/etc/shadow /usr/bin/passwd 详解（1）

最新推荐文章于 2024-05-27 14:52:52 发布

beebeeyoung

最新推荐文章于 2024-05-27 14:52:52 发布

阅读量2.1k

点赞数

文章标签： linux /etc/shadow 口令计算过程

本文链接：https://blog.csdn.net/beebeeyoung/article/details/123013525

版权

格式详解(https://linuxize.com/post/etc-shadow-file/)

mark:$6$.n.:17736:0:99999:7:::
[--] [----] [---] - [---] ----
|      |      |   |   |   |||+-----------> 9. Unused
|      |      |   |   |   ||+------------> 8. Expiration date
|      |      |   |   |   |+-------------> 7. Inactivity period
|      |      |   |   |   +--------------> 6. Warning period
|      |      |   |   +------------------> 5. Maximum password age
|      |      |   +----------------------> 4. Minimum password age
|      |      +--------------------------> 3. Last password change
|      +---------------------------------> 2. Encrypted Password
+----------------------------------------> 1. Username

Username. The string you type when you log into the system. The user account that exist on the system.
Encrypted Password. The password is using the $type$salt$hashed format. $type is the method cryptographic hash algorithm and can have the following values:
- $1$ – MD5
- $2a$ – Blowfish
- $2y$ – Eksblowfish
- $5$ – SHA-256
- $6$ – SHA-512
If the password field contains an asterisk (*) or exclamation point (!), the user will not be able to login to the system using password authentication. Other login methods like key-based authentication or switching to the user are still allowed.

In older Linux systems, the user’s encrypted password was stored in the /etc/passwd file.
Last password change. This is the date when the password was last changed. The number of days is counted since January 1, 1970 (epoch date).
Minimum password age. The number of days that must pass before the user password can be changed. Typically it is set to zero, which means that there is no minimum password age.
Maximum password age. The number of days after the user password must be changed. By default, this number is set to 99999.
Warning period. The number of days before the password expires during which the user is warned that the password must be changed.
Inactivity period. The number of days after the user password expires before the user account is disabled. Typically this field is empty.
Expiration date. The date when the account was disabled. It is represented as an epoch date.
Unused. This field is ignored. It is reserved for future use.

源码查找

通过passwd命令探查在centos7下口令杂凑的计算过程

查看命令位置

命令	输出
which passwd	/usr/bin/passwd

查看命令的安装包信息

命令

输出

yum provides passwd

passwd-0.79-6.el7.x86_64 : An utility for setting or changing passwords using PAM
Repo : base

passwd-0.79-4.el7.x86_64 : An utility for setting or changing passwords using PAM
Repo : @anaconda

下载命令源码

命令	备注
wget https://vault.centos.org/7.5.1804/os/Source/SPackages/passwd-0.79-4.el7.src.rpm ./	http下载
rpm2cpio *.src.rpm\|cpio -iv	转换成tar包后解压

浏览passwd源码，passwd依赖于PAM模块(The Linux-PAM Application Developers' Guide).主要调用过程 pam_start -> pam_chauthtok -> pam_end。其中pam_chauthtok，执行修改密码操作。浏览官方源码包 Index of /7.5.1804/os/Source/SPackages确定PAM版本。

命令	备注
wget https://vault.centos.org/7.5.1804/os/Source/SPackages/pam-1.1.8-22.el7.src.rpm	http下载pam源码
rpm2cpio *.src.rpm\|cpio -iv	转换成tar包后解压

解压浏览源码，pam_start 先是加载了认证模块的配置文件 /etc/pam.d/passwd 根据配置文件加载多个动态库相同符号名的符号.查看配置文件，涉及多个动态库加载。

命令

输出

cat /etc/pam.d/passwd

#%PAM-1.0
        auth include system-auth
        account include system-auth
        password substack system-auth
        -password optional pam_gnome_keyring.so use_authtok
        password substack postlogin

cat /etc/pam.d/system-auth

#%PAM-1.0
        # This file is auto-generated.
        # User changes will be destroyed the next time authconfig is run.
        auth required pam_env.so
        auth sufficient pam_fprintd.so
        auth sufficient pam_unix.so nullok try_first_pass
        auth requisite pam_succeed_if.so uid >= 1000 quiet_success
        auth required pam_deny.so

        account required pam_unix.so
        account sufficient pam_localuser.so
        account sufficient pam_succeed_if.so uid < 1000 quiet
        account required pam_permit.so

        password requisite pam_pwquality.so try_first_pass local_users_only retry=3         authtok_type=
        password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
        password required pam_deny.so

        session optional pam_keyinit.so revoke
        session required pam_limits.so
        -session optional pam_systemd.so
        session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
        session required pam_unix.so

继续跟踪源码 pam_start -> _pam_init_handlers -> _pam_parse_conf_file ->_pam_add_handler ->_pam_load_module,确定符号名"pam_sm_chauthtok"，_pam_dlsym，其中加载生效的动态是pam_pwquality.so。继续跟踪，pam_chauthtok -> _pam_dispatch -> _pam_dispatch_aux -> h->func, "pam_sm_chauthtok" -> create_password_hash -> crypt, (libcrypt.so).

其中crypt加密函数是libcrypt.so的符号。属于glibc一部分。

继续下载glibc源码 Index of /gnu/glibc