[20160420]shadow檔案格式口令加密.txt

[20160420]shadow檔案格式口令加密.txt

$ man 5 shadow
SHADOW(5)                File Formats and Conversions                SHADOW(5)

NAME
       shadow - encrypted password file

DESCRIPTION
       shadow contains the encrypted password information for user's accounts and optional the password aging
       information. Included is:

       . login name
       . encrypted password
       . days since Jan 1, 1970 that password was last changed
       . days before password may be changed
       . days after which password must be changed
       . days before password is to expire that user is warned
       . days after password expires that account is disabled
       . days since Jan 1, 1970 that account is disabled
       . a reserved field

# cat /etc/shadow |grep oracle
oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::

--主要關注加密欄位.
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.

--以$作為分割,

--第1個欄位表示:

$1 = MD5 hashing algorithm.
$2 =Blowfish Algorithm is in use.
$2a=eksblowfish Algorithm
$5 =SHA-256 Algorithm
$6 =SHA-512 Algorithm

--很明顯這裡使用MD5 hashing algorithm.

--第2個欄位salt佔8位:
ZcwH7AWX

--第3個欄位就是口令的加密串=> password+slat的hash value.
0BlZZRahwsQ4hLIEUTBN5.

--我的測試口令是123456,測試看看:

$ openssl passwd -1 -salt ZcwH7AWX 123456
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.

--正好對上!!

--實際上在安裝的時候可以選擇口令的加密演算法.
# grep password /etc/pam.d/system-auth
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

# authconfig --test|grep hashing
password hashing algorithm is md5

# authconfig --passalgo=sha512 --update

# grep sha512 /etc/pam.d/system-auth
system-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
--已經修改為sha512