Passwd shadow file description,

Source: Internet
Author: User

Passwd shadow file description,
User Account:/etc/passwd,/etc/shadow

You probably already know from the above descriptions, hey! The two most important files for account management are '/etc/passwd and/etc/shadow! These two archives are one of the most important archives in Linux! If you don't have these two files, haha! You cannot log on to Linux! Therefore, we will describe these two files first. Of course, you can use man 5 passwd and man 5 shadow for more details ~

#/Etc/passwd
The structure of this file is as follows: each row represents an account, and several lines represent several accounts in your system! However, note that,Many accounts are required in the system. We can simply refer to them as system accounts,For example, bin, daemon, adm, And nobody. These accounts are required for normal system operation. Please do not kill them at will! The file content is a bit like this:

Root: x: 0: 0: root:/bin/bash
Bin: x: 1: 1: bin:/sbin/nologin
Daemon: x: 2: 2: daemon:/sbin/nologin
Adm: x: 3: 4: adm:/var/adm:/sbin/nologin

Let's take a look at the first line of each Linux system, that is, the line of the root system administrator. You can clearly see that each line is separated, there are a total of seven things:

1. Account name: the account name! Corresponding UID! For example, root is the default account name of the system administrator;

2. password: the password of the early Unix system is stored in this file, but because this file is characteristic that all programs can read it, it is easy to cause data theft, therefore, I changed the password of this column to/etc/shadow. I will wait for the/etc/shadow part. Here you will see an x, huh, huh! Don't worry. This indicates that the password has been moved to the encrypted file shadow;

3. UID: This is the user ID! Linux has several restrictions on UID:
Id range this ID user feature
  0 when the UID is 0, it indicates that this account is 'System admin '!So when you want to be another System Administrator account, you can change the UID of this account to 0. That is to say, the system administrator on a system does not have to be root! However, it is not recommended that the UID of multiple accounts be 0 ~
  1 ~ 499 ID reserved for the system,Actually, 1 ~ There are no different accounts between 65534, that is, there are no different UID except 0,It is a habit to retain the account for the system by default below 500.The advantage is that, taking the startup service 'named' of the famous DNS server as an example, the default owner's Account UID for this program is 25, and when other accounts are 25, it may cause minor system problems! To prevent this problem, we recommend that you keep the UID before 500 to the system!
  However, in general, 1 ~ 99 will be retained to the default account, and the remaining 100 ~ 499 is reserved for some services.
  500 ~ 65535 for general users.As a matter of fact, the current linux core (2.6.x) already supports UID numbers as large as 4294967295 (2 ^ 32-1!

Can I understand the above instructions? Yes, when the UID is 0, it is root! So please pay special attention to your/etc/passwd file!

4. GID: this is related to/etc/group! In fact, the concept of/etc/group is similar to that of/etc/passwd, but it is used to regulate the group!

5. User Information Description column: This column is basically useless. It is only used to explain the meaning of this account! However, if you provide the finger function, this field can provide a lot of information! The chfn below can be explained!

6. Home Directory: This is the user's home directory. For example, the root home directory is in/root. So after the root log on, it will immediately run to/root! Haha! If you have an account with a very large space, you want to move the account's home directory to another hard drive. No error! You can modify it here! The default user's home directory is in/home/yourIDname

7. Shell: the so-called shell is used to communicate the real action interface between commands issued by humans and hardware! We usually use the/bin/bash shell to issue commands! Hey! I found it, right? We mentioned many times in the bash section. Why is it bash preset when I log on to Linux? It is set here ~ Note that there is a shell that can be used to replace the command that makes the account unable to log on! That's/sbin/nologin! This can also be used to create information for purely pop mail accounts!

#/Etc/shadow
As mentioned above, every program needs to obtain uid and gid to determine permissions. Therefore, the/etc/passwd permission must be set to-rw-r --. In this case, no one can view the user's password? Even if the password column in this file is encrypted, bad friends may use brute force cracking to try and error to find out your password ......

Because of this relationship, the technology to separate the file "/etc/shadow" will be released later. In addition, many password restriction parameters will be added to the/etc/shadow file! Let's first understand the structure of this file! My/etc/shadow file is a bit like this:

Root: $1 $ i9Ejldjfjio389u9sjl $ jljsoi45QE/: 12959: 0: 99999: 7 :::
Bin: *: 12959: 0: 99999: 7 :::
Daemon: *: 12959: 0: 99999: 7 :::
Adm: *: 12959: 0: 99999: 7 :::

Basically, shadow uses ':' as the separator. If you count a few, you will find a total of nine columns. The purpose of these nine columns is as follows:

1. Account name: The password must correspond to the account ~ Therefore, the first column of this file is the account, which must be the same as/etc/passwd!

2. Password: this is the real password, and it is a coded password! You will only see letters with some special characters! It should be noted that, although these encrypted passwords are hard to be decrypted, they are difficult to 'not equal to 'Not'. Therefore, the default attribute of this file is '-rw -------' or '-r --------'. That is, only root can read and write the file! You have to pay attention at any time, do not accidentally change the attributes of this file! In addition, if the first character in the password column is '*' or '! ', Indicating that this account is not used for login. So if one of your users is not good on that day, you can first add one at the top of the password field in this file *! Hey! He cannot use this account! Wait until he gets better, and enable it again!

3. Date of last password change: this field records the date of the day when the password is changed. However, it's strange! How can it be 12959 in my example? Oh, this is because the Linux date calculation takes January 1, 1970 as 1, and January 1, 1971 as 366! So this date is cumulative! Please pay attention to this information! So the last January 1, 2005 is 12784. Have you understood it?

4. days when the password cannot be changed: it takes several days to change the password recorded in the fourth column! If it is 0, the password can be changed at any time. This restriction is designed to prevent the password from being changed by some people! If the password is set to 20 days, you cannot change the password within 20 days after the password is set!

5. Number of days when the password needs to be changed again: this column is designed because the password is afraid of being stolen by some 'hearts' and endangering the security of the entire system. You must reset your password within this time period. Otherwise, this account will be temporarily unavailable. If it is like the above 99999, it means, haha, the password does not need to be re-entered! However, it is recommended that you change the password after a period of time to ensure security!

6. warning period before the Password Change Period: When the password expiration period of the account is approaching, it is the time at which the above "password must be changed, based on the settings in this field, the system will send a 'warning 'to this account to remind him that your password will expire in n days. Please reset your password as soon as possible! ', In the above example, the user is warned within 7 days before the password expires.

7. password Expiration period: if the user has not re-entered the password after the warning period, the password becomes invalid. That is to say, you must change the password before, your password has not been changed! 'The group of passwords is called 'invalid password ~ What should I do? It doesn't matter. There is still the number of days for this column ~ That is to say, when the password expires, you can also use this password to log on within n days. If you haven't changed the password after this day, huh, huh! Your account becomes invalid! Unable to log on!

8. Account Expiration date: This date is the same as the third column, which is set by the total number of days since January 1, 1970. This field indicates that this account cannot be used after the specified date in this field. This field is usually used in the 'billing service' system. You can set a date so that this account cannot be used any more!

9. Retained: The last column is retained to check whether new features are added in the future.

For example, assume that the password column of my dmtsai user is as follows:

Dmtsai: $1 $8 zdAKdfC $ XDa8eSus2I7nQL7UjRsIy //: 13025: 5: 60: 7: 2: 13125:

What does this mean? It should be noted that 13025 is. Therefore, the meaning of the user's password for dmtsai is:

* The last password change date is 2005/08/30 (13025 );
* The password can be changed five days later, that is, before 2005/09/04. dmtsai cannot change its password. If the user tries to change its password, the system will display the following message:

You must wait longer to change your password
Passwd: Authentication token manipulation error

* The user must modify his/her password within 60 days between /09/04 and /10/29. If the password is not changed after /10/29, the account becomes invalid;
* If the user has not changed the password, the system will warn dmtsai about changing the password within 7 days before. For example, when dmtsai logs in, the system prompts the following information:

Warning: your password will expire in 5 days

* If no password is changed for this account until, dmtsai can continue to log on to the account before due to the two-day grace period;
* If the user has changed the password before, the 13025 date will change accordingly. Therefore, all the restricted dates will change accordingly! Pai_^
* No matter how the user acts, the account becomes invalid when it reaches 13125, which is around /12/8 ~

Through this explanation, you should have understood it more easily ?! Pai_^
Tips:
I often hear that my password is forgotten or changed? What should I do?

Sometimes this happens, that is, your root password is forgotten! What should I do? Are you sure you want to reinstall it? In addition, sometimes the root password is compromised. How can this problem be solved?

  At this time, you must use the/etc/shadow document! We just know that the password exists in this file, so as long as you can boot into Linux in a variety of feasible ways, such as single-person maintenance mode, or use live CD (KNOPPIX) to enter the Linux system. Then, mount the hard drive smoothly, and enter the/etc/shadow file to clear all the root passwords! Then log on to Linux again. At this time, the root user does not need a password (sometimes a blank character is required) to log on! In this case, set the root password as passwd.

Yes.


Original article: http://blog.163.com/hanye_online/blog/static/19221717320119151321690/




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.