[20160420]shadow檔案格式密碼加密.txt

[20160420]shadow檔案格式密碼加密.txt

$ man 5 shadow

SHADOW(5)                File Formats and Conversions                SHADOW(5)

NAME

       shadow - encrypted password file

DESCRIPTION

       shadow contains the encrypted password information for user's accounts and optional the password aging

       information. Included is:

       . login name

       . encrypted password

       . days since Jan 1, 1970 that password was last changed

       . days before password may be changed

       . days after which password must be changed

       . days before password is to expire that user is warned

       . days after password expires that account is disabled

       . days since Jan 1, 1970 that account is disabled

       . a reserved field

# cat /etc/shadow |grep oracle

oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::

--主要關注加密字段.

$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.

--以$作為分割,

--第1個字段表示:

$1 = MD5 hashing algorithm.

$2 =Blowfish Algorithm is in use.

$2a=eksblowfish Algorithm

$5 =SHA-256 Algorithm

$6 =SHA-512 Algorithm

--很明顯這裡使用MD5 hashing algorithm.

--第2個字段salt占8位:

ZcwH7AWX

--第3個字段就是密碼的加密串=> password+slat的hash value.

0BlZZRahwsQ4hLIEUTBN5.

--我的測試密碼是123456,測試看看:

$ openssl passwd -1 -salt ZcwH7AWX 123456

--正好對上!!

--實際上在安裝的時候可以選擇密碼的加密算法.

# grep password /etc/pam.d/system-auth

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

# authconfig --test|grep hashing

password hashing algorithm is md5

# authconfig --passalgo=sha512 --update

# grep sha512 /etc/pam.d/system-auth

system-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

--已經修改為sha512