Generating a password for the /etc/shadow file

Source: Internet
Author: User
Tags: crypt


The overall layout of the shadow file is not covered here; this post deals only with its second column, the password column.

Normally, passwd can be used to set a user's password directly. In some cases, however, the password has to be specified in advance for a user that does not exist yet, and it has to be supplied in its encrypted (hashed) form, for example for the rootpw command in a kickstart file or for the password given to ansible when it creates a user. In those cases you have to generate a valid password hash by hand.


First, the format of the second column of the shadow file. It holds the encrypted (hashed) password, and a few special values carry special meanings:

  • ① The column is empty, i.e. the line reads "user::...", which means the user has no password.
  • ② The column is "!", i.e. ":!:", which means the user is locked and cannot log in with a password. Other login methods may still be unrestricted, such as ssh public key authentication and su.
  • ③ The column is "*", i.e. ":*:", which also means the user is locked; the effect is the same as "!".
  • ④ The column contains "!" or "!!" in front of other content; this also means the user is locked.
  • ⑤ The column is "!!", i.e. ":!!:", which means the user has never had a password set.
  • ⑥ If the column has the form "$id$salt$hashed", the password is a normal one. "$id$" identifies the hashing algorithm: "$1$" is MD5, "$2a$" is Blowfish, "$2y$" is Blowfish with a different algorithm length, "$5$" is SHA-256 and "$6$" is SHA-512.

Currently SHA-512 is used almost everywhere, but MD5 and SHA-256 are still supported. "$salt$" is the salt used when hashing, and "hashed" is the actual password hash.
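To make the conventions above concrete, here is an added Python example (not part of the original post) that parses shadow-format lines, classifies each account's password column according to cases ① to ⑥, and lists the accounts a reviewer would want to look at first. The sample entries are constructed: root's hash is the grub-crypt output quoted later in this post, the other hashes are placeholders and the user names are made up; the "$y$" (yescrypt) entry in the id table is not mentioned in the post but is what newer distributions default to.

```python
import re

# Hash ids in the "$id$salt$hashed" form and the algorithm each denotes.
# "$y$" (yescrypt) is an addition: newer distributions default to it,
# although the post above does not list it.
HASH_IDS = {
    "1": "MD5",
    "2a": "Blowfish",
    "2y": "Blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}

# bcrypt and yescrypt embed cost parameters after the id, and SHA-crypt may
# carry "rounds=N", so everything between the first and last '$' is the salt part.
_HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<salt>.*)\$(?P<hash>[^$:]+)$")


def classify_password_field(field):
    """Return (status, algorithm) for the second column of a shadow entry.

    status is 'no-password', 'locked', 'never-set', 'hashed' or 'unknown';
    algorithm is the recognised hash algorithm name, otherwise None.
    """
    if field == "":
        return ("no-password", None)   # case ①: "user::" means no password at all
    if field == "!!":
        return ("never-set", None)     # case ⑤: a password was never set
    if field in ("!", "*"):
        return ("locked", None)        # cases ② and ③: password login disabled
    if field.startswith("!"):
        # case ④: "!" in front of other content means locked. passwd -l and
        # usermod -L prepend "!" to the existing hash so passwd -u can restore it.
        _status, algo = classify_password_field(field.lstrip("!"))
        return ("locked", algo)
    m = _HASH_RE.match(field)
    if m:
        return ("hashed", HASH_IDS.get(m.group("id")))   # case ⑥: normal password
    return ("unknown", None)


def parse_shadow_line(line):
    """Split one /etc/shadow line into a small report dict."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow line must have 9 fields, got %d" % len(fields))
    status, algo = classify_password_field(fields[1])
    return {"user": fields[0], "status": status, "algorithm": algo}


def audit_shadow(text):
    """Parse every non-empty line and return the list of reports."""
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def weak_accounts(text):
    """Users whose password column deserves attention: no password at all,
    or a hash that still uses the weak MD5 ($1$) scheme."""
    return [r["user"] for r in audit_shadow(text)
            if r["status"] == "no-password"
            or (r["status"] == "hashed" and r["algorithm"] == "MD5")]


# Constructed sample: the root hash is the grub-crypt output quoted in the post,
# the other hashes are placeholders and the user names are made up.
SAMPLE_SHADOW = """\
root:$6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQiEWjdmHnF2YPnYzgce1cP/bzDguVnUkMg/N.:17400:0:99999:7:::
bin:*:17400:0:99999:7:::
legacy:$1$abcdefg$PLACEHOLDERHASHxxxxxxx:17400:0:99999:7:::
guest::17400:0:99999:7:::
newuser:!!:17400:0:99999:7:::
parked:!$5$saltsalt$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxx:17400:0:99999:7:::
"""

if __name__ == "__main__":
    for report in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-12s %s" % (report["user"], report["status"], report["algorithm"] or "-"))
    print("needs attention:", weak_accounts(SAMPLE_SHADOW))
```

Running it on a real file means reading /etc/shadow as root; the classifier itself never needs the plaintext, so it can be run on a copy of the file during a review. The "locked" status only says that password login is disabled, which, as noted in case ②, says nothing about ssh keys or su.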

The following examples generate the encrypted form of the plaintext password "123456".

To generate an MD5-algorithm password, use openssl:

openssl passwd -1 '123456'
openssl passwd -1 -salt 'abcdefg' '123456'

After the password is generated, copy it into the second column of the shadow file, replacing the existing value. For example, to replace the root user's password:

shell> field=$(awk -F ':' '/^root/{print $2}' /etc/shadow)
shell> password=$(openssl passwd -1 123456)
shell> sed -i '/^root/s%'$field'%'$password'%' /etc/shadow
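The sed one-liner above pattern-matches the old value, which breaks down when root's column is empty (an empty sed pattern reuses the previous regex, here "^root"), "!!" or "*". The following added Python example (not from the original post) does the same job in a more robust way: it implements the "$1$" MD5-crypt scheme that openssl passwd -1 produces, generates a random salt from the crypt alphabet the way grub-crypt does (using the secrets module rather than reading /dev/urandom byte by byte), and replaces the password column field by field. The sample shadow text and user names are constructed; the known-answer vector in the test is the one from the openssl passwd man page.

```python
import hashlib
import secrets

# Alphabet used for crypt salts and hash output (the same set grub-crypt draws its salt from).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def gen_salt(length=8):
    """Random salt from the crypt alphabet; same idea as grub-crypt's gen_salt, via secrets."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def _to64(value, count):
    """crypt's little-endian base64 variant: emit `count` 6-bit groups of value."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """The $1$ (MD5-crypt) scheme that openssl passwd -1 implements, in pure Python.
    The salt is cut to 8 characters, as openssl does. Output: $1$<salt>$<22 chars>."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:            # mix in alt, up to 16 bytes per 16 bytes of password
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                      # the reference implementation's "something really weird"
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):           # 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt_b.decode("ascii") + "$" + encoded


def set_password_field(shadow_text, user, new_hash):
    """Replace the password column of `user` in shadow-format text, field by field.
    Unlike the sed one-liner, this works when the existing column is empty, '!!' or '*'."""
    out, found = [], False
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) == 9 and fields[0] == user:
            fields[1] = new_hash
            found = True
        out.append(":".join(fields))
    if not found:
        raise KeyError("no entry for user %r" % user)
    return "\n".join(out) + "\n"


# Constructed sample: root's column is "!!" (never set), so a pattern-based sed
# replacement has nothing useful to match; the other entry is a placeholder.
SAMPLE_SHADOW = "root:!!:17400:0:99999:7:::\nbin:*:17400:0:99999:7:::\n"

if __name__ == "__main__":
    new_hash = md5crypt("123456", gen_salt())
    print(set_password_field(SAMPLE_SHADOW, "root", new_hash), end="")
```

On a live system, prefer feeding a pre-computed hash to chpasswd -e or usermod -p over rewriting /etc/shadow in place; both tools take the locking and file format into account. Also note that a plaintext password passed on the command line, as in the openssl and python one-liners, ends up in shell history and is visible in the process list while the command runs.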

The openssl passwd shipped with these CentOS releases does not support generating SHA-256 or SHA-512 passwords (that support arrived with OpenSSL 1.1.1, as the -5 and -6 options). On CentOS 6 you can instead use grub-crypt, the password generation tool provided by grub.

[root@server1 ~]# grub-crypt -h
Usage: grub-crypt [OPTION]...
Encrypt a password.

  -h, --help              Print this message and exit
  -v, --version           Print the version information and exit
  --md5                   Use MD5 to encrypt the password
  --sha-256               Use SHA-256 to encrypt the password
  --sha-512               Use SHA-512 to encrypt the password (default)

Report bugs to <bug-grub@gnu.org>.
EOF
[root@server1 ~]# grub-crypt --sha-512
Password:
Retype password:
$6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQiEWjdmHnF2YPnYzgce1cP/bzDguVnUkMg/N.

grub-crypt is actually a Python script that generates the password interactively. The content of the grub-crypt file is as follows.

[root@server1 ~]# cat /sbin/grub-crypt
#! /usr/bin/python
'''Generate encrypted passwords for GRUB.'''

import crypt
import getopt
import getpass
import sys

def usage():
    '''Output usage message to stderr and exit.'''
    print >> sys.stderr, 'Usage: grub-crypt [OPTION]...'
    print >> sys.stderr, 'Try `$progname --help\' for more information.'
    sys.exit(1)

def gen_salt():
    # Generate a random salt: read /dev/urandom one byte at a time and keep
    # only bytes from the crypt alphabet until 16 characters have been collected.
    '''Generate a random salt.'''
    ret = ''
    with open('/dev/urandom', 'rb') as urandom:
        while True:
            byte = urandom.read(1)
            if byte in ('ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                        'abcdefghijklmnopqrstuvwxyz'
                        './0123456789'):
                ret += byte
                if len(ret) == 16:
                    break
    return ret

def main():
    '''Top level.'''
    crypt_type = '$6$' # SHA-512 by default (the upstream comment says SHA-256, but $6$ is SHA-512)
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'hv',
                                   ('help', 'version', 'md5', 'sha-256',
                                    'sha-512'))
    except getopt.GetoptError, err:
        print >> sys.stderr, str(err)
        usage()
    if args:
        print >> sys.stderr, 'Unexpected argument `%s\'' % (args[0],)
        usage()
    for (opt, _) in opts:
        if opt in ('-h', '--help'):
            print ('''Usage: grub-crypt [OPTION]...
Encrypt a password.

  -h, --help              Print this message and exit
  -v, --version           Print the version information and exit
  --md5                   Use MD5 to encrypt the password
  --sha-256               Use SHA-256 to encrypt the password
  --sha-512               Use SHA-512 to encrypt the password (default)

Report bugs to <bug-grub@gnu.org>.
EOF''')
            sys.exit(0)
        elif opt in ('-v', '--version'):
            print 'grub-crypt (GNU GRUB 0.97)'
            sys.exit(0)
        elif opt == '--md5':
            crypt_type = '$1$'
        elif opt == '--sha-256':
            crypt_type = '$5$'
        elif opt == '--sha-512':
            crypt_type = '$6$'
        else:
            assert False, 'Unhandled option'
    password = getpass.getpass('Password: ')
    password2 = getpass.getpass('Retype password: ')
    if not password:
        print >> sys.stderr, 'Empty password is not permitted.'
        sys.exit(1)
    if password != password2:
        print >> sys.stderr, 'Sorry, passwords do not match.'
        sys.exit(1)
    salt = crypt_type + gen_salt()
    # The "$id$salt" prefix selects the algorithm; crypt() produces the final hash.
    print crypt.crypt(password, salt)

if __name__ == '__main__':
    main()

Unfortunately, CentOS 7 installs grub2 by default, which does not provide grub-crypt. The following Python one-liner does what grub-crypt does, and is also interactive:

python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

If you do not want it to be interactive, change it to the following form:

python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))'

Now it is much more convenient: just assign the result to a variable.

[root@server1 ~]# a=$(python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))')
[root@server1 ~]# echo $a
$6$uKhnBg5A4/jC8KaU$scXof3ZwtYWl/6ckD4GFOpsQa8eDu6RDbHdlFcRLd/2cDv5xYe8hzw5ekYCV5L2gLBBSfZ.Uc166nz6TLchlp.

For example, to have ansible create a user with this password:

a=$(python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))')
# The -a argument must be double-quoted so the shell expands $a; inside single quotes it would be passed literally.
ansible 192.168.100.55 -m user -a "name=longshuai5 password='$a' update_password=always"


Back to series article outline: http://www.cnblogs.com/f-ck-need-u/p/7048359.html

Please indicate the source when reprinting.
