Linux operating system password file security issues: a detailed analysis

Source: Internet
Author: User
Almost all Unix-like operating systems use the same format for their password files, and Linux is no exception. Password security is one of the classic security problems of the Linux operating system.

Traditional Password and shadow password

/etc/passwd is the password file that holds each user's basic account information. Each line of the file describes one account and contains 7 fields separated by 6 colons:

Username:passwd:uid:gid:comments:directory:shell

The 7 fields, from left to right, are:

Username: the name the user logs in with.

passwd: the password field. Historically it held the password hash itself (the article calls this the "ciphertext"). On a system with shadow passwords the field contains only an x, meaning the hash has been moved to /etc/shadow; passwords should always be shadowed. A field containing * (or starting with !) means the account exists but password authentication is disabled; note that this only disables the password and does not by itself stop methods that never consult it, such as SSH public-key login. An empty field means no password is required to log in (whether such a login actually succeeds depends on the PAM configuration, for example the nullok option of pam_unix, but an empty field should be treated as a finding regardless).

UID: the number the system uses to identify the user. Privileges follow the UID, not the name: any account with UID 0 is the superuser whatever it is called, so a second UID-0 account is a classic backdoor and worth checking for. UIDs are conventionally assigned as follows:

0 superuser

1~10 daemons and pseudo-users

11~99 reserved for the system

100~ normal users

These are the ranges of the Red Hat release the article describes. Current distributions reserve 1~999 for system accounts and start normal users at 1000; the boundaries are set by UID_MIN and SYS_UID_MAX in /etc/login.defs.

GID: the number of the user's default (primary) group, as defined in /etc/group.

Comments: a free-text description of the user (the GECOS field).

Directory: the user's home directory, which becomes the working directory after login.

Shell: the program started for the user after login. A non-interactive entry such as /sbin/nologin refuses interactive logins for that account.

Table 1 lists the standard users the system creates during installation; its contents match the /etc/passwd file.

Table 2 lists the standard user groups created during installation; its contents match the /etc/group file.

Linux does not encrypt passwords; it hashes them with a one-way function. The traditional crypt(3) used a DES-based scheme that produces a 13-character string whose first two characters are the salt; later systems use MD5 ($1$...), SHA-256 ($5$...), SHA-512 ($6$...) or yescrypt ($y$...). Because the function is one-way, the plaintext cannot be recovered from the hash directly. The problem is that /etc/passwd is world-readable and the algorithm is public: anyone who obtains the file can run candidate passwords (a dictionary first, then brute force) through the same function with the same salt and compare the results until one matches, and at that point the password is cracked. To counter this, Linux and Unix systems widely adopted the shadow password mechanism: the hashes are moved to /etc/shadow, which is readable only by root (on some distributions also by the shadow group), and the password field in /etc/passwd shows only an x. /etc/passwd itself must stay world-readable because ordinary programs such as ls need it to map UIDs to names; shadowing removes the hashes from it and so minimizes the chance of their disclosure. A hash that does leak (from a backup, or after a root compromise) can still be attacked offline, which is why a slow salted scheme such as SHA-512 or yescrypt and a strong password still matter.

Each line of /etc/shadow has 9 fields separated by 8 colons, in the following format:

Username:passwd:lastchg:min:max:warn:inactive:expire:flag

where:

Username: the login name, matching the entry in /etc/passwd.

passwd: the password hash in crypt(3) format ($id$salt$hash for the modern schemes, 13 characters for traditional DES). A * or a leading ! means the password is locked; an empty field means no password is required.

lastchg: the number of days since January 1, 1970 on which the password was last changed. A value of 0 forces the user to change the password at the next login.

min: the minimum number of days that must pass between two password changes.

max: the maximum number of days the password remains valid; 99999 effectively means it never expires.

warn: the number of days before expiry on which the user is warned to change the password.

inactive: the number of days after the password has expired during which it is still accepted; once this period has also passed, the account is disabled.

expire: the date, as days since January 1, 1970, after which the account can no longer be used regardless of the password state. An empty field means the account never expires.

flag: reserved for future use; currently unused.
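The following Python script is an added example, not code from the original article: it parses constructed /etc/passwd and /etc/shadow content with the field layouts described above and reports the conditions the text warns about (a second UID-0 account, an empty password field, a hash left in the world-readable file, a weak DES or MD5 hash, and an expired password computed from lastchg and max). The sample lines and hash values are placeholders constructed for the example, not real hashes.

```python
# Audit of /etc/passwd and /etc/shadow content for the weaknesses described
# above. Added example, not code from the original article; the sample lines
# and hash values below are constructed placeholders, not real hashes.
import string

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "flag")
DES_CHARS = set(string.ascii_letters + string.digits + "./")
CRYPT_PREFIXES = {"$1$": "md5", "$2": "bcrypt", "$5$": "sha256",
                  "$6$": "sha512", "$y$": "yescrypt"}

# Constructed sample files: a second UID-0 account, an account without a
# password, an old DES hash left in the world-readable file, and an MD5 hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:guest:/home/guest:/bin/bash
legacy:AbCdEfGhIjKlM:1002:100:unshadowed DES hash:/home/legacy:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor:$6$saltsalt$placeholderhash:19000:0:99999:7:::
alice:$1$salt$placeholderhash:17000:0:90:7:::
"""


def parse_colon_file(text, fields):
    """Split each non-empty line into a dict keyed by field name. A line with
    the wrong number of fields is an error, as it is for pwck."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(parts)}")
        records.append(dict(zip(fields, parts)))
    return records


def hash_algorithm(field):
    """Classify a password field: the crypt(3) scheme of the hash, or the
    special values x (shadowed), empty (no password) and */! (locked)."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt: 13 characters from [./0-9A-Za-z], salt first.
    if len(field) == 13 and all(c in DES_CHARS for c in field):
        return "des"
    return "unknown"


def days_since_epoch(year, month, day):
    """Convert a calendar date to the day count used by lastchg and expire."""
    from datetime import date
    return (date(year, month, day) - date(1970, 1, 1)).days


def audit(passwd_text, shadow_text, today_days):
    """Return (user, finding) pairs in file order."""
    findings = []
    shadow = {r["name"]: r for r in parse_colon_file(shadow_text, SHADOW_FIELDS)}
    for u in parse_colon_file(passwd_text, PASSWD_FIELDS):
        name, algo = u["name"], hash_algorithm(u["passwd"])
        # Privilege comes from UID 0, not from the name "root".
        if int(u["uid"]) == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if algo == "empty":
            findings.append((name, "empty password field in /etc/passwd"))
        elif algo not in ("shadowed", "locked"):
            findings.append((name, f"{algo} hash stored in world-readable /etc/passwd"))
        entry = shadow.get(name)
        if entry is None:
            if algo == "shadowed":
                findings.append((name, "x in /etc/passwd but no /etc/shadow entry"))
            continue
        salgo = hash_algorithm(entry["passwd"])
        if salgo == "empty":
            findings.append((name, "empty password field in /etc/shadow"))
        elif salgo in ("des", "md5"):
            findings.append((name, f"weak {salgo} hash in /etc/shadow"))
        # Aging: lastchg + max is the day the password expires; 99999 or an
        # empty max means it never expires.
        if salgo not in ("empty", "locked", "shadowed") and entry["max"] not in ("", "99999"):
            expires = int(entry["lastchg"]) + int(entry["max"])
            if expires < today_days:
                findings.append((name, f"password expired on day {expires}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, days_since_epoch(2023, 5, 24)):
        print(f"{user}: {finding}")
```

To run it against a real system, read the two files as root and pass the current day count from days_since_epoch; the parser raises on a malformed line rather than skipping it, which is the same stance pwck takes.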

Enable Shadow Password

Red Hat Linux enables shadow passwords by default. If your system's /etc/passwd still shows password hashes in the second field, shadowing is not enabled; run pwconv as root to enable it, and run pwck afterwards to verify that the two files are consistent.

In Red Hat Linux 7.1 the shadow toolkit (shadow-utils) contains several tools that support the following:

Conversion between traditional and shadow passwords: pwconv, pwunconv (and grpconv, grpunconv for the group file).

Verification of the password and group files against their shadow files: pwck, grpck.

Adding, deleting and modifying user accounts in the standard way: useradd, usermod, userdel.

Adding, deleting and modifying user groups in the standard way: groupadd, groupmod, groupdel.

Management of the /etc/group file in the standard way.

These tools work correctly whether or not the shadow mechanism is enabled on the system.
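To make the conversion step concrete, here is an added Python simulation of what pwconv does to the two files, following the rules in pwconv(8); it is not the shadow-utils source and the sample lines and hashes are constructed placeholders. It shows the three cases a practitioner should expect: a hash still in /etc/passwd is moved into a new shadow entry with aging fields taken from the PASS_* defaults (the values a real pwconv reads from /etc/login.defs), an existing shadow entry is kept, and a shadow entry for a user who no longer exists in /etc/passwd is dropped.

```python
# Simulation of pwconv: move hashes from /etc/passwd into /etc/shadow.
# Added example, not the shadow-utils source; sample lines and hash values are
# constructed placeholders.
SHADOW_FIELD_COUNT = 9
PASSWD_FIELD_COUNT = 7

SAMPLE_PASSWD = """\
root:$6$salt$placeholderhash:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
bob:x:1001:1001:bob:/home/bob:/bin/bash
"""
# alice already has a shadow entry (kept, including her aging fields);
# ghost no longer exists in passwd, so its shadow entry is dropped.
SAMPLE_SHADOW = """\
alice:$6$salt$alicehash:19000:0:99999:7:::
ghost:$6$salt$ghosthash:18000:0:99999:7:::
"""


def pwconv(passwd_text, shadow_text, today_days,
           pass_min_days=0, pass_max_days=99999, pass_warn_age=7):
    """Return (passwd_lines, shadow_lines) after conversion.

    Every passwd user gets a shadow entry. A hash still sitting in passwd is
    moved over and the aging fields are set from the PASS_* defaults (real
    pwconv reads them from /etc/login.defs). An existing shadow entry is kept,
    its hash replaced only if passwd still carries one. Shadow entries for
    users absent from passwd are removed. The passwd field becomes x.
    """
    existing = {}
    for line in shadow_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELD_COUNT:
            raise ValueError(f"bad shadow line: {line!r}")
        existing[fields[0]] = fields

    new_passwd, new_shadow = [], []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELD_COUNT:
            raise ValueError(f"bad passwd line: {line!r}")
        name, pw = fields[0], fields[1]
        if name in existing:
            entry = existing[name]
            if pw != "x":
                entry[1] = pw
        else:
            # A user with x in passwd but no shadow entry ends up with x as
            # the stored hash: no password can match it until one is set.
            entry = [name, pw, str(today_days), str(pass_min_days),
                     str(pass_max_days), str(pass_warn_age), "", "", ""]
        new_shadow.append(":".join(entry))
        fields[1] = "x"
        new_passwd.append(":".join(fields))
    return new_passwd, new_shadow


if __name__ == "__main__":
    passwd_lines, shadow_lines = pwconv(SAMPLE_PASSWD, SAMPLE_SHADOW, 19500, pass_max_days=90)
    print("\n".join(passwd_lines))
    print("--")
    print("\n".join(shadow_lines))
```

The bob case is the one that surprises people after a conversion: his passwd entry had an x but no shadow entry existed, so the resulting shadow line carries x as the hash and he cannot authenticate with a password until root sets one with passwd.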

Change the minimum length of a Linux password

The default minimum password length on this system is 5 characters, which is not enough to ensure robust passwords; it should be raised to at least 8 characters. Edit /etc/login.defs and change the line

PASS_MIN_LEN 5

to

PASS_MIN_LEN 8

On current PAM-based systems the passwd command does not consult PASS_MIN_LEN in login.defs; the minimum length is enforced by the PAM password stack instead (the minlen option of pam_pwquality, or pam_cracklib on older systems), so the limit must be set there as well.
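The change above is usually made with an editor or sed; the following Python function is an added example, not from the original article, that makes the same edit idempotently and handles the cases a one-shot sed gets wrong: the key may already be active, it may be present only as a commented-out "#PASS_MIN_LEN 5" line (which should be re-activated rather than duplicated), it may be entirely absent (append it), and a comment that merely mentions the key in a sentence must not be touched. SAMPLE_LOGIN_DEFS is a constructed fragment, not the real file.

```python
# Idempotent editing of /etc/login.defs settings. Added example, not from the
# original article; SAMPLE_LOGIN_DEFS is a constructed fragment of the file.
import re

SAMPLE_LOGIN_DEFS = """\
# Password aging controls:
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
# PASS_MIN_LEN is ignored on PAM systems; see pam_pwquality
#PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""


def get_login_def(text, key):
    """Value of an active KEY line, or None if it is absent or commented out."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]+(\S+)[ \t]*$", text, re.M)
    return m.group(1) if m else None


def set_login_def(text, key, value):
    """Return the file text with KEY set to VALUE.

    An active line is replaced in place; otherwise a commented-out
    "#KEY value" line is re-activated; otherwise the setting is appended.
    A comment that only mentions the key inside a sentence is left alone,
    and running the function twice yields the same text.
    """
    new_line = f"{key}\t{value}"
    active = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]+\S+[ \t]*$", re.M)
    commented = re.compile(rf"^[ \t]*#[ \t]*{re.escape(key)}[ \t]+\S+[ \t]*$", re.M)
    for pattern in (active, commented):
        if pattern.search(text):
            # A lambda replacement keeps "$" or "\" in VALUE literal.
            return pattern.sub(lambda _m: new_line, text, count=1)
    return text.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    updated = set_login_def(SAMPLE_LOGIN_DEFS, "PASS_MIN_LEN", 8)
    print(updated)
    print("PASS_MIN_LEN is now", get_login_def(updated, "PASS_MIN_LEN"))
```

On a real system, write the result back to /etc/login.defs as root and keep a copy of the original; the same function serves for PASS_MAX_DAYS and PASS_WARN_AGE, which control the max and warn fields that useradd writes into new /etc/shadow entries.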

Table 1

User       UID   GID   Directory              Shell
root       0     0     /root                  /bin/bash
bin        1     1     /bin
daemon     2     2     /sbin
adm        3     4     /var/adm
lp         4     7     /var/spool/lpd
sync       5     0     /sbin                  /bin/sync
shutdown   6     0     /sbin                  /sbin/shutdown
halt       7     0     /sbin                  /sbin/halt
mail       8     12    /var/spool/mail
news       9     13    /var/spool/news
uucp             14    /var/spool/uucp
operator         0     /root
games            100   /usr/games
gopher           30    /usr/lib/gopher-data
ftp              50    /home/ftp
nobody     99    99    /

Table 2

Group     GID   Members
root      0     root
bin       1     root,bin,daemon
daemon    2     root,bin,daemon
sys       3     root,bin,adm
adm       4     root,adm,daemon
tty       5
disk      6     root
lp        7     daemon,lp
mem       8
kmem      9
wheel           root
mail      12    mail
news      13
uucp      14    uucp
man       15
games     20
gopher    30
dip       40
ftp       50
nobody    99
users     100
floppy    19
