[20160420] shadow file format and password encryption.txt
$ man 5 shadow
SHADOW(5) File Formats and Conversions SHADOW(5)
NAME
shadow - encrypted password file
DESCRIPTION
shadow contains the encrypted password information for user's accounts and optional the password aging
information. Included is:
. login name
. encrypted password
. days since Jan 1, 1970 that password was last changed
. days before password may be changed
. days after which password must be changed
. days before password is to expire that user is warned
. days after password expires that account is disabled
. days since Jan 1, 1970 that account is disabled
. a reserved field
# cat /etc/shadow |grep oracle
oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::
-- The field of interest is the encrypted password field.
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.
-- Fields are separated by $.
-- The 1st field identifies the algorithm:
$1 = MD5 hashing algorithm.
$2 =Blowfish Algorithm is in use.
$2a=eksblowfish Algorithm
$5 =SHA-256 Algorithm
$6 =SHA-512 Algorithm
-- Clearly the MD5 hashing algorithm is in use here.
-- The 2nd field is the salt, 8 characters long:
ZcwH7AWX
-- The 3rd field is the encrypted password string => the hash value of password+salt.
0BlZZRahwsQ4hLIEUTBN5.
-- My test password is 123456; let's check:
$ openssl passwd -1 -salt ZcwH7AWX 123456
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.
-- An exact match!!
-- In fact, the password encryption algorithm can be chosen at installation time.
# grep password /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
# authconfig --test|grep hashing
password hashing algorithm is md5
# authconfig --passalgo=sha512 --update
# grep sha512 /etc/pam.d/system-auth
system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth-ac:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-- It has now been changed to sha512.
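-- Added example (not part of the original note): changing the algorithm only affects passwords set afterwards, so existing entries such as the oracle line above keep their $1$ hash until the password is changed again. This Python sketch parses shadow lines using the field layout described above and flags entries for review; the review policy, the function names and every sample line except the oracle one are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Scheme ids as listed in the note; the flag (review or not) is this example's own policy.
SCHEMES = {"1": ("MD5", True), "2": ("Blowfish", False), "2a": ("eksblowfish", False),
           "5": ("SHA-256", False), "6": ("SHA-512", False)}

def parse_hash(field):
    """Split the 2nd shadow field into (scheme, flag, params, salt, digest)."""
    if field == "":
        return ("EMPTY", True, [], None, None)        # no password required
    if field[0] in "!*":
        return ("LOCKED", False, [], None, None)      # password login disabled
    if not field.startswith("$"):
        return ("DES/unknown", True, [], None, None)  # no $id$ prefix
    parts = field.split("$")[1:]
    name, flag = SCHEMES.get(parts[0], ("unknown:" + parts[0], True))
    if parts[0].startswith("2") and len(parts) == 3:
        # bcrypt-style layout: $2a$cost$<22-char salt><digest> in one field
        return (name, flag, [parts[1]], parts[2][:22], parts[2][22:])
    if len(parts) < 3:
        return (name, True, [], None, None)           # truncated hash field
    # $id$salt$digest, or $id$rounds=N$salt$digest for the SHA-crypt schemes
    return (name, flag, parts[1:-2], parts[-2], parts[-1])

def audit(lines):
    """Return (login, scheme, last_changed) for every entry flagged for review."""
    findings = []
    for line in lines:
        f = line.rstrip("\n").split(":")
        if len(f) != 9:                               # shadow(5) lists nine fields
            findings.append((f[0], "MALFORMED", None))
            continue
        scheme, flag = parse_hash(f[1])[:2]
        # Field 3: days since Jan 1, 1970 that the password was last changed
        changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2].isdigit() else None
        if flag:
            findings.append((f[0], scheme, changed))
    return findings

# First line is the entry from the note; the others are constructed samples.
SAMPLE = [
    "oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::",
    "app:$6$rounds=5000$CONSTRUCTEDsalt$" + "x" * 86 + ":16912:0:99999:7:::",
    "daemon:*:16000:0:99999:7:::",
    "guest::16000:0:99999:7:::",
]

if __name__ == "__main__":
    for login, scheme, changed in audit(SAMPLE):
        print(login, scheme, changed)
```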