LinuxSir.cn, Linuxsir through time and space!
/etc/shadow

Posted 2004-8-8 18:20:50
Can the files /etc/shadow, /etc/passwd and /etc/group be renamed or moved to another location? (for security reasons)
Posted 2004-8-8 19:09:14
Personally I think that on a standalone machine it doesn't seem necessary.

Appendix: an introduction to shadow passwords
Shadow Passwords
Introduction
Every Linux distribution today installs shadow passwords as standard. In this article, we'll look at why this suite of programs has replaced the older, simpler set; how to use them; and, in the unlikely event that you are running a distribution so old you don't yet have shadow passwords, how to install the system.
Why Shadow Passwords?
Simply, the shadow password scheme addresses the major shortcoming of the original Unix password-handling scheme; that is, the way in which the password list was stored as a world-readable file.

The encoding mechanism used for Unix passwords was (and is) very secure, being a one-way algorithm i.e. easy to apply but impossible to reverse. However, the password file itself is vulnerable to a cracking technique known as the "dictionary attack", in which all the words from a large dictionary file are in turn encoded and compared with the encoded password (readable by any user, remember) in /etc/passwd. This dictionary file is usually based on an actual English language dictionary with the addition of commonly-used words, slang, and weak passwords (for example, "gandalf", "xyzzy", "qwerty", or even, God help us, "password"). If the two match, then obviously our original, unencoded word is the password.

This sounds simple when you read about it, but it takes a while to run the tens and hundreds of thousands of entries against a single password. This is, however, still not all that difficult to do with today's high-performance computing systems. Shadow passwords let us keep the advantages of the Unix password mechanism and thus backward compatibility with the huge base of Unix applications, while preventing this particular common form of attack.
An Overview
Let's take a look at the various components of the shadow password system. There are four files used by the shadow password system: /etc/passwd, /etc/shadow, /etc/group, and /etc/login.defs

The /etc/passwd file is almost the same standard comma-delimited file used since the Unix days, with a slight difference; the second field, which used to contain the password, now holds only an x. This indicates that the actual encrypted password is now stored elsewhere.

Note that the shadow password suite, like the older method, uses the seventh, so-called GECOS, field of /etc/passwd as an extension mechanism for adding other fields of information.

The standard piece of information here is the user's full name. In addition, on systems with user disk quotas enabled, the flags for ulimit, umask, and niceness can be set here.

    * ulimit controls the maximum size for files which the user can create.
    * umask is the permissions mask for file creation, expressed as an octal number. For example, a umask of 077 would result in any files I create having permissions of 600 i.e. readable and writable by me, not accessible by other users.
    * niceness is the priority the user's background jobs will run with. The priority range is -20 (the highest priority) to 19 (the lowest).

A more usual use is to store extra user information in a comma-separated list such as below:

full name,office/room number,office phone,home phone

This layout is used by the finger command to display these additional details about the user as part of its output.

The /etc/shadow file stores the encoded password, and other information that enhances the standard Unix password scheme to include support for password aging. This establishes time limits as to how long a user can maintain one password for an account before it has to be changed to a different one, for the sake of increasing security. /etc/shadow is readable and writable by root, and readable by group shadow; no other users have any access.

The /etc/group file is another old standard designating groups of users within Unix and Linux systems. Each line starts with a group name, a field for passwords, a unique group identifier, and a list of user accounts that belong to the group. Like the /etc/passwd file, the password field simply contains an "x" while the real group password is held in /etc/shadow.

The /etc/login.defs file is the master control file for the shadow password suite. You need to edit this file to configure the various options for the shadow password system.

In addition to these files, there are a handful of programs that are used with the shadow password system, as shown in Table 1.

Table 1: programs in the shadow password suite (man page section in parentheses)

    * login(1)
    * passwd(1)
    * su(1)
    * sulogin(8)
    * chage(1)
    * pwconv(8)
    * pwunconv(8)
    * grpconv(8)
    * grpunconv(8)

Working with the Shadow Password suite
Configuration
The master configuration file for shadow passwords is /etc/login.defs. Here, I'll take you through the whole file, examining each option and its default value(s).

FAIL_DELAY 3

Delay in seconds before being allowed another attempt after a login failure

DIALUPS_CHECK_ENAB yes

Enable additional passwords upon dialup lines specified in /etc/dialups.

FAILLOG_ENAB yes

Enable logging and display of /var/log/faillog login failure info.

LOG_UNKFAIL_ENAB no

Enable display of unknown usernames when login failures are recorded.

LOG_OK_LOGINS no

Enable logging (to /var/log/wtmp) of successful logins.

LASTLOG_ENAB yes

Enable logging and display of /var/log/lastlog login time info.

MAIL_CHECK_ENAB yes

Enable checking and display of mailbox status upon login. Disable if the shell startup files already check for mail ("mailx -e" or equivalent).

OBSCURE_CHECKS_ENAB yes

Enable additional checks upon password changes.

PORTTIME_CHECKS_ENAB yes

Enable checking of time restrictions specified in /etc/porttime.

QUOTAS_ENAB yes

Enable setting of ulimit, umask, and niceness from passwd gecos field.

SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes

Enable "syslog" logging of su activity - in addition to sulog file logging. SYSLOG_SG_ENAB does the same for newgrp and sg.

CONSOLE /etc/securetty
#CONSOLE console:tty01:tty02:tty03:tty04

Either full pathname of a file containing device names or a ":" delimited list of device names. Root logins will be allowed only upon these devices.

SULOG_FILE /var/log/sulog

All su activity is logged to this file.

MOTD_FILE /etc/motd

":" delimited list of "message of the day" files to be displayed upon login.

ISSUE_FILE /etc/issue

A file holding a short message that will be displayed before each login prompt.

TTYTYPE_FILE /etc/ttytype

A file which declares terminal types for particular tty lines. A typical file might look like:

linux   tty1
linux   tty2
linux   tty3
linux   tty4
wyse30  ttyS4
vt100   ttyp0
vt100   ttyp1
vt100   ttyp2
vt100   ttyp3

FTMP_FILE /var/log/btmp

Login *failures* will be logged here in a utmp format.

NOLOGINS_FILE /etc/nologin

This file, if present, will prevent non-root logins. The contents of the file will be displayed when login is denied, so it's obviously a good idea to write an explanation in here.

SU_NAME su

The command name to display when running "su -".

MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

The directory (MAIL_DIR) or file (MAIL_FILE) where mail is stored. This is used for the "you have new mail" message on login. If both are defined, MAIL_DIR takes precedence.

HUSHLOGIN_FILE /etc/hushlogins
HUSHLOGIN_FILE .hushlogin

If this file exists, all the normal messages displayed during the login sequence are suppressed. A full pathname says that "hushed" mode should be used if the user's name or shell are in that file; a bare filename indicates that hushed mode will be used if a file of that name exists in the user's home directory.

ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
ENV_PATH PATH=/usr/local/bin:/bin:/usr/bin

The default PATH settings, for superuser and normal users respectively.

TTYGROUP tty
TTYPERM 0620

Terminal permissions: respectively, the group which owns device tty, and the permissions on the device file.

If the "write" program on your system is "setgid" to a special group which owns the terminals, then TTYGROUP should be set to the group number and TTYPERM to 0620. Otherwise, leave TTYGROUP commented out and set TTYPERM to either 622 or 600.

ERASECHAR 0177
KILLCHAR 025
UMASK 022
#ULIMIT 2097152

Login configuration initializations:

ERASECHAR is the default terminal "ERASE" character ('\010' = backspace).

KILLCHAR is the default terminal "KILL" character ('\025' = CTRL/U).

UMASK is the default "mask" that will be applied to the permissions on all new files created during this login. e.g. a umask of 077 means that an ordinary file will have default permissions of 600.

ULIMIT is the default "ulimit" value: the maximum size for a file under this login.

Note: Prefix these values with "0" to get octal, "0x" to get hexadecimal.

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

The default values for password aging controls. The use of each field is, respectively, the maximum number of days a password may be used, the minimum number of days allowed between password changes, the minimum acceptable password length, and the number of days warning given before a password expires.

SU_WHEEL_ONLY no

If "yes", the user must be listed as a member of the first gid 0 group in /etc/group (called "root" on most Linux systems) to be able to "su" to uid 0 accounts. If the group doesn't exist or is empty, no one will be able to "su" to uid 0.

#CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict

The path to the dictionaries if the suite has been compiled with cracklib support.

UID_MIN 1000
UID_MAX 60000

Min/max values for automatic uid selection in useradd.

GID_MIN 100
GID_MAX 60000

Min/max values for automatic gid selection in groupadd.

LOGIN_RETRIES 5

Max number of login retries if password is bad

LOGIN_TIMEOUT 60

Max time in seconds before a login session expires -- in other words, the amount of time allowed between entry of username and entry of password.

PASS_CHANGE_TRIES 5

Maximum number of attempts to change password if it is at first rejected.

PASS_ALWAYS_WARN yes

Warn about weak passwords even if you are root. Note that this will not stop root giving themselves a bad password; it just lets them know that the password is weak.

PASS_MAX_LEN 8

Number of significant characters in the password for crypt().

CHFN_AUTH yes

Require password before chfn/chsh can make any changes.

CHFN_RESTRICT frwh

Which fields may be changed by regular users using chfn. The letters are codes for full name, room number, work phone, home phone respectively. If not defined, no changes are allowed.

LOGIN_STRING "%s's Password: "

Password prompt (%s will be replaced by user name).

MD5_CRYPT_ENAB yes

Only works if compiled with MD5_CRYPT defined: If set to "yes", new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings. Set to "no" if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default is "no".

#CONSOLE_GROUPS floppy:audio:cdrom

List of groups to add to the user's supplementary group set when logging in on the console (as determined by the CONSOLE setting). Default is none. Use with caution - it is possible for users to gain permanent access to these groups, even when not logged in on the console. How to do it is left as an exercise for the reader...

DEFAULT_HOME yes

Should login be allowed if we can't cd to the home directory? Default is no.

ENVIRON_FILE /etc/environment

If this file exists and is readable, login environment will be read from it. Every line should be in the form name=value.

USERDEL_CMD /usr/sbin/userdel_local

If defined, this command is run when removing a user. It should remove any at/cron/print jobs etc. owned by the user to be removed (passed as the first argument).

NO_PASSWORD_CONSOLE tty1:tty2:tty3:tty4:tty5:tty6

If defined, either full pathname of a file containing device names or a ":" delimited list of device names. No password is required to log in on these devices.
Rules for good passwords

    * Do not use the account name
    * Do not use any word found in a dictionary
    * Do not use names of people or things
    * Do not use publicly-available information about yourself -- phone number, for example
    * Do not use keyboard sequences -- qwerty!
    * Do not use short passwords
    * Do use longer passwords -- at least six characters is a good rule
    * Do use a mixture of numbers and letters
    * Do use a mixture of upper and lower case letters

Note that the maximum practical length for a password is eight characters, but nothing stops you from using more characters. This leads to a side-effect -- the first eight characters are your "real" password. So, qwertyuiZ13xi is NOT a good password, because it's just qwertyui, an easily-guessable keyboard sequence.
Password Administration
User accounts are locked and unlocked using the passwd command. The -l flag locks, the -u flag unlocks. e.g.

$ passwd -l joe

will lock the joe account so that user is no longer able to log in.

The passwd program does some checking for poor passwords when a user attempts to change their password. Poor passwords will be rejected. It doesn't use a dictionary, but a set of simple algorithms that can detect common flaws in passwords. It can't be a palindrome, more than half the characters must be different, there should be a mix of letters and numbers, and/or letters should be mixed-case, and it mustn't be too short -- for example, a password consisting only of lower-case letters must be 8 characters; if there is a mix of case, it can be 7 or 8 characters, etc.

The password aging information is maintained by root using the -x, -n, -w, and -i options to the passwd command.

    * The -x option sets the maximum time in days that a password will be valid. After this time, the user is prompted on logging in to change their password. If they somehow evade this, they will not be able to log in again!
    * The -n option sets the minimum time in days before a password may be changed.
    * The -w option sets the length in days of the warning period a user is given before password expiration. This many days before the password is due to expire, the user will receive on logging in a warning message telling them of the days left before they must change their password.
    * The -i option disables an account after the password has been expired for a given number of days.

Group passwords are administered using the -g flag with the passwd command. To change a group password, use -g option alone. To do this for a given group, the user must be either root or the group administrator for that group. To remove a group password, use the -r option with the -g option. To restrict a group, use -R with -g.
Installing Shadow Passwords
It is unlikely that you don't have shadow passwords on your Linux machine. However, just in case you are still running SLS 1.03 or some other old thing with the traditional password system, the source package can be obtained from one of the sites listed in Resources. It now uses GNU autoconf and is configured just like most GNU packages: run ./configure, then make, then become root and run make install -- but back up the old system first, just in case!
Summary
Shadow passwords are a great improvement on the older Unix mechanism, but they are still vulnerable unless all users pick a good password. The importance of a good password cannot be overestimated. Working with shadow passwords is straightforward, since they build directly upon the older system.
Resources
Not a great deal of information on the Net. There is a Shadow password HOWTO, but this is out of date. The latest source can be obtained from the following locations: ftp://piast.t19.ds.pwr.wroc.pl/pub/linux/shadow/ ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/ http://www.itnet.pl/amelektr/linux/shadow/
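An added example, not part of the post above or of the shadow suite itself: a small POSIX shell audit that reads a shadow file and a login.defs file and reports the weaknesses the article discusses (empty password fields, 13-character traditional DES hashes where only eight characters count, accounts with the 99999-day "no aging" default, and login.defs values weaker than the article's own rules). The shadow and login.defs contents it builds are constructed sample data with placeholder hashes; the function names and the "weak" thresholds (six characters, MD5 hashing) are this example's assumptions. Run it without arguments to audit the samples, or as root with /etc/shadow and /etc/login.defs as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a shadow file and a
# login.defs file for the weaknesses the article describes. Without arguments
# it builds and audits constructed sample files (placeholder hashes, not real
# credentials), so it runs unprivileged; as root, pass /etc/shadow as $1 and
# /etc/login.defs as $2 to audit a live system.

# /etc/shadow fields, colon-separated:
#   1 login name  2 password hash  3 last change  4 min days  5 max days
#   6 warn days   7 inactive days  8 expiry       9 reserved
make_sample_shadow() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
root:$6$saltsalt$3Zg4K0F8gTn7HkYpQZm2nX8bN1cVd5eQ9rT2uW6yA0sD4fG8hJ3kL7mP1qS5vX9zC.:12345:0:99999:7:::
joe:!$6$saltsalt$3Zg4K0F8gTn7HkYpQZm2nX8bN1cVd5eQ9rT2uW6yA0sD4fG8hJ3kL7mP1qS5vX9zC.:12345:0:90:7:30::
alice:$1$salt1234$abcdefghijklmnopqrstuv:12345:0:90:7:::
bob:aBcDeFgHiJkLm:12345:0:99999:7:::
guest::12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
EOF
    echo "$f"
}

make_sample_login_defs() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed excerpt of /etc/login.defs using the article's default values
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
MD5_CRYPT_ENAB  no
EOF
    echo "$f"
}

# Accounts whose password field is empty: login(1) asks for no password at all.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Usable accounts (not locked with "!" or "*") whose hash is a 13-character
# traditional DES crypt() hash: only the first 8 password characters count.
des_hashes() {
    awk -F: '$2 != "" && $2 !~ /^[!*$]/ && length($2) == 13 { print $1 }' "$1"
}

# Usable accounts with PASS_MAX_DAYS at the 99999 default: no password aging.
no_aging() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Locked accounts: "passwd -l" prefixes the hash with "!", system accounts use "*".
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Value of one option in a login.defs-style file; comments ignored, last wins.
login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# One line per login.defs setting weaker than the article's own advice.
weak_login_defs() {
    [ "$(login_def "$1" PASS_MAX_DAYS)" -ge 99999 ] 2>/dev/null &&
        echo "PASS_MAX_DAYS: no password aging"
    [ "$(login_def "$1" PASS_MIN_LEN)" -lt 6 ] 2>/dev/null &&
        echo "PASS_MIN_LEN: below the six-character rule"
    [ "$(login_def "$1" MD5_CRYPT_ENAB)" != yes ] &&
        echo "MD5_CRYPT_ENAB: new hashes will be DES, 8 significant characters"
    return 0
}

audit() {
    echo "empty password : $(empty_passwords "$1" | tr '\n' ' ')"
    echo "DES hash       : $(des_hashes "$1" | tr '\n' ' ')"
    echo "no aging       : $(no_aging "$1" | tr '\n' ' ')"
    echo "locked         : $(locked_accounts "$1" | tr '\n' ' ')"
    weak_login_defs "$2"
}

if [ $# -eq 2 ]; then
    audit "$1" "$2"
else
    s=$(make_sample_shadow); d=$(make_sample_login_defs)
    audit "$s" "$d"
    rm -f "$s" "$d"
fi
```

On the sample data the audit flags guest (empty password), bob (DES hash), root and bob (no aging), joe and daemon (locked), and all three login.defs settings. The checks are deliberately restricted to what the article itself recommends; a real audit would also compare the shadow file's mode and ownership against the root/shadow-group permissions the article describes.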