Account management is a very important part of an administrator's work. Since you manage the whole system, every ordinary user's account request has to go through you. So you need to know how to manage the accounts on a server host! To manage the accounts on a Linux host, we must first understand how Linux adds and deletes each user!
One, User identifiers: UID and GID
Although we log in to a Linux host by entering our account name, the host does not actually recognize that name directly; it only knows a numeric ID (an ID is just a number). Just as the computer only knows 0 and 1, the account name exists only to make things easier for people to remember.
The correspondence between your ID and your account name is recorded in the /etc/passwd file.
Each user who logs in gets at least two IDs: a user ID (UID) and a group ID (GID). So how does a file know its own owner and group? It uses the UID and GID. Every file carries a so-called owner ID and group ID, and when file attributes need to be displayed, the system looks up the account name and group name corresponding to those IDs in /etc/passwd and /etc/group and shows them! You can try a small experiment: as root, open /etc/passwd with vi and change the UID of your ordinary user account to some other number, then list that user's home folder with ll.
Look at the files originally owned by that account: you will find that their owner is now shown as a number!
Example:
# 1. First check whether there is a user named dmtsai on the system:
[root@www ~]# grep 'dmtsai' /etc/passwd
dmtsai:x:503:504::/home/dmtsai:/bin/bash
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 dmtsai dmtsai 4096 Feb  6 18:25 /home/dmtsai
# Look: the owner field shows dmtsai!
# 2. Now change dmtsai's UID from 503 to 2000 and look again:
[root@www ~]# vi /etc/passwd
.... (earlier lines omitted) ....
dmtsai:x:2000:504::/home/dmtsai:/bin/bash   <== change this field from 503 to 2000
[root@www ~]# ll -d /home/dmtsai
drwx------ 4 503 dmtsai 4096 Feb  6 18:25 /home/dmtsai
# Because of the change we just made, 503 no longer corresponds to any account, so the number is displayed!
# 3. Change it back to 503!
[root@www ~]# vi /etc/passwd
.... (earlier lines omitted) ....
dmtsai:x:503:504::/home/dmtsai:/bin/bash
What you must understand is that the example above only illustrates the correspondence between a UID and an account name. On a Linux host in normal operation, this action must not be done casually. A lot of data has already been built on the system, and changing the UID of an account is likely to cause some programs to fail to run, so the system will no longer work smoothly, because permissions depend on the UID.
Two, User accounts
What happens when a user on a Linux system wants to log on to the host and get a shell environment to work in? First, they must use the login interface provided by the tty1~tty7 terminals at the computer and enter an account name and password before they can log in. If the login is over the network, the user will at least have to learn the SSH function. So when you enter the account name and password, what does the system do for you?
1. It looks for the account you entered in /etc/passwd. If it is not there, login is refused; if it is, the account's UID and GID (from /etc/group) are read out, together with the account's home folder and shell settings;
2. Next it checks the password table: Linux goes into /etc/shadow to find the entry for that account and UID, and then checks whether the password you just entered matches the one recorded there;
3. If everything is OK, you enter the shell control stage!
So let's introduce /etc/passwd and /etc/shadow.
Three, /etc/passwd file structure
The structure of this file is simple: each line represents one account, so if there are several lines there are several accounts on your system. It is important to note that many of the accounts in it are necessary for the system to function properly. We can simply call them system accounts, such as bin, daemon, adm, nobody and so on; please do not delete these accounts arbitrarily!
The contents of this file look something like this:
[root@www ~]# head -n 4 /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
Let's look at the first line, which every Linux system has: root, the system administrator's line. You can clearly see that each line is separated with ':' into seven fields in total. Each is:
1. Account name:
This is the account name, which corresponds to the UID. For example, root corresponds to UID 0 (the third field);
2. Password:
Early Unix systems placed the password in this field! But because every program can read this file, password data was far too easy to steal, so the password data in this field was later moved to /etc/shadow. So here you see only a placeholder (the x in the listing above)!
3. UID:
This is the user identifier! Linux has several conventions for the UID that you need to know:
UID range / Meaning of the ID
0 (system administrator)
    When the UID is 0, this account is the system administrator! So if you want another account name to also have root permissions, change that account's UID to 0. This means the administrator of a system is not necessarily only root! It is just that having multiple accounts with a UID of 0 is not recommended.
1~499 (system accounts)
    IDs reserved for the system. In fact, apart from 0, the permissions and features of the other UIDs are no different from one another. By default, numbers below 500 are simply handed to the system as reserved accounts, out of habit. Because the services started on the system should run with smaller permissions, and we do not want to use root's identity to run these services, we have to provide these running programs with an owner account. These system accounts generally cannot be logged into, which is why the special shell /sbin/nologin exists.
    By their origin, system accounts are roughly divided into two types:
    1~99: system accounts set up by the distribution itself;
    100~499: UIDs that users can use when they need system accounts of their own.
500~65535 (login accounts)
    For ordinary users. In fact, the current Linux kernel (version 2.6.x) already supports UIDs up to 4294967295 (2^32-1).
4. GID:
This is related to /etc/group. In fact /etc/group is almost the same as /etc/passwd, except that it is used to define the correspondence between group names and GIDs!
5. User information:
This field basically has no important use; it is only there to explain the meaning of this account! However, if you provide users with the finger feature, this field can supply a lot of information! The chfn command later in this chapter explains what goes here.
6. Home folder:
This is the user's home folder. In the example above, root's home folder is /root, so when root logs in it is placed in the /root folder immediately.
7. Shell:
When a user logs into the system, a shell is started to communicate with the kernel so that the user can carry out their tasks. So why is bash the default shell? Because it is specified in this field! It is especially important to note here that there is a shell that can be used in place of the login action to prevent an account from getting a shell environment: that is /sbin/nologin!
This can also be used to create accounts that are purely for POP mail!
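As an added example (not the tutorial's own code), the Python below does what the listings above show by hand: it parses /etc/passwd lines into the seven fields, resolves a file's owner UID to a name the way ls does (falling back to the bare number when no entry matches, as happened with 503 after the UID was edited), and classifies a UID by the ranges listed above. The sample lines are constructed from the listings on this page.

```python
# Constructed /etc/passwd sample: the tutorial's head -n 4 listing plus the dmtsai account.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
dmtsai:x:503:504::/home/dmtsai:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split every line into the seven colon-separated passwd fields."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed passwd line: %r" % line)
        rec = dict(zip(FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        accounts.append(rec)
    return accounts

def owner_name(uid, accounts):
    """What ls prints in the owner column: the account name for this UID, or the
    bare number when no passwd entry matches (the 503 shown after the UID was edited)."""
    for rec in accounts:
        if rec["uid"] == uid:
            return rec["name"]
    return str(uid)

def uid_class(uid):
    """Classify a UID with the ranges listed in the tutorial."""
    if uid == 0:
        return "system administrator"
    if uid < 100:
        return "system account (distribution)"
    if uid < 500:
        return "system account (local)"
    return "login account"

if __name__ == "__main__":
    accts = parse_passwd(PASSWD_SAMPLE)
    print(owner_name(503, accts), uid_class(503))          # dmtsai, login account
    # repeat the tutorial's experiment: give dmtsai UID 2000, then look up 503 again
    edited = parse_passwd(PASSWD_SAMPLE.replace("dmtsai:x:503:", "dmtsai:x:2000:"))
    print(owner_name(503, edited))   # prints 503, just as ll -d /home/dmtsai showed
```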
Four, /etc/shadow file structure
We know that the operation of many programs is related to permissions, and permissions are related to the UID/GID! Therefore every program needs to read /etc/passwd to understand an account's permissions.
So the permissions of /etc/passwd have to be set to -rw-r--r--. Although early passwords were already encrypted, they were placed in the second field of /etc/passwd! That made them very easy to steal, and the encrypted value could also be recovered by brute-force trial and error. Because of this, a technique was later developed to separate the passwords out and store them in the /etc/shadow file, and /etc/shadow also adds many password restrictions! Here, let's take a look at the structure of this file!
/etc/shadow looks something like this:
[root@www ~]# head -n 4 /etc/shadow
root:$1$/30qpe5e$y9n/d0bh6raacbez.hqo00:14126:0:99999:7:::   <== this line is used in the explanation below
bin:*:14126:0:99999:7:::
daemon:*:14126:0:99999:7:::
adm:*:14126:0:99999:7:::
Basically, shadow also uses ':' as the delimiter. There are nine fields in total, and their purposes are as follows:
1. Account name:
Because a password must correspond to an account, the first column of this file is the account name, and it must be the same as in /etc/passwd!
2. Password:
The data in this field is the real password, stored in encoded (encrypted) form!
3. Date of the most recent password change:
This field records the day on which the password was last changed. It is just that the date is stored as a count of days, with January 1, 1970 counted as 1, so January 1, 1971 is 366! The 14126 above refers to the day 2008-09-04. The chage command can help you find out this date! If you want to know the cumulative day number for a particular date, you can use a calculation such as the following:
[root@www ~]# echo $(($(date --date="2008/09/04" +%s)/86400+1))
14126
4. Number of days during which the password cannot be changed (relative to the 3rd field):
The fourth field records how many days must pass after the most recent change before this account's password can be changed again! If it is 0, the password can be changed at any time. This restriction is designed for fear that someone will change the password again and again; for example, if it is set to 20 days, you will not be able to change the password within 20 days of setting it.
5. Number of days after which the password must be changed again (relative to the 3rd field)
6. Number of days of warning before the password change deadline (relative to the 5th field)
7. Grace period of the account after the password expires (password invalidation date) (relative to the 5th field):
The password's expiry date is the 'update date (3rd field)' plus the 'change-again interval (5th field)'; if the user still has not updated the password after that date, the password is considered expired.
Although the password has expired, the account can still be used for other work, including logging into the system to get bash. It is just that if the password has expired, when you log into the system you will be forced to set the password again before you can continue; this is the password expiration feature. This field sets how many days of grace the account gets after expiry: during those days the old password still logs in (with the forced change), and after them the password can no longer be used at all.
8. Account expiration date:
This date is stored like the third field, as a total number of days counted from 1970. It indicates that after the date specified in this field, the account can no longer be used; this is the so-called 'account expiry'. At that point, regardless of whether your password has expired, this account can no longer be used! This field is usually used in 'fee-for-service' systems, where you can set a date after which the account can no longer be used!
9. Reserved:
The last field is reserved in case new features are added later.
Example:
Suppose my user dmtsai's line in the password file looks like this:
dmtsai:$1$vyuuj.ex$omt6lkjvmcizhx4h7ri1v.:14299:5:60:7:5:14419:
First note that 14299 is 2009/02/24. So the password-related facts about the user dmtsai are:
- Because password hashing is essentially one-way (the plaintext becomes the hash, but the hash cannot be turned back into the plaintext), we have no way of knowing dmtsai's actual plaintext password from the data above.
- The most recent change to this account's password was 2009/02/24 (14299).
- The password can only be changed 5 days later, that is, from 2009/03/01; before then dmtsai cannot change the password. If the user tries to change the password anyway, the system shows this message:
  You must wait longer to change your password
  passwd: Authentication token manipulation error
  The returned message tells us that you will have to wait longer before you can change the password!
- The password expiry is set to 60 days, so the cumulative day count is 14299+60=14359, which works out to 2009/04/25. This means the user must change the password between 2009/03/01 and 2009/04/25, within the 60-day limit. If the password is not changed by 2009/04/25, the password is declared expired!
- The warning period is set to 7 days, that is, the 7 days before the password expires, in this case 2009/04/19 ~ 2009/04/25. If the user has not changed the password, then whenever dmtsai logs into the system during these 7 days, a message like the following appears:
  Warning: your password will expire in 5 days
- If the password still has not been changed by 2009/04/25, the password expires. However, there is a 5-day grace period, so dmtsai can still use the old password to log in to the host until 2009/04/30. It is just that logging in will force a password change, and the screen looks something like this:
  You are required to change your password immediately (password aged)
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user dmtsai.
  Changing password for dmtsai
  (current) UNIX password:
  You will need to enter the old password and the new password twice before you can start using the system's resources. If you try to log in as dmtsai after 2009/04/30, you will get an error message like the following and cannot log into the system, because at this point your password has become invalid:
  Your account has expired; please contact your system administrator
- If the user changes the password on 2009/04/25, the 3rd field changes from 14299 accordingly, and therefore all the subsequent dates shift relative to it!
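As an added example (not the tutorial's code) that serves both the nine field descriptions above and the dmtsai walkthrough, the Python below parses a /etc/shadow record and derives every date the walkthrough works out by hand, converting day counts with a timezone-independent equivalent of the date/86400 trick. The sample records are constructed from the listings on this page, and the warning window is counted inclusively, as the walkthrough does.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date

def days_to_date(days):
    """Shadow day count -> calendar date (14126 -> 2008-09-04)."""
    return EPOCH + timedelta(days=int(days))

def date_to_days(d):
    """Inverse; timezone-independent form of the tutorial's $(date +%s)/86400 trick."""
    return (d - EPOCH).days

def parse_shadow_line(line):
    """Split one /etc/shadow record into its nine fields and derive the dates the
    tutorial computes by hand. Empty optional fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d: %r" % (len(fields), line))
    name, pw, last, mn, mx, warn, inact, expire, _reserved = fields
    opt = lambda s: int(s) if s else None
    last_change = days_to_date(last)
    info = {
        "name": name,
        # '*', '!' or '!!' instead of a hash: no password can match, like bin/daemon/adm
        "locked": pw.startswith(("*", "!")),
        "hash_algo": pw.split("$")[1] if pw.startswith("$") else None,  # '1' = MD5 crypt
        "last_change": last_change,
        "min_days": opt(mn), "max_days": opt(mx), "warn_days": opt(warn),
        "inactive_days": opt(inact),
        "account_expires": days_to_date(expire) if expire else None,
    }
    info["can_change_from"] = last_change + timedelta(days=info["min_days"] or 0)  # field 4
    if info["max_days"] is not None:
        expires = last_change + timedelta(days=info["max_days"])      # field 5
        info["password_expires"] = expires
        # warning window counted inclusively, as in the tutorial (7 days: 04/19..04/25)
        info["warn_from"] = expires - timedelta(days=(info["warn_days"] or 1) - 1)
        # last day the old password still logs in; after it the password is invalid (field 7)
        info["grace_until"] = expires + timedelta(days=info["inactive_days"] or 0)
    return info

# Constructed sample records copied from the tutorial's listings.
SHADOW_SAMPLE = """root:$1$/30qpe5e$y9n/d0bh6raacbez.hqo00:14126:0:99999:7:::
bin:*:14126:0:99999:7:::
dmtsai:$1$vyuuj.ex$omt6lkjvmcizhx4h7ri1v.:14299:5:60:7:5:14419:"""

if __name__ == "__main__":
    for rec in SHADOW_SAMPLE.splitlines():
        print(parse_shadow_line(rec))
```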
Copyright notice: this article is the blogger's original work and may not be reproduced without consent.
User Profiles (passwd/shadow)