linux下的/etc/shadow文件详解
2013-04-24 21:11
465 查看
原址:http://www.cyberciti.biz/faq/understanding-etcshadow-file/
Q. Can you explain /etc/shadow file used under Linux or UNIX?
A. /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated
by a colon (:) symbol. It contains one entry per line for each user listed in
/etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):
(Fig.01: /etc/shadow file fields)
User name : It is your login name
Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
Last password change (last changed): Days since Jan 1, 1970 that password was last changed
Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from
the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based
algorithm was used.
原址:http://en.wikipedia.org/wiki/Passwd
passwd is a tool on most
Unix and Unix-like operating systems used to change a user's
password. The password entered by the user is run through a
key derivation function to create a
hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.
When the user logs on, the password entered by the user during the log on process is run through the same key derivation function and the resulting hashed version is compared with the saved version. If the hashes are identical, the entered password are considered
to be identical, and so the user is authenticated. In theory, it is possible to occur that two different passwords produce the same hash. However,
cryptographic hash functions are designed in such way that finding any password that produces the given hash is very difficult and practically unfeasible, so if the produced hash matches the stored one, the user can be authenticated.
The passwd command may be used to change passwords for local accounts, and on most systems, can also be used to change passwords managed in a distributed authentication mechanism such as
NIS,
Kerberos, or
LDAP.
users that may login to the system or other operating system user identities that own running processes.
In many operating systems this file is just one of many possible back-ends for the more general
passwd name service.
The file's name originates from one of its initial functions as it contained the data used to verify
passwords of user accounts. However, on modern
Unix systems the security-sensitive password information is instead often stored in a different file using
shadow passwords, or other database implementations.
The
file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the
superuser or by using a few special purpose privileged commands.
The
text file with one record per
line, each describing a
user account. Each record consists of seven fields separated by
colons.[1] The ordering of the records within the file is generally unimportant.
An example record may be:
The fields, in order from left to right, are:[2]
The first field is the user name, i.e. the string a user would type in when logging into the operating system: the
logname. Each record in the file must have a unique user name field.
The second field stores information used to validate a user's
password; however in most modern uses this field is usually set to "x" (or some other indicator) with the actual password information being stored in a separate
shadow password file. Setting this field to an asterisk "*" is the typical way to deactivate an account to prevent it being used.
The third field is the
user identifier, the number that the operating system uses for internal purposes. It does not have to be unique.
The fourth field is the
group identifier. This number identifies the primary group of the user; all files that are created by this user may initially be accessible to this group.
The fifth field, called the
Gecos field, is commentary that describes the person or account. Typically, this is a set of comma-separated values including the user's full name and contact details.
The sixth field is the path to the user's
home directory.
The seventh field is the program that is started every time the user logs into the system. For an interactive user, this is usually one of the system's
command line interpreters (shells).
super user.
Systems administrators can reduce the likelihood of brute force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the
file to hold the password hashes separate from the other data in the world-readable
passwd file. For local files, this is usually
Linux and Unix systems, or
BSD systems; each is readable only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain the information in other ways in any case).
Virtually all recent
Unix-like operating systems use shadowed passwords.
The shadow password file does not entirely solve the problem of attacker access to hashed passwords, as some network authentication schemes operate by transmitting the hashed password over the network (sometimes in
cleartext, e.g., Telnet[3]), making it vulnerable to interception. Copies of system data, such as system backups written
to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication
checks at high rates of speed.
On a system without shadowed passwords (typically older Unix systems dating from before 1990 or so), the
passwd file holds the following user information for each user account:
Username
Salt combined with the current hash of the user's password (usually produced from a
cryptographic hash function)
Password expiration information
User ID (UID)
Default group ID (GID)
Full name
Home directory path
Login shell
The passwd file is readable by all users so that
name service switch can work (e.g., to ensure that user names are shown when the user lists the contents of a folder), but only the root user can write to it. This means that an attacker with unprivileged access to the system can obtain the hashed form
of every user's password. Those values can be used to mount a
brute force attack offline, testing possible passwords against the hashed passwords relatively quickly without alerting system security arrangements designed to detect an abnormal number of failed
login attempts. Users often select passwords vulnerable to such
password cracking techniques.[4]
With a shadowed password scheme in use, the
User login name
salt and hashed password OR a status exception value e.g.:
"$id$salt$hashed", where "$id" is the algorithm used (On GNU/Linux, "
MD5, "
Blowfish, "
SHA-256 and "
SHA-512,
crypt(3) manpage, other Unix may have different values, like
NetBSD).
"NP" or "!" or null - No password, the account has no password.
"LK" or "*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired
Days since
epoch of last password change
Days until change allowed
Days before change required
Days warning for expiration
Days before account inactive
Days since Epoch when account expires
Reserved
The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical
to the order of the corresponding users in the password file.
System V Release 3.2 in 1988 and
BSD4.3 Reno in 1990. But, vendors who had performed ports from earlier UNIX releases did not always include the new password shadowing features in their releases, leaving users of those systems exposed to password file attacks.
System administrators may also arrange for the storage of passwords in distributed databases such as
NIS and
LDAP, rather than in files on each connected system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled
by the security mechanisms of the underlying data repository.
In 1987 the author of the original Shadow Password Suite, Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing the
Xenix operating system, quickly got ported to other platforms. The Shadow Suite was ported to
Linux in 1992 one year after the original announcement of the Linux project, and was included in many early distributions, and continues to be included in many current
Linux distributions.
In the past, it was necessary to have different commands to change passwords in different authentication schemes. For example, the command to change a NIS password was
yppasswd. This required users to be aware of the different methods to change passwords for different systems, and also resulted in wasteful duplication of code in the various programs that performed the same functions with different
back ends. In most implementations, there is now a single passwd command, and the control of where the password is actually changed is handled transparently to the user via
pluggable authentication modules (PAMs). For example, the type of hash used is dictated by the configuration of the
MD5 hash has been used, while current modules are also capable of stronger hashes such as
blowfish,
SHA256 and
SHA512.
原址:https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Introduction_To_System_Administration/s3-acctsgrps-shadow.html
6.3.2.2.
Because the
If a copy of
generated by password-cracker, an attacker can use a password cracker in the following manner:
A password-cracker generates potential passwords
Each potential password is then encrypted using the same algorithm as the system
The encrypted potential password is then compared against the encrypted passwords in
The most dangerous aspect of this attack is that it can take place on a system far-removed from your organization. Because of this, the attacker can use the highest-performance hardware available, making it possible to go through massive numbers
of passwords very quickly.
Therefore, the
Username — The name the user types when logging into the system. This allows the
login application to retrieve the user's password (and related information).
Encrypted password — The 13 to 24 character password. The password is encrypted using either the
Date password last changed — The number of days since January 1, 1970 (also called the
epoch) that the password was last changed. This information is used in conjunction with the password aging fields that follow.
Number of days before password can be changed — The minimum number of days that must pass before the password can be changed.
Number of days before a password change is required — The number of days that must pass before the password must be changed.
Number of days warning before password change — The number of days before password expiration during which the user is warned of the impending expiration.
Number of days before the account is disabled — The number of days after a password expires before the account will be disabled.
Date since the account has been disabled — The date (stored as the number of days since the epoch) since the user account has been disabled.
A reserved field — A field that is ignored in Red Hat Enterprise Linux.
Here is an example line from
This line shows the following information for user
The password was last changed February 11, 2005
There is no minimum amount of time required before the password can be changed
The password must be changed every 90 days
The user will get a warning five days before the password must be changed
The account will be disabled 30 days after the password expires if no login attempt is made
The account will expire on November 9,2005
For more information on the
还有一个参考网址:http://linux.die.net/man/5/shadow
Q. Can you explain /etc/shadow file used under Linux or UNIX?
A. /etc/shadow file stores actual password in encrypted format for user's account with additional properties related to user password i.e. it stores secure user account information. All fields are separated
by a colon (:) symbol. It contains one entry per line for each user listed in
/etc/passwd file Generally, shadow file entry looks as follows (click to enlarge image):
/etc/shadow file fields
(Fig.01: /etc/shadow file fields)
User name : It is your login name
Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
Last password change (last changed): Days since Jan 1, 1970 that password was last changed
Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
Warn : The number of days before password is to expire that user is warned that his/her password must be changed
Inactive : The number of days after password expires that account is disabled
Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
The last 6 fields provides password aging and account lockout features (you need to use chage command to setup password aging). According to man page of shadow - the password field must be filled. The encrypted password consists of 13 to 24 characters from
the 64 character alphabet a through z, A through Z, 0 through 9, \. and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example if it starts with "$1$" it means the MD5-based
algorithm was used.
原址:http://en.wikipedia.org/wiki/Passwd
passwd is a tool on most
Unix and Unix-like operating systems used to change a user's
password. The password entered by the user is run through a
key derivation function to create a
hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons.
When the user logs on, the password entered by the user during the log on process is run through the same key derivation function and the resulting hashed version is compared with the saved version. If the hashes are identical, the entered password are considered
to be identical, and so the user is authenticated. In theory, it is possible to occur that two different passwords produce the same hash. However,
cryptographic hash functions are designed in such way that finding any password that produces the given hash is very difficult and practically unfeasible, so if the produced hash matches the stored one, the user can be authenticated.
The passwd command may be used to change passwords for local accounts, and on most systems, can also be used to change passwords managed in a distributed authentication mechanism such as
NIS,
Kerberos, or
LDAP.
Contents1Password file 2 Shadow file 3 History 4 See also 5 References 6 External links |
Password file
The/etc/passwdfile is a text-based database of information about
users that may login to the system or other operating system user identities that own running processes.
In many operating systems this file is just one of many possible back-ends for the more general
passwd name service.
The file's name originates from one of its initial functions as it contained the data used to verify
passwords of user accounts. However, on modern
Unix systems the security-sensitive password information is instead often stored in a different file using
shadow passwords, or other database implementations.
The
/etc/passwdfile typically has
file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the
superuser or by using a few special purpose privileged commands.
The
/etc/passwdfile is a
text file with one record per
line, each describing a
user account. Each record consists of seven fields separated by
colons.[1] The ordering of the records within the file is generally unimportant.
An example record may be:
jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh
The fields, in order from left to right, are:[2]
The first field is the user name, i.e. the string a user would type in when logging into the operating system: the
logname. Each record in the file must have a unique user name field.
The second field stores information used to validate a user's
password; however in most modern uses this field is usually set to "x" (or some other indicator) with the actual password information being stored in a separate
shadow password file. Setting this field to an asterisk "*" is the typical way to deactivate an account to prevent it being used.
The third field is the
user identifier, the number that the operating system uses for internal purposes. It does not have to be unique.
The fourth field is the
group identifier. This number identifies the primary group of the user; all files that are created by this user may initially be accessible to this group.
The fifth field, called the
Gecos field, is commentary that describes the person or account. Typically, this is a set of comma-separated values including the user's full name and contact details.
The sixth field is the path to the user's
home directory.
The seventh field is the program that is started every time the user logs into the system. For an interactive user, this is usually one of the system's
command line interpreters (shells).
Shadow file
/etc/shadowis used to increase the security level of passwords by restricting all but highly privileged users' access to hashed password data. Typically, that data is kept in files owned by and accessible only by the
super user.
Systems administrators can reduce the likelihood of brute force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the
passwddatabase itself readable only by the root user. However, this would restrict access to other data in the file such as username-to-userid mappings, which would break many existing utilities and provisions. One solution is a "shadow" password
file to hold the password hashes separate from the other data in the world-readable
passwd file. For local files, this is usually
/etc/shadowon
Linux and Unix systems, or
/etc/master.passwdon
BSD systems; each is readable only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain the information in other ways in any case).
Virtually all recent
Unix-like operating systems use shadowed passwords.
The shadow password file does not entirely solve the problem of attacker access to hashed passwords, as some network authentication schemes operate by transmitting the hashed password over the network (sometimes in
cleartext, e.g., Telnet[3]), making it vulnerable to interception. Copies of system data, such as system backups written
to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication
checks at high rates of speed.
On a system without shadowed passwords (typically older Unix systems dating from before 1990 or so), the
passwd file holds the following user information for each user account:
Username
Salt combined with the current hash of the user's password (usually produced from a
cryptographic hash function)
Password expiration information
User ID (UID)
Default group ID (GID)
Full name
Home directory path
Login shell
The passwd file is readable by all users so that
name service switch can work (e.g., to ensure that user names are shown when the user lists the contents of a folder), but only the root user can write to it. This means that an attacker with unprivileged access to the system can obtain the hashed form
of every user's password. Those values can be used to mount a
brute force attack offline, testing possible passwords against the hashed passwords relatively quickly without alerting system security arrangements designed to detect an abnormal number of failed
login attempts. Users often select passwords vulnerable to such
password cracking techniques.[4]
With a shadowed password scheme in use, the
/etc/passwdfile typically shows a character such as '
*', or '
x' in the password field for each user instead of the hashed password, and
/etc/shadowusually contains the following user information:
User login name
salt and hashed password OR a status exception value e.g.:
"$id$salt$hashed", where "$id" is the algorithm used (On GNU/Linux, "
$1$" stands for
MD5, "
$2a$" is
Blowfish, "
$5$" is
SHA-256 and "
$6$" is
SHA-512,
crypt(3) manpage, other Unix may have different values, like
NetBSD).
"NP" or "!" or null - No password, the account has no password.
"LK" or "*" - the account is Locked, user will be unable to log-in
"!!" - the password has expired
Days since
epoch of last password change
Days until change allowed
Days before change required
Days warning for expiration
Days before account inactive
Days since Epoch when account expires
Reserved
The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical
to the order of the corresponding users in the password file.
History
Password shadowing first appeared in UNIX systems with the development ofSystem V Release 3.2 in 1988 and
BSD4.3 Reno in 1990. But, vendors who had performed ports from earlier UNIX releases did not always include the new password shadowing features in their releases, leaving users of those systems exposed to password file attacks.
System administrators may also arrange for the storage of passwords in distributed databases such as
NIS and
LDAP, rather than in files on each connected system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled
by the security mechanisms of the underlying data repository.
In 1987 the author of the original Shadow Password Suite, Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing the
login,
passwdand
sucommands. The original release, written for the SCO
Xenix operating system, quickly got ported to other platforms. The Shadow Suite was ported to
Linux in 1992 one year after the original announcement of the Linux project, and was included in many early distributions, and continues to be included in many current
Linux distributions.
In the past, it was necessary to have different commands to change passwords in different authentication schemes. For example, the command to change a NIS password was
yppasswd. This required users to be aware of the different methods to change passwords for different systems, and also resulted in wasteful duplication of code in the various programs that performed the same functions with different
back ends. In most implementations, there is now a single passwd command, and the control of where the password is actually changed is handled transparently to the user via
pluggable authentication modules (PAMs). For example, the type of hash used is dictated by the configuration of the
pam_unix.somodule. By default, the
MD5 hash has been used, while current modules are also capable of stronger hashes such as
blowfish,
SHA256 and
SHA512.
原址:https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Introduction_To_System_Administration/s3-acctsgrps-shadow.html
6.3.2.2. /etc/shadow
Because the /etc/passwdfile must be world-readable (the main reason being that this file is used to perform the translation from UID to username), there is a risk involved in storing everyone's password in
/etc/passwd. True, the passwords are encrypted. However, it is possible to perform attacks against passwords if the encrypted password is available.
If a copy of
/etc/passwdcan be obtained by an attacker, an attack that can be carried out in secret becomes possible. Instead of risking detection by having to attempt an actual login with every potential password
generated by password-cracker, an attacker can use a password cracker in the following manner:
A password-cracker generates potential passwords
Each potential password is then encrypted using the same algorithm as the system
The encrypted potential password is then compared against the encrypted passwords in
/etc/passwd
The most dangerous aspect of this attack is that it can take place on a system far-removed from your organization. Because of this, the attacker can use the highest-performance hardware available, making it possible to go through massive numbers
of passwords very quickly.
Therefore, the
/etc/shadowfile is readable only by the root user and contains password (and optional password aging information) for each user. As in the
/etc/passwdfile, each user's information is on a separate line. Each of these lines is a colon delimited list including the following information:
Username — The name the user types when logging into the system. This allows the
login application to retrieve the user's password (and related information).
Encrypted password — The 13 to 24 character password. The password is encrypted using either the
crypt(3)library function or the md5 hash algorithm. In this field, values other than a validly-formatted encrypted or hashed password are used to control user logins and to show the password status. For example, if the value is
!or
*, the account is locked and the user is not allowed to log in. If the value is
!!a password has never been set before (and the user, not having set a password, will not be able to log in).
Date password last changed — The number of days since January 1, 1970 (also called the
epoch) that the password was last changed. This information is used in conjunction with the password aging fields that follow.
Number of days before password can be changed — The minimum number of days that must pass before the password can be changed.
Number of days before a password change is required — The number of days that must pass before the password must be changed.
Number of days warning before password change — The number of days before password expiration during which the user is warned of the impending expiration.
Number of days before the account is disabled — The number of days after a password expires before the account will be disabled.
Date since the account has been disabled — The date (stored as the number of days since the epoch) since the user account has been disabled.
A reserved field — A field that is ignored in Red Hat Enterprise Linux.
Here is an example line from
/etc/shadow:
juan:$1$.QKDPc5E$SWlkjRWexrXYgc98F.:12825:0:90:5:30:13096:
This line shows the following information for user
juan:
The password was last changed February 11, 2005
There is no minimum amount of time required before the password can be changed
The password must be changed every 90 days
The user will get a warning five days before the password must be changed
The account will be disabled 30 days after the password expires if no login attempt is made
The account will expire on November 9,2005
For more information on the
/etc/shadowfile, see the
shadow(5)man page.
还有一个参考网址:http://linux.die.net/man/5/shadow
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Linux /etc/passwd和shadow文件详解
- Linux下/etc/passwd和/etc/shadow文件详解
- linux /etc/shadow文件详解
- 转:Linux下/etc/shadow文件全面详解
- linux 系统中 /etc/passwd 和 /etc/shadow文件详解
- linux etc下 passwd 、shadow和group文件详解
- linux 系统中 /etc/passwd 和 /etc/shadow文件详解
- linux中 /etc/group文件详解
- Linux下passwd和shadow文件内容详解
- Linux下/etc/fstab文件详解
- linux /etc下的配置文件详解--Linux用户配置文件
- linux 里 /etc/passwd 、/etc/shadow和/etc/group 文件内容解释
- 每天一个linux命令: /etc/group文件详解
- linux根文件系统 /etc/shadow文件详解
- Linux-自动挂载文件/etc/fstab功能详解
- linux 里 /etc/passwd 、/etc/shadow和/etc/group 文件内容解释
- linux中的/etc/shadow文件简介
- /etc/shadow文件各段意义详解 上次更改密码期限计算
- 每天一个linux命令(31): /etc/group文件详解
- Linux /etc/profile文件详解