Or from the web: the Linux Documentation Project Web Server, page: Shadow-Password-HOWTO, or contact me: . It is also posted to the newsgroup: comp.os.linux.answers
This document is now also included in the Shadow-YYDDMM package.
1.3 Feedback
Please send any comments, corrections or suggestions to: Michael H. Jackson. I will reply as soon as possible and correct the document. If you find any problems, please email me directly; I will post the most current information to the newsgroup.
2. Why shadow your passwd file?
Most current Linux distributions do not include the Shadow Suite in their default installation. These include Slackware 2.3, Slackware 3.0 and other popular distributions. One of the main reasons is that the copyright notice in the original Shadow Suite did not clearly state whether users had to pay to use the software. Linux uses the GNU license, which generally allows users to use the related packages freely and without charge.
A configuration file to set login defaults (/etc/login.defs)
Utilities for adding, modifying, and deleting user accounts and groups
Password aging and expiration
Account expiration and locking
Shadowed group passwords (optional)
Double-length passwords (16 character passwords) [not recommended]
Better control over users' password selection
Dial-up passwords
Secondary authentication programs [not recommended]
Installing the Shadow Suite contributes to a more secure system, but there are other ways to improve the security of a Linux system, and eventually a series of Linux Security HOWTOs will discuss other security measures and the related documents.
For current information on other Linux security documents, see the Linux Security home page.
2.1 Why you might NOT want to shadow your passwd file
There are a few circumstances and configurations in which installing the Shadow Suite would NOT be a good idea:
The machine does not contain user accounts.
The machine runs on a LAN and uses Network Information Services (NIS) to get or supply user names and passwords to other machines on the network (this can in fact be done, but in practice it does not add any security).
The machine is used by terminal servers to verify users via NFS (Network File System), NIS, or some other method.
The machine runs other software that validates users, and no shadow version or source code of it is available.
full_name
The user's full name - in fact this field is called the GECOS (General Electric Comprehensive Operating System) field and can store information other than just the full name. The Shadow commands and manual pages refer to this field as the comment field.
"crypt is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.
[The] key is a user's typed password. [The encoded string is all NULLs]
[The] salt is a two-character string chosen from the set [a-zA-Z0-9./]. This string is used to perturb the algorithm in one of 4096 different ways.
"Applied Cryptography: Protocols, Algorithms, and Source Code in C"
by Bruce Schneier
ISBN: 0-471-59756-2
3. Getting the Shadow Suite
3.1 History of the Shadow Suite for linux (not yet translated)
3.2 History of the Shadow Suite for linux
DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS
The original Shadow Suite was written by John F. Haugh II.
There are several versions that have been used on linux systems:
shadow-3.3.1 is the original.
shadow-3.3.1-2 is linux specific patch made by Florian La Roche and contains some further enhancements.
shadow-mk was specifically packaged for linux.
The shadow-mk package contains the shadow-3.3.1 package distributed by John F. Haugh II with the shadow-3.3.1-2 patch installed, a few fixes made by Mohan Kokal that make installation a lot easier, a patch by Joseph R.M. Zbiciak for login1.c (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.
The shadow.mk package was the previously recommended package, but should be replaced due to a security problem with the login program.
There are security problems with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the login program. This login bug involves not checking the length of a login name. This causes the buffer to overflow causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain root access. I won't discuss exactly how this is possible because there are a lot of linux systems that are affected, but systems with these Shadow Suites installed, and most pre-ELF distributions without the Shadow Suite are vulnerable!
For more information on this and other linux security issues, see the Linux Security home page (Shared Libraries and login Program Vulnerability)
If you install the Shadow Suite, then run the X Window System and lock the screen without having updated your xlock program, you will have to use CNTL-ALT-Fx to switch to another tty, log in, and kill the xlock process (or use CNTL-ALT-BS to kill the X server). Fortunately, it is also easy to update your xlock program.
fred's account has now been created, but fred still cannot log in until we unlock the account. Unlocking the account is done by changing the password, as follows:
passwd fred
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
Now the /etc/shadow file will contain:
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
# Suite's useradd and passwd commands.
#
# Written by Mike Jackson as an example for the linux
# Shadow Password Howto. Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program. It could also be modified to disallow
# stupid entries. (i.e. better error checking).
#
##
# Defaults for the useradd command
##
GROUP=100        # Default Group
HOME=/home       # Home directory location (/home/username)
SKEL=/etc/skel   # Skeleton Directory
INACTIVE=0       # Days after password expires to disable account (0=never)
EXPIRE=60        # Days that a password lasts
SHELL=/bin/bash  # Default Shell (full path)
##
# Defaults for the passwd command
##
PASSMIN=0        # Days between password changes
PASSWARN=14      # Days before password expires that a warning is given
##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
    echo "You must be root to add new users!"
    exit 1
fi
##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.
#
# The trailing \ continues the command on the next line.
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
    -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME
##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1
##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME
##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S $USERNAME
echo ""
It contains flags that can be turned on or off that determine the amount of logging that takes place.
It contains pointers to other configuration files.
It contains defaults assignments for things like password aging.
From the above you can see that this is an important file, and you should check its current settings and decide what you want to set for your system.
Despite the fact that there is not currently a manual page for gpasswd, typing gpasswd without any parameters gives a listing of options. It's fairly easy to grasp how it all works once you understand the file formats and the concepts.
struct spwd
{
    char *sp_namp;          /* login name */
    char *sp_pwdp;          /* encrypted password */
    sptime sp_lstchg;       /* date of last change */
    sptime sp_min;          /* minimum number of days between changes */
    sptime sp_max;          /* maximum number of days between changes */
    sptime sp_warn;         /* number of days of warning before password expires */
    sptime sp_inact;        /* number of days after password expires until the account becomes unusable. */
    sptime sp_expire;       /* days since 1/1/70 until account expires */
    unsigned long sp_flag;  /* reserved for future use */
};
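As an added example (not code from the HOWTO or the Shadow Suite), here is a C parser that turns one /etc/shadow line, such as the entry for fred shown earlier, into the same fields as struct spwd above, together with the aging check that decides whether that entry is locked, usable or expired on a given day count. The type and function names, the status codes and the sample day numbers are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Same fields as the Shadow Suite's struct spwd (constructed example, not HOWTO code). */
typedef struct {
    char name[64];
    char pwdp[128];
    long lstchg, min, max, warn, inact, expire; /* day counts since 1970-01-01; -1 = not set */
    unsigned long flag;
} shadow_entry;
enum { ST_OK, ST_LOCKED, ST_MUST_CHANGE, ST_PW_EXPIRED, ST_INACTIVE, ST_ACCT_EXPIRED };
/* An empty numeric field means "not set"; report it as -1, as getspnam(3) does. */
static long field_num(const char *s) { return *s ? strtol(s, NULL, 10) : -1; }
/* Split one /etc/shadow line into its nine colon-separated fields.
 * strtok() would swallow empty fields, so the split is done by hand. Returns 0 or -1. */
int parse_shadow_line(const char *line, shadow_entry *e) {
    char buf[512], *f[9], *p = buf;
    int n = 1;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    f[0] = buf;
    while (n < 9 && (p = strchr(p, ':')) != NULL) { *p++ = '\0'; f[n++] = p; }
    if (n != 9 || strchr(f[8], ':') || !*f[0]) return -1;         /* exactly nine fields */
    if (strlen(f[0]) >= sizeof e->name || strlen(f[1]) >= sizeof e->pwdp) return -1;
    strcpy(e->name, f[0]); strcpy(e->pwdp, f[1]);
    e->lstchg = field_num(f[2]); e->min = field_num(f[3]);   e->max = field_num(f[4]);
    e->warn = field_num(f[5]);   e->inact = field_num(f[6]); e->expire = field_num(f[7]);
    e->flag = *f[8] ? strtoul(f[8], NULL, 10) : 0;
    return 0;
}
/* Classify an entry for a day count: a password starting with '!' or '*' is locked (useradd
 * creates accounts locked), lstchg 0 forces a change, the password expires max days after
 * lstchg, and inact further days disable the account; a positive expire field ends the account. */
int shadow_status(const shadow_entry *e, long today) {
    if (e->pwdp[0] == '!' || e->pwdp[0] == '*') return ST_LOCKED;
    if (e->expire > 0 && today >= e->expire) return ST_ACCT_EXPIRED;
    if (e->lstchg == 0) return ST_MUST_CHANGE;
    if (e->lstchg > 0 && e->max >= 0 && today > e->lstchg + e->max)
        return (e->inact > 0 && today > e->lstchg + e->max + e->inact) ? ST_INACTIVE : ST_PW_EXPIRED;
    return ST_OK;
}
long days_until_expiry(const shadow_entry *e, long today) { /* -1 when aging is not enforced */
    return (e->lstchg > 0 && e->max >= 0) ? e->lstchg + e->max - today : -1;
}
int main(void) { /* constructed sample: the fred entry from the text, checked on day 9600 */
    shadow_entry e;
    if (parse_shadow_line("fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0", &e) == 0)
        printf("%s: status %d, %ld days left\n", e.name, shadow_status(&e, 9600), days_until_expiry(&e, 9600));
    return 0;
}
```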
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

    /*
     * XXX If no passwd, let them login without one.
     */
    if (pw->pw_passwd == '