The Linux user login management (/etc/passwd and /etc/shadow files)

Original source: https://www.ibm.com/developerworks/mydeveloperworks/blogs/58e72888-6340-46ac-b488-d31aa4058e9c/entry/the_linux_user_login_management_etc_passwd_and_etc_shadow_files19?lang=en


Summary:

The article introduces the passwd and shadow files and their formats.

passwd: although the name looks like "password", this file does not contain passwords; the real password hashes are in shadow. It mainly holds the following user information:

        User-Name / Encrypted password entry /User Id (UID) /Group Id (GID) /Home directory /shell

shadow: contains the password hash and the related time (ageing) information:

  • Login name
  • The corresponding Encrypted password
  • Number of days since 1st Jan 1970, that password was last changed
  • Number of days before password may be changed
  • Number of days after which password has to be changed
  • Number of days before password expiry warning starts popping up
  • Number of days after password expires that account is disabled
  • Number of days since 1st Jan 1970, that account is disabled
  • Reserved field for further use. 




Have you ever wondered what happens behind the scenes when a user logs in to Linux? Where is a user's login information kept, and how are the user's credentials validated? If not, read on: in this article we discuss how user login management and validation take place in Linux.
 

The /etc/passwd file

This is the file on a Linux system that contains the information related to user login. If we peek inside it, this is what it looks like on my Linux Mint box:
 
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
himanshu:x:1000:1001:Himanshu,,,:/home/himanshu:/bin/bash
guest:x:1001:1003::/home/guest:/bin/sh
 
So we see that this file contains a lot of information. The first entry corresponds to the root user, while the second-to-last entry and the last entry contain information related to my login and a guest user respectively. Let's understand the kind of information this file contains.

To start with, each line is the entry for one user. One might ask: the entries just mentioned are fine, but what about the others? Does my system really contain so many users? The answer is yes, although I never created them. These other entries are generated by the system for the programs that keep Linux running day to day, and similar entries can be found in almost all Linux distributions.

Now let's understand the information for a single user, which is held on a single line. Take my login entry as an example:
 
himanshu:x:1000:1001:Himanshu,,,:/home/himanshu:/bin/bash
 
Here the fields are separated by ':'.
The individual fields represent:

User-Name 
First up there is the login name, or user name, of the user. This name is unique across the system, as it identifies a particular user. Usually people try to use their first name as their login name, but this is not always possible since multiple people can have the same first name. In that case various techniques can be used to generate a unique user name. One of the most popular is to concatenate the initial of your first name with your last name and your year of birth. For example, a user name could be 'SParker84'.

Encrypted password entry 
Next up we have the encrypted password entry. On almost all modern Linux systems this entry contains 'x', which means that the actual encrypted password is not present here; it is kept in the /etc/shadow file instead (we will discuss this later). Each entry has a password, and as always, passwords are required so that nobody gains unauthorized access to another person's account.

There are two designs for keeping passwords secure: either plain passwords are stored in an encrypted file, or encrypted passwords are stored in a readable file. Initially the second design was followed, and the encrypted passwords were stored in the /etc/passwd file itself. The /etc/passwd file was kept readable by everyone, because most system processes and software use it to look up user information. This model worked fine for quite some time, as the DES encryption used for the passwords was hard to break with the processing speed available at the time. But the processor speed of even home computers kept increasing, up to the point where it became easy enough to break this encryption with brute-force attacks in real time. At that point alarm bells started ringing, and the encrypted passwords were soon moved to a separate file, /etc/shadow, which was made readable only by root so that the passwords are kept securely. The argument that /etc/passwd itself could have been root-protected was played down, because most existing software uses this file and it was practically very difficult to make that change without breaking existing software. Also, many Linux distributions use the MD5 algorithm to protect the passwords, which makes cracking them (if someone does get hold of /etc/shadow) even more difficult.

User Id (UID) 
The third field contains the user ID. This can be understood as the user name in numeric form. Like the user name, it is unique across the system. If the UID of a particular user is zero, that user is root, the superuser, who has full access to the system. The UID is used to determine a user's access privileges.

Group Id (GID) 
An individual user can also be part of a group of users. Groups are formed to make things easier, for example to grant certain access to a group of users rather than to each user individually. Each group has a group ID, which is unique and identifies a single group of users. So, coming back to this entry: it contains the group ID of the group to which this user belongs.

General Electric Comprehensive Operating System (GECOS)
 
The next field is the GECOS entry. It may contain information such as the user's real or full name, telephone number and other contact information, all comma separated. Mostly only the full user name (or application name, if the entry is for a program) is present. For example:
 
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
 
Also note that not all entries contain a GECOS entry. Many contain just the user or application name and no commas. Whether a GECOS entry is produced depends on the program used to create the entry; for example, the useradd program creates a GECOS entry.

Home directory
 
This is the default directory the user lands in right after login. It could be any directory, but it is mostly the user's home directory, where the user creates files and manages everything in a customized environment. This is especially useful when multiple users are logged in at the same time (Linux being a multi-user system), as it avoids conflicts by placing each user in his or her own home directory.

Shell 
Right after login, a shell provides the environment in which the user runs commands, works with environment variables and so on. Since Linux comes with different types of shells, this field records which shell is used for this user. The most popular and widely used shell is BASH.
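The seven fields just described, parsed and sanity-checked in code. This is an added example, not code from the original article; the sample data below takes four lines from the article's listing and adds two constructed anomalies (a second UID-0 account and an empty password field) so that the audit has something to report. The checks mirror the article's own points: UID 0 means superuser, and a password field other than 'x' means the hash is not shadowed.

```python
"""Parse /etc/passwd lines into the seven colon-separated fields the article
describes and run a few defensive sanity checks over the result.
Added example; the sample data is constructed for this demo."""
from dataclasses import dataclass
from typing import List

# Constructed sample: four lines taken from the article's listing plus two
# constructed anomalies, a second UID-0 account ('toor') and an account with
# an empty password field ('svc').
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
himanshu:x:1000:1001:Himanshu,,,:/home/himanshu:/bin/bash
guest:x:1001:1003::/home/guest:/bin/sh
toor:x:0:0:constructed second superuser:/root:/bin/bash
svc::1002:1002:constructed empty password:/var/lib/svc:/bin/sh
"""


@dataclass
class PasswdEntry:
    name: str        # login name, unique on the system
    password: str    # 'x' means the hash lives in /etc/shadow
    uid: int         # 0 is the superuser
    gid: int         # primary group
    gecos: str       # comma-separated: full name, room, phones, other
    home: str        # directory the user lands in after login
    shell: str       # login shell (/bin/false for many service accounts)

    @property
    def full_name(self) -> str:
        # The first GECOS field is the real name (or program name).
        return self.gecos.split(",")[0]


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each non-empty line on ':' and require exactly seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        name, pw, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return human-readable findings for the conditions a reviewer checks first."""
    findings = []
    extra_root = [e.name for e in entries if e.uid == 0 and e.name != "root"]
    if extra_root:
        findings.append(f"extra UID 0 accounts: {extra_root}")
    for e in entries:
        if e.password == "":
            findings.append(f"{e.name}: empty password field, login needs no password")
        elif e.password != "x" and not e.password.startswith(("!", "*")):
            findings.append(f"{e.name}: password hash kept in world-readable /etc/passwd")
    names = [e.name for e in entries]
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        findings.append(f"duplicate login names: {dups}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

To run the same checks on a live system, pass the contents of the real file instead of the sample: `audit_passwd(parse_passwd(open("/etc/passwd").read()))`. The file is world-readable, so this needs no privileges.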
 

The /etc/shadow file

As discussed earlier, this file contains the encrypted password entries for the users on the system. Besides the encrypted password, an entry in this file also contains ageing and expiration information for the password. An entry can be broken down into the following fields:

  • Login name
  • The corresponding Encrypted password
  • Number of days since 1st Jan 1970, that password was last changed
  • Number of days before password may be changed
  • Number of days after which password has to be changed
  • Number of days before password expiry warning starts popping up
  • Number of days after password expires that account is disabled
  • Number of days since 1st Jan 1970, that account is disabled
  • Reserved field for further use. 

An example of /etc/shadow file from my Linux mint box looks like :
 
himanshu:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xF/n3mskfdnEnnWNtLdl.Etq5oLVqj.UVhoWJKF4.FstCXcrj4SkARtpAigfRm1:15045:0:99999:7:::
 
Also, just to check whether this file is root protected, I did a quick cat on it and this is what I got:
 
cat /etc/shadow
cat: /etc/shadow: Permission denied
 
So it's clear that this file can only be accessed by root.

Finally, to conclude: whenever a user tries to log in by providing a user name and password, the user name is taken as-is, while the password is first encrypted and then matched against the user-name and encrypted-password entries that Linux maintains in the /etc/passwd and /etc/shadow files. This is how user authentication is validated on Linux.
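The nine shadow fields and the login check described above, worked through in code. This is an added example, not code from the original article. The first sample line is the article's own entry; its `$6$` prefix identifies the sha512-crypt scheme, and its last-change day 15045 corresponds to 12 March 2011. The other two lines are constructed: a legacy MD5-crypt entry whose hash value is a placeholder, not a real digest, and a locked account. `verify_password` shows the re-hash-and-compare step that login performs through crypt(3); it is not exercised here because Python's `crypt` module is deprecated and removed in 3.13.

```python
"""Parse /etc/shadow entries, identify the hash scheme from the $id$ prefix
and evaluate the password-ageing fields against a given day number.
Added example; the second and third sample lines are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# crypt(3) scheme identifiers as they appear in the hash field.
HASH_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}
WEAK_SCHEMES = {"md5-crypt", "des-crypt"}

# Constructed sample: the article's own line, a constructed legacy MD5-crypt
# entry (placeholder hash, not a real digest) and a locked account.
SAMPLE_SHADOW = """\
himanshu:$6$3WWbKfr1$4vblknvGr6FcDeF92R5xF/n3mskfdnEnnWNtLdl.Etq5oLVqj.UVhoWJKF4.FstCXcrj4SkARtpAigfRm1:15045:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERmd5cryptvalue0000:14000:0:90:7:14::
guest:*:15045:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]    # days since 1970-01-01; empty disables ageing
    min_days: Optional[int]       # days before the password may be changed again
    max_days: Optional[int]       # days after which it must be changed
    warn_days: Optional[int]      # days of warning before expiry
    inactive_days: Optional[int]  # grace days after expiry before the account locks
    expire_day: Optional[int]     # absolute day on which the account is disabled
    reserved: str


def _int_or_none(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Nine colon-separated fields per line; empty numeric fields become None."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(parts)}")
        nums = [_int_or_none(p) for p in parts[2:8]]
        entries.append(ShadowEntry(parts[0], parts[1], *nums, parts[8]))
    return entries


def hash_scheme(pw_hash: str) -> str:
    """Classify the hash field: empty, locked, a $id$ scheme, or legacy DES."""
    if pw_hash == "":
        return "empty"
    if pw_hash == "*" or pw_hash.startswith("!"):
        return "locked"
    if pw_hash.startswith("$"):
        scheme_id = pw_hash.split("$")[1]
        return HASH_IDS.get(scheme_id, f"unknown({scheme_id})")
    return "des-crypt"  # traditional 13-character hash carries no prefix


def day_number(year: int, month: int, day: int) -> int:
    """Days since 1 Jan 1970, the unit used by the shadow date fields."""
    return (date(year, month, day) - date(1970, 1, 1)).days


def password_status(e: ShadowEntry, today: int) -> str:
    """Apply the ageing rules of shadow(5) to `today` (a day number)."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"
    if e.last_change is None:
        return "no-ageing"
    if e.last_change == 0:
        return "must-change"  # 0 forces a change at next login
    if e.max_days is None or e.max_days >= 99999:
        return "ok"  # effectively never expires
    expires_on = e.last_change + e.max_days
    if today >= expires_on:
        if e.inactive_days is not None and today >= expires_on + e.inactive_days:
            return "password-expired-locked"
        return "password-expired"
    if e.warn_days and today >= expires_on - e.warn_days:
        return "warn"
    return "ok"


def verify_password(candidate: str, stored: str) -> bool:
    """What login/PAM does: re-run crypt(3) with the stored salt and compare.
    Python's crypt module is deprecated (removed in 3.13); shown for the flow."""
    import crypt
    import hmac
    return hmac.compare_digest(crypt.crypt(candidate, stored), stored)


if __name__ == "__main__":
    today = day_number(2011, 6, 20)  # constructed evaluation date
    for entry in parse_shadow(SAMPLE_SHADOW):
        scheme = hash_scheme(entry.pw_hash)
        weak = " (weak)" if scheme in WEAK_SCHEMES else ""
        print(f"{entry.name}: {scheme}{weak}, status={password_status(entry, today)}")
```

Reading the real file requires root, exactly as the `Permission denied` above shows; run it as `sudo python3 shadow_audit.py` after replacing `SAMPLE_SHADOW` with `open("/etc/shadow").read()`. The scheme classification is the practical caveat to the article's MD5 remark: an `$1$` entry should be flagged for re-hashing under a current scheme at the user's next password change.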
