Complete guide to the /etc/shadow file in Linux
The shadow file and the passwd file are used together for local user authentication on Linux. The shadow file is a plain-text file that stores per-account password data; its most important field is the password field, which holds the password in hashed (one-way) form rather than in plaintext.
Storing password hashes in the world-readable /etc/passwd file would make the system easy to attack. The shadow file is therefore given restrictive permissions, typically mode 640 owned by root with group shadow, or stricter (400, or 000 on Red Hat-based systems, where root bypasses the mode bits anyway).
What will we cover?
In this article, we will explain Shadow files in Linux.
Why do we need shadow files?
The passwd file in Linux must be readable by everyone, because ordinary tools need it to map user IDs to names. For that reason the password hashes were moved out of it into a separate file, the shadow file, which can only be read by root. The file lives at /etc/shadow.
Like the passwd file, each line of the shadow file starts with an account name and uses colons to separate the fields. Keeping the hashes in a separate file also made room for extra per-account fields, which is what supports account control and password aging.
The shadow file is read-protected to guard the password hashes. This is an important security measure: anyone who can read the file can copy the hashes and attempt to crack them offline.
Security Aspects of Shadow Files
The shadow file is also the place to look when resetting a lost root password: from a rescue environment one can locate the root user's entry and edit its fields to regain access. Note that this resets the password; the stored hash is one-way and cannot be reversed to recover the old password. The recovery procedure itself is outside the scope of this article.
As mentioned before, the shadow file can only be read by the root user. An unprivileged local user who tries to read other accounts' hashes is simply denied. If an attacker does obtain the file in some way, the time needed to crack a hash depends on the hashing algorithm and its cost parameters as well as on the strength of the password itself. Even then it is not easy: cracking can take anywhere from minutes to many years.
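The read-protection this section relies on is worth verifying rather than assuming. The following is an added example, not code from the original article: a small Python audit of the shadow file's mode and ownership. The pure function takes the stat values as arguments so it can be exercised on constructed inputs; the wrapper applies it to a real path. It assumes the Debian convention of a `shadow` group with mode 640 (a root:root file with mode 000, as on Red Hat-based systems, also passes).

```python
"""Audit ownership and mode of a shadow file (added example, not the article's code).

audit_shadow_mode() is pure so it can be tested on constructed stat values;
audit_path() applies it to a real file. Allowed groups default to root only;
audit_path() also allows the 'shadow' group if it exists (Debian convention).
"""
import grp
import os
import stat
from typing import List, Tuple

ROOT_UID = 0


def audit_shadow_mode(st_mode: int, st_uid: int, st_gid: int,
                      allowed_gids: Tuple[int, ...] = (0,)) -> List[str]:
    """Return findings for a shadow-file stat; an empty list means it is acceptably protected."""
    findings = []
    perm = stat.S_IMODE(st_mode)
    if not stat.S_ISREG(st_mode):
        findings.append("not a regular file (symlink or special file)")
    if st_uid != ROOT_UID:
        findings.append(f"owner uid {st_uid} is not root")
    if st_gid not in allowed_gids:
        findings.append(f"group gid {st_gid} is not root or shadow")
    if perm & stat.S_IRWXO:
        findings.append(f"world-accessible mode {perm:04o}")
    if perm & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"group has write/execute on mode {perm:04o}")
    if perm & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        findings.append(f"unexpected special bits on mode {perm:04o}")
    return findings


def audit_path(path: str = "/etc/shadow") -> List[str]:
    """Audit a real file; lstat() is used so a symlinked shadow file is reported."""
    st = os.lstat(path)
    gids = [ROOT_UID]
    try:
        gids.append(grp.getgrnam("shadow").gr_gid)   # assumption: Debian-style shadow group
    except KeyError:
        pass                                          # no shadow group (e.g. root:root 0000)
    return audit_shadow_mode(st.st_mode, st.st_uid, st.st_gid, tuple(gids))


if __name__ == "__main__":
    problems = audit_path()
    print("OK" if not problems else "\n".join(problems))
```

Running the script as root prints OK on a correctly protected system; a world-readable mode, a non-root owner or a symlink in place of the file is reported as a finding. Group write is flagged because members of the shadow group are only meant to read the hashes (for password verification by helpers), never to alter them.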
Format of shadow file entries
Each line of the shadow file has the following format:
login:encryptedpassword:lastchangedate:min_age:max_age:warning:inactivity:expiration_date:reserved
The age fields (min_age, max_age, warning, inactivity) are counts of days. lastchangedate and expiration_date are dates, expressed as the number of days since the start of Unix time, January 1, 1970.
Description of the fields in the shadow file
Each entry has nine fields, separated by colons (':').
Each field in turn:
Login: Every line in the shadow file starts with the username. The username links the entry in the shadow file to the corresponding entry in /etc/passwd.
Encrypted password: the password hash in crypt(3) format (for example a $6$ prefix for SHA-512 crypt), which bears no resemblance to the real password. A value of * or ! means password login is disabled for the account; a ! prefixed to an otherwise valid hash means the account has been locked with its hash preserved. An empty field means no password is required, which no real account should have.
Last change date: the date of the previous password change, expressed as the number of days since the Unix epoch. A value of 0 means the user must change the password at the next login. An empty field means password aging is disabled for this account.
Minimum age: the minimum number of days after the last change before the user may change the password again, i.e. the password can only be changed once the date reaches lastchange + min_age. If the field is empty or 0, the password may be changed at any time.
Maximum age: the number of days after the last change for which the password remains valid; once the date reaches lastchange + max_age the user must change it, so this is effectively the password expiry date. If the field is empty there is no maximum age, and consequently the warning and inactivity fields have no effect.
Warning: the number of days before password expiry during which the user is warned to change the password, i.e. the warning period starts at lastchange + max_age - warning. A value of 0 or an empty field means there is no warning period.
Inactivity: the number of days after password expiry during which the user may still log in and change the password; once this period has passed the account is disabled. If the field is empty there is no inactivity period.
Expiration date: the date, in days since the epoch, on which the account itself expires. From that day on the user can no longer log in. If the field is empty the account never expires. Never use the value 0 here: it is ambiguous between "no expiry" and an expiry on January 1, 1970.
Reserved: not currently used; reserved for future use.
Let us consolidate our understanding of the fields above with an example. Take the following sample entry from a shadow file:
linux-console:$6$kKRCC8ip8nKtFjjdZJIj:12825:14:45:10:30:13096
Breaking down each field in turn:
1. linux-console is the username.
2. The next field is the user's password hash. The real value is much longer; it has been truncated here for brevity.
3. The password was last changed 12825 days after the Unix epoch (January 1, 1970), that is, on February 11, 2005.
4. The password may not be changed again within 14 days of the last change. To allow it to be changed at any time, set this field to 0.
5. The password must be changed every 45 days.
6. Warnings to change the password begin 10 days before it expires.
7. If the password has expired and the user does not log in and change it within 30 days, the account is disabled.
8. The account expires 13096 days after the epoch, that is, on November 9, 2005.
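The field rules and the worked entry above are easiest to check by running them. The following Python parser is an added example, not code from the original article: it splits an entry into its nine fields, converts the day counts to dates, names the hash algorithm from its crypt(3) prefix, and classifies the account for a given day using the aging rules. SAMPLE_SHADOW is a constructed file containing the article's entry (hash truncated, as in the article) plus three illustrative accounts; "today" is passed as a day count so the results are deterministic and the code runs offline.

```python
"""Parser and password-aging calculator for /etc/shadow entries.

Added example, not code from the original article. SAMPLE_SHADOW is a
constructed file: the article's entry (hash truncated, as in the article)
plus three illustrative accounts. 'today' is passed in as a day count.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
# crypt(3) prefixes -> algorithm names (the common ones on modern Linux)
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
SAMPLE_SHADOW = """\
linux-console:$6$kKRCC8ip8nKtFjjdZJIj:12825:14:45:10:30:13096:
svc-backup:*:12825:0:99999:7:::
alice:!$6$abcd$lockedhash:12900:0:99999:7:::
bob:$y$j9T$saltsalt$hashhash:0:0:99999:7:::
"""


def _opt_int(value: str) -> Optional[int]:
    """An empty field disables the feature; represent that as None."""
    return int(value) if value.strip() else None


def days_to_date(days: int) -> date:
    """Convert a 'days since 1970-01-01' field to a calendar date."""
    return EPOCH + timedelta(days=days)


@dataclass
class ShadowEntry:
    login: str
    password: str
    lastchange: Optional[int]
    min_age: Optional[int]
    max_age: Optional[int]
    warning: Optional[int]
    inactivity: Optional[int]
    expiration: Optional[int]
    reserved: str = ""

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        fields = line.rstrip("\n").split(":")
        if len(fields) == 8:            # tolerate a missing trailing ':' (empty reserved field)
            fields.append("")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
        return cls(fields[0], fields[1], *(_opt_int(f) for f in fields[2:8]), fields[8])

    def password_login_disabled(self) -> bool:
        """'*', '!', '!!' or a '!'-prefixed hash: no password login is possible."""
        return self.password.startswith(("*", "!"))

    def hash_algorithm(self) -> str:
        """Name the hash algorithm; a locked account keeps its hash behind the '!'."""
        if self.password == "":
            return "empty (no password required)"
        pw = self.password.lstrip("!")
        if pw in ("", "*"):
            return "none (no hash stored)"
        for prefix, name in HASH_PREFIXES.items():
            if pw.startswith(prefix):
                return name
        return "unknown or legacy (e.g. DES)"

    def status(self, today_days: int) -> str:
        """Classify the account for a given day, mirroring the checks made at login."""
        if self.expiration is not None and today_days >= self.expiration:
            return "account expired"
        if self.password_login_disabled():
            return "locked (password login disabled)"
        if self.lastchange is None:
            return "ok (password aging disabled)"
        if self.lastchange == 0:
            return "must change password at next login"
        if self.max_age is None:
            return "ok (no maximum age)"
        expiry = self.lastchange + self.max_age
        if today_days >= expiry:
            if self.inactivity is not None and today_days >= expiry + self.inactivity:
                return "disabled (inactivity period exceeded)"
            return "password expired (must change at login)"
        if self.warning and today_days >= expiry - self.warning:
            return f"ok, expires in {expiry - today_days} day(s) (warning period)"
        return "ok"


def summarize(shadow_text: str, today_days: int) -> Dict[str, str]:
    """Map each login in shadow-format text to its status on the given day."""
    entries = (ShadowEntry.parse(ln) for ln in shadow_text.splitlines() if ln.strip())
    return {e.login: e.status(today_days) for e in entries}


if __name__ == "__main__":
    today = (date.today() - EPOCH).days
    for login, state in summarize(SAMPLE_SHADOW, today).items():
        print(f"{login:14} {state}")
```

Feeding the article's entry through days_to_date confirms the two dates worked out above (12825 gives 2005-02-11 and 13096 gives 2005-11-09), and calling status() with different day counts walks the account through the stages the fields define: plain "ok" until 10 days before day 12870, the warning period after that, "password expired" from day 12870, "disabled" once the 30-day inactivity period has run out on day 12900, and "account expired" from day 13096. To run the same logic against a live system, read /etc/shadow as root and pass its contents to summarize().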
Conclusion
The shadow file is a comparatively safe place to keep account credentials. Even strong passwords are a liability if their hashes sit in the world-readable passwd file. Making the shadow file readable only by root removes the easy route by which a malicious local user or attacker could obtain the hashes and crack them offline.