-code/p/9444201.html


Original post: blog.csdn.net/xx_ay/article/details/104154408