Password file
来源:互联网 发布:gradle mac 环境变量 编辑:程序博客网 时间:2024/05/02 04:17
he /etc/passwd
file is a text-based database of information about users that may log in to the system or other operating system user identities that own running processes.
In many operating systems this file is just one of many possible back-ends for the more general passwd name service.
The file's name originates from one of its initial functions as it contained the data used to verify passwordsof user accounts. However, on modern Unix systems the security-sensitive password information is instead often stored in a different file using shadow passwords, or other database implementations.
The /etc/passwd
file typically has file system permissions that allow it to be readable by all users of the system (world-readable), although it may only be modified by the superuser or by using a few special purpose privileged commands.
The /etc/passwd
file is a text file with one record per line, each describing a user account. Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant.
An example record may be:
jsmith:x:1001:1000:Joe Smith,Room 1007,(234)555-8910,(234)555-0044,email:/home/jsmith:/bin/sh
The fields, in order from left to right, are:[1]
- The first field is the user name, i.e. the string a user would type in when logging into the operating system: the logname. Each record in the file must have a unique user name field.
- The second field stores information used to validate a user's password; however in most modern uses this field is usually set to "x" (or some other indicator) with the actual password information being stored in a separate shadow password file. Setting this field to an asterisk ("*") is a common way to disable direct logins to an account while still preserving its name. Another possible value is "*NP*" which indicates to use an NIS server to obtain the password. [2]
- The third field is the user identifier, the number that the operating system uses for internal purposes. It does not have to be unique.
- The fourth field is the group identifier. This number identifies the primary group of the user; all files that are created by this user may initially be accessible to this group.
- The fifth field, called the Gecos field, is commentary that describes the person or account. Typically, this is a set of comma-separated values including the user's full name and contact details.
- The sixth field is the path to the user's home directory.
- The seventh field is the program that is started every time the user logs into the system. For an interactive user, this is usually one of the system's command line interpreters (shells).
Shadow file[edit]
/etc/shadow
is used to increase the security level of passwords by restricting all but highly privileged users' access to hashed password data. Typically, that data is kept in files owned by and accessible only by the super user.
Systems administrators can reduce the likelihood of brute force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the passwd
database itself readable only by the root user. However, this would restrict access to other data in the file such as username-to-userid mappings, which would break many existing utilities and provisions. One solution is a "shadow" password file to hold the password hashes separate from the other data in the world-readable passwd file. For local files, this is usually /etc/shadow
on Linux and Unix systems, or /etc/master.passwd
on BSD systems; each is readable only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain the information in other ways in any case). Virtually all recent Unix-like operating systems use shadowed passwords.
The shadow password file does not entirely solve the problem of attacker access to hashed passwords, as some network authentication schemes operate by transmitting the hashed password over the network (sometimes incleartext, e.g., Telnet[3]), making it vulnerable to interception. Copies of system data, such as system backups written to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication checks at high rates of speed.
On a system without shadowed passwords (typically older Unix systems dating from before 1990 or so), the passwdfile holds the following user information for each user account:
- Username
- Salt combined with the current hash of the user's password (usually produced from a cryptographic hash function)
- Password expiration information
- User ID (UID)
- Default group ID (GID)
- Full name
- Home directory path
- Login shell
- The passwd file is readable by all users so that name service switch can work (e.g., to ensure that user names are shown when the user lists the contents of a folder), but only the root user can write to it. This means that an attacker with unprivileged access to the system can obtain the hashed form of every user's password. Those values can be used to mount a brute force attack offline, testing possible passwords against the hashed passwords relatively quickly without alerting system security arrangements designed to detect an abnormal number of failed login attempts.
With a shadowed password scheme in use, the
/etc/passwd
file typically shows a character such as '*
', or 'x
' in the password field for each user instead of the hashed password, and/etc/shadow
usually contains the following user information:- User login name
- salt and hashed password OR a status exception value e.g.:
- "$id$salt$hashed", the printable form of a password hash as produced by crypt (C), where "$id" is the algorithm used. (On GNU/Linux, "
$1$
" stands for MD5, "$2a$
" is Blowfish, "$2y$
" is Blowfish (correct handling of 8-bit chars), "$5$
" is SHA-256 and "$6$
" is SHA-512, crypt(3) manpage, other Unix may have different values, like NetBSD. Key stretching is used to increase password cracking difficulty, using by default 1000 rounds of modified MD5,[4] 64 rounds of Blowfish, 5000 rounds of SHA-256 or SHA-512.[5]The number of rounds may be varied for Blowfish, or for SHA-256 and SHA-512 by using e.g. "$6$rounds=50000$".) - Empty string - No password, the account has no password. (Reported by passwd on Solaris with "NP") [6]
- "!" - the account is password Locked, user will be unable to log-in via password authentication but other methods (e.g. ssh key) may be still allowed)[7]
- "*LK*" or "*" - the account is Locked, user will be unable to log-in via password authentication but other methods (e.g. ssh key) may be still allowed) [7]
- "!!" - the password has never been set (RedHat)[8]
- "$id$salt$hashed", the printable form of a password hash as produced by crypt (C), where "$id" is the algorithm used. (On GNU/Linux, "
- Days since epoch of last password change
- Days until change allowed
- Days before change required
- Days warning for expiration
- Days before account inactive
- Days since Epoch when account expires
- Reserved
The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical to the order of the corresponding users in the password file.
- Password file
- Oracle中password file
- Oracle's password file
- 20151117 password file
- Oracle Password File
- /etc/shadow --shadowed password file
- Password File Authentication & Listener Configuration
- OFA & 登陆方法 & Password file
- ORA-01991 invalid password file
- oracle password file 命名规则
- useradd:cannot rewrite shadow password file
- useradd: cannot rewrite shadow password file
- ubuntu useradd: unable to lock password file
- EasyApn: Remove Password from PEM file
- oracle密码文件认证(password file authentication)
- Re-creating a Password Authentication File
- useradd失败:cannot open shadow password file
- 读书笔记20120213----Oracle password file, block change-tracking file
- Android 地理编码
- leetcode之Palindrome Partitioning II
- static private
- smali 语法学习历程
- 排列组合的高效算法
- Password file
- linux终端下的文本颜色设置
- Java垃圾回收机制
- 梅氏砝码问题
- 浅谈快速排序
- Jfinal 配置文件工具类
- 字符串反向输出(递归)
- 使用 Spring 3 来创建 RESTful Web Services
- 手把手教你学linux驱动开发:模块编程、虚拟字符设备编程、LED字符设备驱动