Compared with Windows, a Linux system is harder to penetrate and control. The root cause is the Linux security model: once strict minimum permissions have been set for applications such as the web server, an attacker who obtains a webshell still finds it difficult to escalate privileges. Some intruders therefore analyze the password information and password habits of the administrators and users on the server and mount a second attack through social engineering; with a little luck they may well obtain server permissions. So for Linux servers, in addition to setting strict permissions and applying security patches promptly, you also need to set strong passwords. This article discusses how Linux stores passwords, how Linux passwords are cracked, and how to set secure passwords.
1.1 Linux password principle
1. Linux password structure
In Linux, two files matter for the system login password: /etc/passwd and /etc/shadow. The first records user account information; the second stores the password hashes. In /etc/passwd, each line describes one user and has seven fields separated by colons, in the format username:x:UID:GID:comment:home:shell. The fields of a line in /etc/passwd mean the following:
Field 1: user name (also called the login name);
Field 2: password. An x here means the password is not stored in this file but in /etc/shadow;
Field 3: UID;
Field 4: GID;
Field 5: comment field, usually the user's full name; optional and may be left empty;
Field 6: location of the user's home directory;
Field 7: the login shell used by the user, usually /bin/bash.
The /etc/shadow file is the shadow file of /etc/passwd. It is not derived from /etc/passwd at run time; the two files complement each other. The shadow file holds the user name, the hashed password, and information that /etc/passwd does not contain, such as password aging and the account expiry date. It can be read and modified only with root permission.
Each line of /etc/shadow contains nine fields separated by colons. Even if two accounts have the same password, their stored values differ, because every hash is computed with a random salt that is stored alongside it. The fields mean the following:
Field 1: user name (also called the login name). The user name in /etc/shadow is the same as in /etc/passwd; this is how the passwd record is associated with the shadow record. This field is never empty;
Field 2: the hashed password. If this field holds something that cannot be a valid hash, for example x, *, or a hash prefixed with !, the user cannot log in with a password (passwd -l locks an account by adding such a ! prefix). This field is never empty;
Field 3: the date of the last password change, expressed as the number of days since January 1, 1970. Change a user's password with passwd and you can watch this field change in /etc/shadow;
Field 4: the minimum number of days between two password changes, that is, how many days must pass after a change before the user may change the password again. 0 disables the restriction. The default for newly added users comes from PASS_MIN_DAYS in /etc/login.defs;
Field 5: the maximum number of days between two password changes, after which the password must be changed. This gives the administrator control over password age and so improves system security. The default for newly added users comes from PASS_MAX_DAYS in /etc/login.defs; the usual value 99999 effectively means the password never expires;
Field 6: the number of days before expiry on which the user is warned. When the user logs in, the login program reminds them that the password is about to expire. The default for newly added users comes from PASS_WARN_AGE in /etc/login.defs;
Field 7: the inactivity period, that is, how many days after the password has expired the account is disabled. Once that period has elapsed the system no longer lets the user log in at all, not even to be prompted to change the expired password;
Field 8: the account expiration date, as the number of days since January 1, 1970. After this date the account is disabled regardless of the password's age. If the field is blank the account never expires;
Field 9: reserved field, currently empty, kept for future use.
For example, the root account of one system appears in /etc/shadow as root:$1$kbIAhX/R$PiLL1U.n6bivtIr4oTi2y0:15377:0:99999:7:::
2. Linux password file location
On most Linux systems the file holding the password hashes is called shadow. On some other Linux/Unix variants it is called passwd or lives in a different place. Common locations:
Linux                 /etc/shadow
SystemV Release 4.2   /etc/security
SystemV Release 4.0   /etc/shadow
SunOS 5.0             /etc/shadow
SCO Unix              /tcb/auth/files/
OSF/1                 /etc/passwd
HP-UX                 /.secure/etc/passwd
BSD4.x                /etc/master.passwd
AIX3                  /etc/security/passwd
IRIX5                 /etc/shadow
1.2 Password hashing algorithms used in Linux
1. View the password hashing algorithm
Linux account passwords are hashed and stored in /etc/shadow. (The original article calls this "encryption", but the stored value is a salted one-way hash, not ciphertext that can be decrypted; an attacker can only guess candidates and hash them for comparison.) Which algorithm is used depends on the PAM configuration in /etc/pam.d/system-auth or /etc/pam.d/passwd, where the pam_unix.so line carries an option such as sha512 or md5. Running more /etc/pam.d/system-auth shows that setting. The algorithms in common use are MD5, SHA-256 and SHA-512.
On Red Hat Enterprise Linux Server the command authconfig --test | grep hashing prints the password hashing algorithm currently configured for system accounts.
2. Five hashing algorithms are used by Linux/UNIX
Linux/UNIX systems use five hashing schemes, which can be identified from the stored value itself, chiefly by the $id$ prefix after the account name: $1$ is MD5-crypt, $2a$ (or $2y$/$2b$) is bcrypt, which is based on Blowfish, $5$ is SHA-256-crypt, $6$ is SHA-512-crypt, and a 13-character value with no $ prefix is traditional DES crypt. (Newer distributions add $y$ for yescrypt.) The format is $id$salt$hash: for example, in root:$1$kbIAhX/R$PiLL1U.n6bivtIr4oTi2y0:15377:0:99999:7::: the algorithm is MD5, the salt is kbIAhX/R, and the 22 characters after the last $ are the hash.
1.3 Linux password operations
In early Linux systems /etc/passwd held everything about each user, including the password, stored as the output of a one-way function (a visible string) in a world-readable file; the strength was low. As a result, an early attacker who obtained /etc/passwd was already halfway into the system. Later, as the security level rose, the password hashes were separated out of passwd and stored, together with auxiliary information such as the aging fields, in the shadow file, which only root can read. On Red Hat systems the storage format and hashing algorithm can be set with /usr/sbin/authconfig. When a user logs in, the password entered is hashed with the same algorithm and salt as the stored value and compared with the entry in /etc/shadow; login is allowed if they match and denied otherwise.
Linux password operations are adding, deleting and modifying passwords. When you add a user you must set a password with passwd; when you delete the user the system removes the password along with the account. Reading the hash file with cat /etc/shadow requires root permission. Common commands:
ls -l /etc/passwd /etc/shadow                         view the permissions of the two files
passwd antian365                                      set or reset the password of user antian365
passwd -l antian365                                   lock the account of antian365 (a ! is prefixed to the hash, so password login is refused)
passwd -u antian365                                   unlock the account again
passwd -d antian365                                   delete the password of antian365 (the password field becomes empty; use with care)
passwd -S antian365                                   query the password status of antian365
chage -l antian365                                    list the password aging information of antian365
chage -E 12/30/2016 -m 5 -M 90 -I 30 -W 14 antian365  set the account expiration date to December 30, 2016
The last command also sets the minimum interval between password changes to 5 days and the maximum password age to 90 days, warns the user 14 days before the password expires, and disables the account 30 days after the password has expired.
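The nine-field layout of /etc/shadow and the aging values that the chage command above sets, worked as an added example (this is not code from the original article): a small parser for /etc/shadow records that names the hashing algorithm from its $id$ prefix, converts the day counts to calendar dates, and reports whether a password or account has expired the way login would. The root line is the one quoted in the article; the antian365 record and its hash are constructed for the example, with the aging values from the chage command (min 5, max 90, warn 14, inactive 30, expiry December 30, 2016).

```python
"""Parse /etc/shadow records and evaluate password aging.

Added example, not code from the original article. The antian365 line and its
hash below are constructed; the root line is the one quoted in the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)

# crypt(3) identifiers found after the leading "$"; a 13-character value with
# no prefix is traditional DES.
HASH_IDS = {
    "1": "MD5",
    "2a": "bcrypt (Blowfish)", "2b": "bcrypt (Blowfish)", "2y": "bcrypt (Blowfish)",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]   # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # days since 1970-01-01, blank = never
    reserved: str


def days_to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def date_to_days(d: date) -> int:
    return (d - EPOCH).days


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    numeric = [int(f) if f else None for f in fields[2:8]]  # blank -> None
    return ShadowEntry(fields[0], fields[1], *numeric, fields[8])


def hash_algorithm(stored: str) -> str:
    """Name the scheme from the $id$ prefix (section 1.2 of the article)."""
    if stored == "":
        return "empty (no password set)"
    if stored.startswith(("!", "*")):
        return "locked (no valid hash)"
    if stored.startswith("$"):
        ident = stored.split("$")[1]
        return HASH_IDS.get(ident, f"unknown ${ident}$")
    if len(stored) == 13:
        return "DES"
    return "invalid (password login impossible)"


def password_state(e: ShadowEntry, today: date) -> str:
    """Apply the aging fields in the order login does: account expiry first."""
    now = date_to_days(today)
    if e.expire is not None and now >= e.expire:
        return "account expired"
    if e.hash.startswith(("!", "*")):
        return "locked"
    if e.last_change == 0:
        return "must change password at next login"
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "ok (no password expiry)"
    expires_on = e.last_change + e.max_days
    if now > expires_on:
        if e.inactive_days is not None and now > expires_on + e.inactive_days:
            return "disabled (password expired, inactivity period elapsed)"
        return "password expired (must change at login)"
    if e.warn_days and now >= expires_on - e.warn_days:
        return f"expiring in {expires_on - now} days"
    return "ok"


# Constructed sample: root is the article's line; antian365 uses the chage
# values from section 1.3 (expiry 2016-12-30 is day 17165) and a fake hash.
SAMPLE_SHADOW = [
    "root:$1$kbIAhX/R$PiLL1U.n6bivtIr4oTi2y0:15377:0:99999:7:::",
    "antian365:$6$c0nstructed$notarealhash:17000:5:90:14:30:17165:",
]


def report(lines: List[str], today: date) -> List[str]:
    out = []
    for line in lines:
        e = parse_shadow_line(line)
        changed = days_to_date(e.last_change) if e.last_change is not None else "never"
        out.append(f"{e.name}: {hash_algorithm(e.hash)}, last changed {changed}, "
                   f"{password_state(e, today)}")
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_SHADOW, days_to_date(17100)):
        print(row)
```

Run it and the root line reports MD5, a last change on 2012-02-07 and no expiry (max age 99999), while the constructed antian365 record, 100 days after its last change with a 90-day maximum, reports an expired password that has not yet crossed the 30-day inactivity limit.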
1.4 Cracking the Linux password
Before looking at how to set a Linux password securely, let us look at how Linux passwords are cracked. Linux uses DES (the traditional crypt function) or the MD5-based scheme; both are one-way functions, so the stored value cannot be reversed, and an attacker must guess candidate passwords and run each one through the same salted computation to compare the result. A DES hash is a 13-character ASCII string, while an MD5 hash always starts with "$1$". Figure 2 shows a Red Hat Linux system where the attacker has remotely exploited an overflow on the server and obtained a login shell with root permission.
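The "$1$" identification in section 1.2 and the cracking described here come down to the same computation, so here it is as an added example (not code from the original article or from any tool it names): a pure-Python implementation of the crypt(3) MD5-crypt scheme that produces the "$1$salt$hash" values in /etc/shadow, followed by a dictionary attack that recomputes the hash with the stored salt for each candidate word. The password "Admin@2016", the wordlist and the target hash are constructed for the example; the salt kbIAhX/R is reused from the article's root line, but the real root hash quoted there is not attacked here.

```python
"""MD5-crypt ($1$) password hashing as stored in /etc/shadow, plus a dictionary
attack against it.

Added example, not code from the original article. md5crypt() implements the
public crypt(3) MD5 scheme; the salts, wordlist and target hash are constructed.
"""
import hashlib
import secrets
from typing import Iterable, Optional, Tuple

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` characters, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    pw = password.encode()
    salt_b = salt.encode()[:8]            # at most 8 salt characters are used
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)                   # mix in `alt` once per 16 bytes of password
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)                         # one byte per bit of the password length
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000-round slowdown loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt_b)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = b""                         # 16 digest bytes -> 22 output characters
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (MAGIC + salt_b + b"$" + encoded).decode()


def split_hash(stored: str) -> Tuple[str, str, str]:
    """'$1$salt$hash' -> ('1', salt, hash)."""
    _, ident, salt, digest = stored.split("$", 3)
    return ident, salt, digest


def new_salt(length: int = 8) -> str:
    alphabet = ITOA64.decode()
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify(password: str, stored: str) -> bool:
    """What login does: rehash with the stored salt and compare."""
    ident, salt, _ = split_hash(stored)
    if ident != "1":
        raise ValueError(f"not an MD5-crypt hash: ${ident}$")
    return secrets.compare_digest(md5crypt(password, salt), stored)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What the attacker does: the same rehash, once per candidate word."""
    _, salt, _ = split_hash(stored)
    for word in wordlist:
        if md5crypt(word, salt) == stored:
            return word
    return None


# Constructed wordlist and target; a real attack uses a large leaked-password list.
WORDLIST = ["123456", "password", "antian365", "Admin@2016", "qwerty"]
TARGET = md5crypt("Admin@2016", "kbIAhX/R")   # constructed target, article's salt


if __name__ == "__main__":
    print("target hash:                 ", TARGET)
    print("same password, another salt: ", md5crypt("Admin@2016", new_salt()))
    print("cracked:                     ", dictionary_attack(TARGET, WORDLIST))
```

The second printed line shows why the article observes different stored values for identical passwords: the random salt enters the computation, so the same password under a different salt yields a different string, and an attacker with a stolen shadow file must redo the 1000-round loop separately for every account and every candidate rather than reuse a precomputed table.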