Shadow password file for Linux

The first applet in the book "Python stunt" first showed the ability to hack against the shadow file password in a UNIX system, because it was previously just a phase where the shadow file was stored in the user's password, but was not studied in detail. So the weekend two days specially spent time to study well.
1.passwd Files and Shadow files
Earlier in Unix, there was no/etc/shadow this file. All information for a user is saved in the/etc/passwd file only, and the encrypted user password is saved in the second field of the passwd file. So why do you produce shadow files?
First we look at the detailed permissions of the passwd file via LS:
-rw-r--r-- 1 root root 1505 Mar 6 22:34 /etc/passwd
It can be seen that each user is readable, then this does not expose the user password to anyone? Although it is too dense, there are security issues.
Now the file permissions are this: (Note that/USR/BIN/PASSWD has a setuid s identity bit in addition to the RWX permission)
-rwsr-xr-x. 1 root root 30768 Feb 22 2012 /usr/bin/passwd
---------- 1 root root 964 Mar 6 22:34 /etc/shadow
First, by removing all permissions to the shadow file, it is guaranteed that only root can read and write to the shadow file (root is the Tenjin, no special instructions for any files are under the jurisdiction of root). So the ordinary user to change the password when the shadow file must be changed AH? Implemented by/USR/BIN/PASSWD's S-bit.
The normal user's change password process is this:
The test user invokes the/USR/BIN/PASSWD command to modify his or her password because passwd is executable to any user, and the s-bit specifies that all executable users will be rooted when executing this command. So this time the test user takes root permission to read and write the shadow file, and when the command is finished, the test becomes lost root. Can be seen through the separation of shadow files, not only to ensure that ordinary users of their own password modification, but also to ensure that ordinary users do not see the encrypted password string to enhance security.
Composition of 2.shadow files
root:$1$abcdefg$Qp6zr7K0tHxV79N9cCLSc1:16866:0:99999:7:::
Account Name: Root
Password after encryption:$1$abcdefg$Qp6zr7K0tHxV79N9cCLSc1
Date the password was last modified: 16866
Number of days the password cannot be changed: 0
Number of days the password needs to be re-changed: 99999 (99999 indicates no change required)
Days before password change warning: 7
Account Expiration Date: None
Account Cancellation Date: None
Reserved entries, currently useless
The password portion of the 3.shadow file
The password portion of the shadow file consists of three parts,‘$‘Segmentation.
With the aboverootUser's password as an example, follow‘$‘After partitioning is the encryption Method (1), the Salt value (abcdefg), after the encrypted cipher string (Qp6zr7K0tHxV79N9cCLSc1）。
First look at the first encryption method, there are currently 6 encryption methods, the most common only 3 kinds:
1:MD5 encryption, cipher length 22
5:sha-256 encryption, cipher length 43
6:SHA-512 encryption, cipher length 86
4. Manually generate the password string (tested on centos6.5)
Method One: The Dovecotadm command is provided in the Dovecot package.
Like what:doveadm pw -s SHA512-CRYPT, where the s parameter can be selected in a variety of encryption methods, such as Sha512-crypt,sha256-crypt,md5-crypt.
Method Two: The PASSWD subcommand is available in the OpenSSL package.
Like whatopenssl passwd -1, but I found only support for MD5.
Method Three: The default Python comes with the Crypt library.

__import__ ("Crypt"). Crypt ("Password", "$1$abcdefg$") 1

If you do not want to set the specified salt value yourself, you can use the Mksalt function of the crypt library to generate it automatically and provide md5,sha256,sha512 full support.

Shadow password file for Linux