[20160420] shadow file format and password encryption.txt
$ man 5 shadow
SHADOW(5)                File Formats and Conversions                SHADOW(5)

NAME
       shadow - encrypted password file

DESCRIPTION
       shadow contains the encrypted password information for user's accounts and optional the password aging information. Included is:

       . login name
       . encrypted password
       . days since Jan 1, 1970 that password was last changed
       . days before password may be changed
       . days after which password must be changed
       . days before password is to expire that user is warned
       . days after password expires that account is disabled
       . days since Jan 1, 1970 that account is disabled
       . a reserved field

# cat /etc/shadow |grep oracle
oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::

--The field of interest is the encrypted password field.
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.

--It is split on "$".
--The 1st field indicates the algorithm:
$1 = MD5 hashing algorithm.
$2 = Blowfish Algorithm is in use.
$2a = eksblowfish Algorithm
$5 = SHA-256 Algorithm
$6 = SHA-512 Algorithm

--Clearly the MD5 hashing algorithm is used here.
--The 2nd field is the salt, 8 characters long:
ZcwH7AWX

--The 3rd field is the encrypted password string => the hash value of password+salt.
0BlZZRahwsQ4hLIEUTBN5.

--My test password is 123456; let's test it:
$ openssl passwd -1 -salt ZcwH7AWX 123456
$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.

--An exact match!!
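The field layout walked through above can be turned into a small audit that flags accounts still stored with a weak scheme. This is an added example, not part of the original post: the names parse_shadow_line and audit, the "weak" policy and the DES branch (which goes beyond the prefixes listed on the page) are assumptions, and every sample line except the oracle entry is constructed.

```python
from datetime import date, timedelta

# Hash-id prefixes as listed on this page; the True/False "weak" flag is this
# example's own audit policy (an assumption), not something shadow(5) defines.
SCHEMES = {"1": ("MD5", True), "2": ("Blowfish", False),
           "2a": ("eksblowfish", False), "5": ("SHA-256", False),
           "6": ("SHA-512", False)}

def parse_shadow_line(line):
    """Parse one /etc/shadow entry (nine colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    name, pw, lastchg = fields[:3]
    entry = {"name": name, "scheme": None, "salt": None, "weak": False,
             "locked": pw.startswith(("!", "*")), "last_changed": None}
    if lastchg.isdigit():  # days since Jan 1, 1970
        entry["last_changed"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    hashed = pw.lstrip("!")  # a leading "!" locks the account but keeps the hash
    if hashed.startswith("$"):
        parts = hashed.split("$")  # ['', id, salt, hash]; SHA-crypt may insert rounds=N
        entry["scheme"], entry["weak"] = SCHEMES.get(parts[1], ("unknown", False))
        if parts[1] in ("1", "5", "6") and len(parts) >= 4:
            entry["salt"] = parts[-2]
    elif len(hashed) == 13:  # no "$" prefix: traditional DES crypt (not covered on the page)
        entry["scheme"], entry["weak"] = "DES", True
    return entry

def audit(lines):
    """Return (login, scheme, last_changed) for accounts still on a weak scheme."""
    hits = []
    for line in lines:
        if line.strip():
            e = parse_shadow_line(line)
            if e["weak"]:
                hits.append((e["name"], e["scheme"], e["last_changed"]))
    return hits

# Constructed sample: the oracle line is the page's own; the others are made up.
SAMPLE = [
    "oracle:$1$ZcwH7AWX$0BlZZRahwsQ4hLIEUTBN5.:16911:0:99999:7:::",
    "app:$6$rounds=5000$c29tZXNhbHQ$PLACEHOLDERHASH:16911:0:99999:7:::",
    "daemon:*:16000:0:99999:7:::",
    "legacy:!abJnggxhB/yJg:15000:0:99999:7:::",
]

if __name__ == "__main__":
    for login, scheme, changed in audit(SAMPLE):
        print(login, scheme, changed)
```

Changing the configured algorithm does not rewrite existing entries: a `$1$` hash stays in the file until that password is next set, which is why an audit like this reads the shadow entries rather than the PAM configuration.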
--In fact, the password encryption algorithm can be chosen at installation time.
# grep password /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

# authconfig --test|grep hashing
password hashing algorithm is md5

# authconfig --passalgo=sha512 --update
# grep sha512 /etc/pam.d/system-auth
system-auth:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth-ac:password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

--It has now been changed to sha512.

Reposted from: http://wcasa.baihongyu.com/