Linux,/etc/passwd,/etc/shadow detailed

Source: Internet
Author: User

Account management: the two most important files are /etc/passwd and /etc/shadow! These two files are among the most important on a Linux system; without them you cannot log in at all. So let's start by explaining them. For the full details, see man 5 passwd and man 5 shadow.

#/etc/passwd
Each line of this file represents one account, so the number of lines is the number of accounts on your system. Be aware that many of these accounts are required by the system itself; we can simply call them system accounts, for example bin, daemon, adm, nobody and so on. The system needs them to operate normally, so do not delete them casually! The contents of the file look something like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

Look at the first line, which every Linux system has: the root line, the system administrator. You can see that each line is split by ':' into seven fields, which are:

1. Account name: the name of the account, which corresponds to the UID. For example, root is the account name of the default system administrator.

2. Password: early Unix systems stored the password in this file, but because every program needs to read this file it is world-readable, and the stored password was easily stolen. The password was therefore later moved out of this field into /etc/shadow, which we will come to shortly. What you see here is an 'x', which means the password has been moved to the shadow file. If this field is empty instead, the account may be able to log in without any password, so watch for that.

3. UID: the user identification code (ID). Linux has a few conventions for the UID that you need to know:

   0: an account whose UID is 0 is the system administrator. So if you want another system administrator account, you can set that account's UID to 0; in other words, a system can have administrators other than root. Having more than one UID 0 account is not recommended, though, and any audit of /etc/passwd should look for them.

   1~499: reserved for the system. In fact, the kernel treats every UID other than 0 the same; reserving the UIDs below 500 for system accounts is only a convention. Its advantage is avoiding collisions: the well-known DNS server named, for example, runs as the named account, whose default UID is 25, and if another account also has UID 25 the two are indistinguishable to the kernel and odd problems follow. In general, 1~99 are reserved for the distribution's preset accounts and 100~499 for services.

   500~65535: ordinary users. The 2.6 kernel already supports UIDs up to 4294967295 (2^32-1). Note that the 500 boundary follows the older Red Hat convention; most current distributions start ordinary users at 1000, as set by UID_MIN in /etc/login.defs.

Do you understand the above? The key point is that UID 0 is root, whatever the account is called, so pay special attention to your /etc/passwd file!

4. GID: this is related to /etc/group! The idea of /etc/group is much the same as /etc/passwd, except that it defines groups. This field is the account's primary group; any further groups the account belongs to are listed in /etc/group.

5. User information field: this field (the GECOS field) has no functional role; it just describes the account. However, if you provide the finger service, this field is what finger reports, and chfn is the command that edits it.

6. Home directory: the user's home directory. In the example above, root's home directory is /root, so when root logs in the shell starts in /root. If an account needs a lot of space and you want to move its home directory to another disk, this is the field to change! The default home directory for users is /home/yourusername.

7. Shell: the shell is the interface that turns the commands a person types into actions on the machine. We usually use /bin/bash to issue commands, and this field is why bash is the default shell when you log in to Linux, as mentioned many times in the bash chapter. Note that there is a 'shell' whose purpose is to refuse logins: /sbin/nologin (/usr/sbin/nologin on Debian-derived systems). It is used for accounts that must exist but must never get an interactive login, including pure POP mail accounts, whose users need a password for mail but no shell access.
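As an added example (not part of the original article), here is a small Python script that parses a passwd-format file and reports the conditions described above: a second UID 0 account, two accounts sharing a UID, a password field that is empty or holds a hash instead of 'x', and a system account with an interactive shell. The SYSTEM_UID_MAX boundary and the sample entries are assumptions constructed for the demo; point audit_passwd_file at /etc/passwd to check a real system.

```python
"""Audit a /etc/passwd-style file for the conditions discussed above.

Added example, not part of the original article. The sample entries are
constructed for the demo; SYSTEM_UID_MAX follows the 500 convention used in
the text and is an assumption (most current distributions use 1000).
"""
from collections import defaultdict

# Assumed boundary between system and ordinary accounts (UID_MIN in login.defs).
SYSTEM_UID_MAX = 499

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Parse passwd text into a list of dicts, one per account (7 colon fields)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return (account, finding) tuples for the conditions the text warns about."""
    findings = []
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    for e in entries:
        name, uid, shell, pw = e["name"], e["uid"], e["shell"], e["passwd"]
        # Any UID 0 account is an administrator, whatever it is called.
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 (administrator) account"))
        # Two accounts sharing a UID are indistinguishable to the kernel.
        if len(by_uid[uid]) > 1:
            others = [n for n in by_uid[uid] if n != name]
            findings.append((name, f"UID {uid} shared with {others}"))
        # The field should be 'x' (hash lives in /etc/shadow): empty means no
        # password may be needed, anything else is a hash every local user can read.
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw != "x":
            findings.append((name, "password hash stored in world-readable /etc/passwd"))
        # System/service accounts should not have an interactive shell.
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with interactive shell {shell}"))
    return findings


def audit_passwd_file(path):
    """Convenience wrapper: audit a real file such as /etc/passwd."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(parse_passwd(fh.read()))


# Constructed sample: the four lines from the text plus four deliberately bad entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
toor:x:0:0:second admin:/root:/bin/bash
named:x:25:25:named:/var/named:/sbin/nologin
backup:x:25:25:backup job:/var/backup:/bin/bash
guest::501:501:guest:/home/guest:/bin/bash
"""

if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {finding}")
```

On the sample the script flags toor (second UID 0), root and toor (shared UID 0), named and backup (shared UID 25), backup (system UID with /bin/bash) and guest (empty password field); bin, daemon and adm pass clean.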

#/etc/shadow
As mentioned above, every program needs to look up UIDs and GIDs to decide permissions, so /etc/passwd must have permissions of -rw-r--r--, readable by everyone. In that case, can a user's password be seen by anyone? Even though the password field in this file is encrypted (hashed), a malicious user could copy the file and brute-force the hashes offline, trial and error, until the password is found...

Because of this, the technique of moving the password into the separate file /etc/shadow was developed, and a number of password-aging parameters were added to /etc/shadow as well. Let's start with the structure of this file. My /etc/shadow looks something like this:

root:$1$i9ejldjfjio389u9sjl$jljsoi45qe/:12959:0:99999:7:::
bin:*:12959:0:99999:7:::
daemon:*:12959:0:99999:7:::
adm:*:12959:0:99999:7:::

Shadow also uses ':' as the separator; if you count, you will find nine fields in all. Their purposes are:

1. Account name: the password has to be matched to an account, so the first field is the account name, and it must be the same as in /etc/passwd.

2. Password: this is the real password, stored in encoded (hashed) form, so you only see letters, digits and a few special symbols. The $1$ prefix in the example identifies the hashing scheme (MD5 crypt); current systems use $6$ (SHA-512 crypt) or $y$ (yescrypt) instead. Although these hashes are hard to reverse, 'hard' is not 'impossible', so the default permissions of this file are -rw------- or -r--------, meaning only root can read and write it (Debian-derived systems use -rw-r----- owned by root:shadow). Be careful not to change the permissions of this file by accident! Also, if the first character of the password field is '*' or '!', the account cannot log in with a password. So if one day one of your users misbehaves, you can put a '!' in front of his password field in this file (passwd -l username does exactly this) and he will no longer be able to use the account, until he behaves and you remove it again (passwd -u username). For retiring an account outright, the account expiration date in field 8 (usermod -e) is the more thorough tool.

3. Date of the most recent password change: this field records the day the password was last changed, but why is it 12959 in my example? Because Linux counts this date as the number of days since January 1, 1970, which is day 0, so January 1, 1971 is day 365 and the count simply accumulates. Pay attention to this! For example, January 1, 2005 is 12784. You can convert such a value with date -d '1970-01-01 +12959 days', or run chage -l username to see all the dates in readable form. A value of 0 in this field has a special meaning: the user must change the password at the next login.

4. Minimum number of days before the password can be changed: the fourth field records how many days after a password change the password may be changed again. If it is 0, the password can be changed at any time. This limit exists to stop users from changing their password and immediately changing it back to the old one. If it is set to 20, then for 20 days after setting the password you cannot change it.

5. Maximum number of days before the password must be changed: because a password stolen by some 'person' could compromise the security of the whole system, this field was designed. You must reset the password within this many days of the last change, otherwise the password expires and you are forced to change it at the next login. A value of 99999, as above, means the password never needs to be changed. For security it is better to set a definite period after which users are strictly required to change the password.

6. Warning period before the password expires: when the deadline from field 5 is approaching, the system uses this field to warn the account at login, 'your password will expire in N days, please change it as soon as possible'. In the example above, the user is warned during the 7 days before the password expires.

7. Password inactivity period: suppose the user still has not changed the password after the warning period, so the password expires, that is, the deadline passed and the password was not changed. Such a password is called an 'expired password'. What then? This field gives a grace period: for this many days after expiry the old password is still accepted at login, and the user is made to change it. If the password is still not changed after these days, the account is locked and login is no longer possible. An empty field disables the inactivity limit.

8. Account expiration date: a date in the same form as field 3, the number of days since 1970-01-01. After the date given here the account can no longer be used, regardless of the state of its password. This field is typically used on systems offering paid or fixed-term services: you specify the date after which the account can no longer be used. Because it applies to the account rather than to the password, it is also the reliable way to disable an account completely.

9. Reserved: the last field is reserved for features that may be added later.

For example, suppose my user dmtsai's line in /etc/shadow looks like this:

dmtsai:$1$8ZDAKDFC$XDA8ESUS2I7NQL7UJRSIY/:13025:5:60:7:2:13125:

What does that mean? Note that 13025 is 2005/08/30, so dmtsai's password settings are:

* The password was last changed on 2005/08/30 (13025);
* The password may be changed again 5 days later, that is, not before 2005/09/04; if the user tries to change it earlier, passwd reports:

You must wait longer to change your password
passwd: Authentication token manipulation error

* The password must be changed within the 60-day limit, between 2005/09/04 and 2005/10/29; if it has not been changed by 2005/10/29, it expires;
* If the user has not yet changed the password, then during the 7 days before 2005/10/29 (from 2005/10/22) the system warns dmtsai to change it; for example, when dmtsai logs in, the system prints:

Warning: your password will expire in 5 days

* If the password is still not changed by 2005/10/29, the 2-day inactivity period lets dmtsai keep logging in (and be prompted to change it) until 2005/10/31, after which the account is locked;
* If the user changes the password before 2005/10/29, the 13025 date is updated, and all the dates above shift accordingly;
* Whatever the user does, on 13125, which is 2005/12/08, the account expires.

With this example, it should be easier to understand!
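As an added example, not from the original article, the following Python code decodes the aging fields of a shadow line into calendar dates using the field semantics described above (day 0 is 1970-01-01, an empty inactivity field disables the limit, 99999 means never expires) and reproduces the dmtsai timeline. The hash-prefix table comes from crypt(5); the sample lines are the two from the text.

```python
"""Decode the aging fields of a /etc/shadow line into calendar dates.

Added example, not part of the original article. Dates are days since
1970-01-01 (day 0), as described in the text; hash identifiers are from crypt(5).
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# $id$ prefixes from crypt(5); $1$ (MD5 crypt) is the one in the examples above.
HASH_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
            "y": "yescrypt", "2b": "bcrypt"}


def days_to_date(days):
    """Shadow dates count days from 1970-01-01 = day 0, so 12784 is 2005-01-01."""
    return EPOCH + timedelta(days=int(days))


def parse_shadow_line(line):
    """Split the nine colon-separated fields; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    name, pw, last, mn, mx, warn, inact, expire, _reserved = f

    def num(s):
        return int(s) if s != "" else None

    return {"name": name, "hash": pw, "last_change": num(last),
            "min_days": num(mn), "max_days": num(mx), "warn_days": num(warn),
            "inactive_days": num(inact), "account_expires": num(expire)}


def describe_password(pw):
    """Classify the password field the way the text describes it."""
    if pw == "":
        return "empty (no password required)"
    if pw[0] in "*!":
        return "locked (password login refused)"
    if pw.startswith("$"):
        hid = pw.split("$")[1]
        return f"hashed with {HASH_IDS.get(hid, 'unknown $' + hid + '$')}"
    return "legacy DES crypt"


def aging_schedule(line):
    """Turn a shadow line into the dates the worked example walks through."""
    e = parse_shadow_line(line)
    lc = e["last_change"]
    s = {"account": e["name"], "password": describe_password(e["hash"])}
    if lc is None:                      # empty field: password aging disabled
        s["note"] = "empty last-change field: aging disabled"
        return s
    if lc == 0:                         # 0: forced change at next login
        s["note"] = "last change 0: must change password at next login"
    s["last_change"] = days_to_date(lc)
    if e["min_days"]:                   # field 4: earliest permitted change
        s["change_allowed_from"] = days_to_date(lc + e["min_days"])
    if e["max_days"] is not None and e["max_days"] < 99999:   # field 5
        exp = lc + e["max_days"]
        s["password_expires"] = days_to_date(exp)
        if e["warn_days"]:              # field 6: warnings start here
            s["warning_from"] = days_to_date(exp - e["warn_days"])
        if e["inactive_days"] is not None:                    # field 7: grace period
            s["login_refused_after"] = days_to_date(exp + e["inactive_days"])
    if e["account_expires"] is not None:                      # field 8
        s["account_expires"] = days_to_date(e["account_expires"])
    return s


# The two lines from the text (the hash values are the page's sample strings).
DMTSAI = "dmtsai:$1$8ZDAKDFC$XDA8ESUS2I7NQL7UJRSIY/:13025:5:60:7:2:13125:"
LOCKED = "bin:*:12959:0:99999:7:::"

if __name__ == "__main__":
    for line in (DMTSAI, LOCKED):
        for key, value in aging_schedule(line).items():
            print(f"{key}: {value}")
```

For the dmtsai line this yields last change 2005-08-30, change allowed from 2005-09-04, warnings from 2005-10-22, password expiry 2005-10-29, login refused after 2005-10-31 and account expiry 2005-12-08, matching the walk-through above; the bin line is reported as locked with no expiry because its maximum age is 99999.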
Tips:
I often hear: my root password has been forgotten or changed, what do I do?

Sometimes this happens: you have forgotten the root password. Reinstall? Or sometimes the machine has been broken into and the root password has been changed. What now?

This is where /etc/shadow comes in. We now know the password is stored in this file, so as long as you can boot into the system somehow, for example in single-user maintenance mode or from a live CD (KNOPPIX), you can mount the hard disk, open /etc/shadow and clear the root password field. Then log in as root once; root will not need a password (sometimes you have to press Enter for an empty one), and you should immediately set a new root password with passwd. Two caveats. First, depending on the PAM configuration an empty password may be refused rather than accepted, in which case it is more reliable to chroot into the mounted system and run passwd root there. Second, this procedure is exactly what an attacker with physical access does, which is why a machine you care about needs a boot-loader password, booting from removable media disabled, and disk encryption; and if the machine was actually compromised, resetting the password is not enough, because the intruder may have left other ways back in.
