Last updated: 2015-05-15
passwd
Options
-u, --unlock # unlock the password of the named account
-l, --lock # lock the password of the named account
-i, --inactive INACTIVE # set password inactive after expiration to INACTIVE
-e, --expire # force expire the password for the named account
-S, --status
--stdin # passwd reads the new password (in raw, i.e. plaintext, form) from stdin, which can be a pipe
-S output format:
LoginName L|NP|P last_password_change min_age max_age warning_period inactivity_period
(L) user account is locked
(NP) has no password
(P) has a usable password
e.g.
passwd -S
root P 05/15/2015 0 99999 7 -1
Batch change password
Usage:
echo "Username:Password" | chpasswd
# reads /etc/login.defs to find out which method to use to encrypt the password
* do not confuse with chgpasswd
vipw, vigr
-s # will edit the shadow versions of those files
shadow db format
colon-separated fields:
1. Username
2. Encrypted Password
3. Last password change (days since January 1, 1970, the epoch)
4. Minimum password age
5. Maximum password age (number of days the new password stays valid; default: 99999)
6. Warning period
7. Inactivity period
8. Account expiration date (days since the epoch)
9. Unused
Password: 13 characters, encrypted.
A blank entry (e.g. ::) indicates a password is not required to log in (usually a bad idea), and
a "*" entry (e.g. :*:) indicates the account has been disabled.
linux shadow exclamation mark
'!' and '!!' mean essentially the same thing, but different tools use one or the other: passwd -l, for instance, uses a pair of exclamation marks, while usermod -L uses only one.
If the field holds an invalid hash (which '*', '!' and '!!' all are), it effectively locks the account and prevents logins to that account.
/etc/shadow
daemon:*:15499:0:99999:7:::
...
libvirt-qemu:!:15538:0:99999:7:::
Often this is reinforced by setting the account's shell to something like /bin/false or /sbin/nologin in the /etc/passwd file.
/etc/passwd
...
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
syslog:x:101:103::/home/syslog:/bin/false
...
nologin - politely refuse a login (displays a message that an account is not available and exits non-zero)
false - exit with a status code indicating failure ($? = 1)
password format:
$id$salt$encrypted
ID | Method
---|---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
Old format: crypt(3)
13 characters from [a-zA-Z0-9./], encrypted with the DES (Data Encryption Standard) algorithm
salt: the first two characters are the salt itself (4096 possible values)
key: the lowest 7 bits of each of the first eight characters of the key
(the key space is 2**56, i.e. about 7.2e16 possible values)
# random salt
openssl passwd -crypt myPassword
openssl passwd -crypt -salt XR SuprScrt
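As an added example (not part of these notes), a small Python audit script that parses /etc/shadow lines using the field layout, lock markers ('*', '!', '!!') and $id$salt$hash prefixes described above, and classifies each account the way `passwd -S` reports L / NP / P. The sample lines are constructed and their hashes are placeholders, not real digests.

```python
import re
from datetime import date, timedelta

# Constructed sample /etc/shadow content; hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$zXcV12ab$hAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsH:16570:0:99999:7:::
daemon:*:15499:0:99999:7:::
libvirt-qemu:!:15538:0:99999:7:::
alice:!!$5$s4LtS4lt$hAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsHhAsH:16570:0:90:7:::
legacy:XRdeMoHaSh123:16000:0:90:7:::
guest::16570:0:99999:7:::
bob:$1$ab$hAsHhAsHhAsHhAsHhAsHhA:16570:0:99999:7::16500:
"""

HASH_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}
DES_RE = re.compile(r"^[a-zA-Z0-9./]{13}$")   # legacy crypt(3) DES form
EPOCH = date(1970, 1, 1)

def hash_method(pw):
    """Name the crypt method of a password field, ignoring a '!' lock prefix."""
    pw = pw.lstrip("!")              # passwd -l / usermod -L keep the hash behind '!'
    if pw == "" or pw == "*":
        return None
    if pw.startswith("$"):
        parts = pw.split("$")        # ['', id, salt, hash]
        return HASH_IDS.get(parts[1], "unknown id " + parts[1])
    return "DES crypt(3)" if DES_RE.match(pw) else "invalid"

def shadow_status(line, today=date(2015, 5, 15)):
    """Classify one shadow entry like passwd -S and derive expiry information."""
    f = line.split(":")
    if len(f) != 9:                  # same check pwck performs on field count
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    name, pw, last, maxage = f[0], f[1], f[2], f[4]
    status = "L" if pw.startswith(("!", "*")) else ("NP" if pw == "" else "P")
    last_change = EPOCH + timedelta(days=int(last)) if last else None
    pw_expires = None
    if last_change and maxage and int(maxage) < 99999:
        pw_expires = last_change + timedelta(days=int(maxage))
    acct_expires = EPOCH + timedelta(days=int(f[7])) if f[7] else None
    return {"name": name, "status": status, "method": hash_method(pw),
            "last_change": last_change,
            "future_change": bool(last_change and last_change > today),
            "pw_expired": bool(pw_expires and pw_expires < today),
            "acct_expired": bool(acct_expires and acct_expires < today)}

def audit(text, today=date(2015, 5, 15)):
    """Run shadow_status over every non-empty line of a shadow file body."""
    return [shadow_status(l, today) for l in text.splitlines() if l]

if __name__ == "__main__":
    for row in audit(SAMPLE_SHADOW):
        print(row)
```

Run it against a copy of /etc/shadow read as root to spot empty password fields, legacy DES hashes and expired accounts in one pass.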
pwck
verifies the integrity of the user and authentication information.
It verifies that each entry has:
‧ the correct number of fields
‧ a unique and valid user name
‧ a valid user and group identifier
‧ a valid primary group
‧ a valid home directory
‧ a valid login shell
‧ every passwd entry has a matching shadow entry, and every shadow entry has a matching passwd entry
‧ passwords are specified in the shadowed file
‧ shadow entries have the correct number of fields
‧ shadow entries are unique in shadow
‧ the last password changes are not in the future
Fix
If an entry has the wrong number of fields, the user is prompted to delete the entire line.
An entry with a duplicated user name is prompted for deletion.
All other errors are warnings, and the user is encouraged to run usermod to correct them.
-r # Execute the pwck command in read-only mode.
-s # Sort entries in /etc/passwd and /etc/shadow by UID.
usermod
-a -G
-M # the user's home directory will not be created, even if the system-wide setting in /etc/login.defs is to create home directories
Troubleshooting
passwd: Module is unknown
ldd `which passwd`
....................
/usr/lib/libao.so
libdl.so.2 => /lib/libdl.so.2
libpam_misc.so.0
....................
ldconfig
ldconfig: /usr/lib/libao.so is not an ELF file - it has the wrong magic bytes at the start.
rpm -qR passwd
cracklib-2.8.9-1.3.i386.rpm
guile-1.6.4-14.i386.rpm
cracklib-dicts-2.8.9-1.3.i386.rpm
lock file
When you create or modify a user, lock files are created to prevent concurrent modification of these system files.
These files should be removed automatically once the useradd or usermod command finishes.
- /etc/passwd.lock
- /etc/shadow.lock
- /etc/group.lock
- /etc/gshadow.lock
Reset password
mount /root/of/another/disk /mnt/tmp
chroot /mnt/tmp
passwd
passwd: Can not identify you!
[Fix]
setenforce 0
Related