Thursday, July 23, 2009

Password storage on Linux (the shadow suite)

Understanding where /etc/passwd and /etc/shadow come from and how they are used


On a Linux system without the Shadow Suite installed, user information including
passwords is stored in the /etc/passwd file. The password is stored in an
encrypted format. If you ask a cryptography expert, however, he or she will tell you
that the password is actually in an encoded rather than encrypted format because
when using crypt(3), the text is set to null and the password is the key. Therefore,
from here on, I will use the term encoded in this document.

Without the shadow suite, user information, including passwords, is stored in the /etc/passwd file.
 * Is the shadow suite referred to here the sys-apps/shadow package?
The difference between the terms encoded and encrypted


When a user picks or is assigned a password, it is encoded with a randomly
generated value called the salt. This means that any particular password could be
stored in 4096 different ways. The salt value is then stored with the encoded
password.

This is a property of crypt(3); for the 4096 variants mentioned above, see man 3 crypt:
       salt is a two-character string chosen from the set [a-zA-Z0-9./].  This string is used to perturb
       the algorithm in one of 4096 different ways.
* The salt and the encoded password are stored together in /etc/passwd; see the passwd format below


When a user logs in and supplies a password, the salt is first retrieved from the
stored encoded password. Then the supplied password is encoded with the salt value,
and then compared with the encoded password. If there is a match, then the user is
authenticated.

The most basic principle of user authentication

The /etc/passwd file also contains information like user ID's and group ID's that
are used by many system programs. Therefore, the /etc/passwd file must remain
world readable. If you were to change the /etc/passwd file so that nobody can
read it, the first thing that you would notice is that the ls -l command now
displays user ID's instead of names!

/etc/passwd is used widely beyond password authentication.

But because of various security problems, keeping the encoded hash in a world-readable file like /etc/passwd is a problem

The Shadow Suite solves the problem by relocating the passwords to another file
(usually /etc/shadow). The /etc/shadow file is set so that it cannot be read by
just anyone. Only root will be able to read and write to the /etc/shadow file.
Some programs (like xlock) don't need to be able to change passwords, they only
need to be able to verify them. These programs can either be run suid root or you can
set up a group shadow that is allowed read only access to the /etc/shadow file.
Then the program can be run sgid shadow.

Hence the /etc/shadow file, whose permissions are strictly restricted

Additionally, the Shadow Suite adds lots of other nice features:
⋅ A configuration file to set login defaults (/etc/login.defs)
⋅ Utilities for adding, modifying, and deleting user accounts and groups
⋅ Password aging and expiration
⋅ Account expiration and locking
⋅ Shadowed group passwords (optional)
⋅ Double length passwords (16 character passwords) [NOT RECOMMENDED]
⋅ Better control over user's password selection
⋅ Dial-up passwords
⋅ Secondary authentication programs [NOT RECOMMENDED]

The shadow suite introduces new mechanisms; the list above is what it provides
* As a verb, shadow means "to hide, or to conceal", as in shadowed group passwords

Installing the Shadow Suite contributes toward a more secure system, but there are many other things that can
also be done to improve the security of a Linux system, and there will eventually be a series of Linux
Security HOWTO's that will discuss other security measures and related issues.

Installing the shadow suite still leaves other things to be done


A non−shadowed /etc/passwd file has the following format:
username:passwd:UID:GID:full_name:directory:shell
Example:
username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh
* Np is the salt value

Once the shadow suite is installed, the /etc/passwd file would instead contain:
username:x:503:100:Full Name:/home/username:/bin/sh
The x in the second field in this case is now just a place holder. The format of the /etc/passwd file really
didn't change, it just no longer contains the encoded password. This means that any program that reads the
/etc/passwd file but does not actually need to verify passwords will still operate correctly.
The passwords are now relocated to the shadow file (usually /etc/shadow file).

The /etc/shadow file contains the following information:
username:passwd:last:may:must:warn:expire:disable:reserved
* For the meaning of each field, see man 5 shadow

Back to the basic question: how does a program use /etc/shadow when authenticating?

Permissions on /etc/shadow:
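The lookup and check described above (passwd placeholder, shadow record, salt taken from the stored value, re-encode and compare), as an added example that is not part of the original post or the HOWTO. The sample passwd and shadow lines are constructed; the encoding uses Python's crypt(3) binding when it is available and otherwise a clearly labelled stand-in so the flow still runs.

```python
import hashlib
try:
    import crypt  # Python binding for crypt(3); removed in Python 3.13
except ImportError:
    crypt = None

PASSWD_FIELDS = ("username", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("username", "passwd", "last", "may", "must", "warn",
                 "expire", "disable", "reserved")

def encode(password, salt):
    # crypt(3)-style encoding: the two-character salt prefixes the result.
    try:
        result = crypt.crypt(password, salt)
    except (AttributeError, OSError):  # no crypt module, or libcrypt lacks DES
        result = None
    if result and result.startswith(salt):  # libxcrypt returns "*0" on failure
        return result
    # Stand-in (NOT crypt(3)) so the flow still runs where crypt is unavailable.
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]

def parse(lines, fields):
    # Colon-separated records -> {username: {field: value}}; malformed lines skipped.
    db = {}
    for line in lines:
        values = line.rstrip("\n").split(":")
        if len(values) == len(fields):
            db[values[0]] = dict(zip(fields, values))
    return db
# Constructed sample files: a shadowed user, a locked user, and a legacy
# non-shadowed user whose encoded password still sits in passwd itself.
PASSWD_DB = parse([
    "root:x:0:0:root:/root:/bin/bash",
    "username:x:503:100:Full Name:/home/username:/bin/sh",
    "legacy:" + encode("old-pass", "Np") + ":504:100:Legacy:/home/legacy:/bin/sh",
], PASSWD_FIELDS)
SHADOW_DB = parse([
    "root:!:14413:0:99999:7:::",  # "!" in the passwd field locks the account
    "username:" + encode("s3cret", "Np") + ":14413:0:99999:7:::",
], SHADOW_FIELDS)

def verify(user, password, passwd_db=PASSWD_DB, shadow_db=SHADOW_DB):
    # Login check: fetch the stored value, re-encode the supplied password
    # with the salt taken from it, and compare the two encodings.
    stored = passwd_db.get(user, {}).get("passwd", "")
    if stored == "x":  # placeholder: the real value lives in the shadow file
        stored = shadow_db.get(user, {}).get("passwd", "")
    if len(stored) < 2 or stored[0] in "!*":  # missing, empty or locked
        return False
    return encode(password, stored[:2]) == stored  # DES crypt: salt = first 2 chars
```

A real login program reads the shadow record through getspnam(3), which is why it must run as root (or sgid shadow) as the rest of the post describes.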
jessinio@niolaptop /tmp $ ls -l /etc/shadow
-rw------- 1 root root 909 2009-06-26 16:05 /etc/shadow

Every program that needs /etc/shadow first obtains root privileges by one means or another before touching the shadow file

The following is a passage from man 3 getspnam:

DESCRIPTION
       Long ago it was considered safe to have encrypted passwords openly visible in the password  file.
       When  computers got faster and people got more security-conscious, this was no longer acceptable.
       Julianne Frances Haugh implemented the shadow password suite that keeps the  encrypted  passwords
       in  the  shadow  password  database  (e.g.,  the local shadow password file /etc/shadow, NIS, and
       LDAP), readable only by root.

Only root can handle this kind of thing

References:
* http://www.tldp.org/HOWTO/Shadow-Password-HOWTO.html

