词条 | Passwd |
释义 |
/etc/passwd as a source}}{{lowercase|title=passwd}}{{Refimprove|date=February 2008}}passwd is a tool on most Unix and Unix-like operating systems used to change a user's password. The password entered by the user is run through a key derivation function to create a hashed version of the new password, which is saved. Only the hashed version is stored; the entered password is not saved for security reasons. When the user logs on, the password entered by the user during the log on process is run through the same key derivation function and the resulting hashed version is compared with the saved version. If the hashes are identical, the entered password is considered to be correct, and the user is authenticated. In theory, it is possible for two different passwords to produce the same hash. However, cryptographic hash functions are designed in such a way that finding any password that produces the same hash is very difficult and practically infeasible, so if the produced hash matches the stored one, the user can be authenticated. The passwd command may be used to change passwords for local accounts, and on most systems, can also be used to change passwords managed in a distributed authentication mechanism such as NIS, Kerberos, or LDAP. Password fileThe In many operating systems this file is just one of many possible back-ends for the more general passwd name service. The file's name originates from one of its initial functions as it contained the data used to verify passwords of user accounts. However, on modern Unix systems the security-sensitive password information is instead often stored in a different file using shadow passwords, or other database implementations. The The Each record consists of seven fields separated by colons. The ordering of the records within the file is generally unimportant. An example record may be: The fields, in order from left to right, are:[1]
Shadow file
Systems administrators can reduce the likelihood of brute-force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the The shadow password file does not entirely solve the problem of attacker access to hashed passwords, as some network authentication schemes operate by transmitting the hashed password over the network (sometimes in cleartext, e.g., Telnet[3]), making it vulnerable to interception. Copies of system data, such as system backups written to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication checks at high rates of speed. Regardless of whether password shadowing is in effect on a given system, the passwd file is readable by all users so that various system utilities (e.g., ls) can work (e.g., to ensure that user names are shown when the user lists the contents of a folder), while only the root user can write to it. Without password shadowing, this means that an attacker with unprivileged access to the system can obtain the hashed form of every user's password. Those values can be used to mount a brute force attack offline, testing possible passwords against the hashed passwords relatively quickly without alerting system security arrangements designed to detect an abnormal number of failed login attempts. Especially when the hash is not salted it is also possible to look up these hashed passwords in rainbow tables, databases specially made for giving back a password for a unique hash. With a shadowed password scheme in use, the
The format of the shadow file is simple, and basically identical to that of the password file, to wit, one line per user, ordered fields on each line, and fields separated by colons. Many systems require the order of user lines in the shadow file be identical to the order of the corresponding users in the password file. HistoryPrior to password shadowing, a Unix user's hashed password was stored in the second field of their record in the Password shadowing first appeared in Unix systems with the development of SunOS in the mid-1980s,[10] System V Release 3.2 in 1988 and BSD4.3 Reno in 1990. But, vendors who had performed ports from earlier UNIX releases did not always include the new password shadowing features in their releases, leaving users of those systems exposed to password file attacks. System administrators may also arrange for the storage of passwords in distributed databases such as NIS and LDAP, rather than in files on each connected system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled by the security mechanisms of the underlying data repository. In 1987 the author of the original Shadow Password Suite, Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing the In the past, it was necessary to have different commands to change passwords in different authentication schemes. For example, the command to change a NIS password was yppasswd. This required users to be aware of the different methods to change passwords for different systems, and also resulted in wasteful duplication of code in the various programs that performed the same functions with different back ends. In most implementations, there is now a single passwd command, and the control of where the password is actually changed is handled transparently to the user via pluggable authentication modules (PAMs). For example, the type of hash used is dictated by the configuration of the See also
References1. ^Understanding /etc/passwd File Format2. ^{{cite web|url=http://man7.org/linux/man-pages/man5/passwd.5.html |title=passwd(5) - Linux manual page |publisher=Man7.org |date= |accessdate=2014-08-25}} 3. ^RFC 2877: 5250 Telnet Enhancements 4. ^http://man7.org/linux/man-pages/man3/crypt.3.html crypt(3) manpage 5. ^Password hashing with MD5-crypt in relation to MD5 6. ^Implementation of SHA512-crypt vs MD5-crypt 7. ^{{cite url |title=solaris - passwd (1) |url=http://www.cs.bgu.ac.il/~arik/usail/man/solaris/passwd.1.html |archiveurl=https://web.archive.org/web/20131217221941/http://www.cs.bgu.ac.il/~arik/usail/man/solaris/passwd.1.html |archivedate=2013-12-17 |deadurl=yes |website=cs.bgu.ac.il}} 8. ^1 shadow(5) man page 9. ^{{cite web|url=https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Introduction_to_System_Administration/s1-acctsgrps-rhlspec.html |title=6.3. Red Hat Enterprise Linux-Specific Information |publisher=Access.redhat.com |date=1970-01-01 |accessdate=2014-08-25}} 10. ^{{cite web|url=http://modman.unixdev.net/?sektion=5&page=passwd.adjunct&manpath=SunOS-4.1.3 |title=passwd.adjunt(5) in SunOS-4.1.3 |publisher=Modman.unixdev.net |date= |accessdate=2016-01-03}} External links
5 : Configuration files|Password authentication|Security databases|Unix authentication-related software|Unix user management and support-related utilities |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。