shadow The format of the file will not be mentioned . Let's talk about the second column —— Password column .


usually ,passwd Directly specify the password for the user ok了. But in some cases , To specify a password in advance for the user to be created , And the encrypted password , for example kickstart In the file rootpw instructions ,ansible Specify password in advance when creating user , At this time, we have to manually generate a reasonable password .

 

Let's talk about it first shadow Format of the second column in the file , It's encrypted , It has some mystery , Different special characters represent special meanings :

* ①. Leave this column blank , Namely "::", Indicates that the user does not have a password .
* ②. This column is "!", Namely ":!:", Indicates that the user is locked , Locked will not log in , But maybe other ways to log in are unlimited , as ssh The way of public key authentication ,su How .
* ③. This column is "*", Namely ":*:", It also means that the user is locked , and "!" The effect is the same .
* ④. This column "!" or "!!" start , It also means that the user is locked .
* ⑤. This column is "!!", Namely ":!!:", Indicates that the user has never set a password .
*
⑥. If the format is "$id$salt$hashed", Indicates that the user password is normal . among $id$ Of id Encryption algorithm representing password ,$1$ Indicates use MD5 algorithm ,$2a$ Indicates use Blowfish algorithm ,"$2y$" Is another algorithm length Blowfish,"$5$" express SHA-256 algorithm , and "$6$" express SHA-512 algorithm ,
Currently, it is basically used sha-512 Algorithmic , But whether it's md5 still sha-256 Still support .$salt$ Is used for encryption salt,hashed It's the real password part .

The following are used to generate clear text "123456" For example, the corresponding encryption password .

To generate md5 Algorithm's password , use openssl that will do .
openssl passwd -1 '123456' openssl passwd -1 -salt 'abcdefg' '123456'
After password generation , Copy or replace it directly to shadow The second column of the document . for example : replace root User's password
shell> field=$(awk -F ':' '/^root/{print $2}' /etc/shadow) shell>
password=$(openssl passwd -1 123456) shell> sed -i
'/^root/s%'$field'%'$password'%' /etc/shadow
but openssl passwd Build not supported sha-256 and sha-512 Algorithm's password . stay CentOS
6 upper , With the help of grub Password generation tool provided grub-crypt generate .
[[email protected] ~]# grub-crypt -h Usage: grub-crypt [OPTION]... Encrypt a
password.-h, --help Print this message and exit -v, --version Print the version
informationand exit --md5 Use MD5 to encrypt the password --sha-256 Use SHA-256
to encrypt the password--sha-512 Use SHA-512 to encrypt the password (default)
Report bugs to<[email protected]>. EOF [[email protected] ~]# grub-crypt --sha-512
Password: Retype password: $
6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQiEWjdmHnF2YPnYzgce1cP/bzDguVnUkMg/N.
grub-crypt It's actually a python script , Generate password interactively . Here is grub-crypt Contents of the document .
[[email protected] ~]# cat /sbin/grub-crypt #! /usr/bin/python '''Generate
encrypted passwords for GRUB.''' import crypt import getopt import getpass
import sys def usage(): '''Output usage message to stderr and exit.''' print >>
sys.stderr,'Usage: grub-crypt [OPTION]...' print >> sys.stderr, 'Try `$progname
--help\' for more information.' sys.exit(1) def gen_salt(): # Generate random salt '''
Generate a random salt.''' ret = '' with open('/dev/urandom', 'rb') as urandom:
while True: byte = urandom.read(1) if byte in ('
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' './0123456789'): ret +=
byteif len(ret) == 16: break return ret def main(): '''Top level.''' crypt_type
='$6$' # SHA-256 try: opts, args = getopt.getopt(sys.argv[1:], 'hv', ('help', '
version', 'md5', 'sha-256', 'sha-512')) except getopt.GetoptError, err: print >>
sys.stderr, str(err) usage()if args: print >> sys.stderr, 'Unexpected argument
`%s\'' % (args[0],) usage() for (opt, _) in opts: if opt in ('-h', '--help'):
print ( '''Usage: grub-crypt [OPTION]... Encrypt a password. -h, --help Print
this message and exit -v, --version Print the version information and exit
--md5 Use MD5 to encrypt the password --sha-256 Use SHA-256 to encrypt the
password --sha-512 Use SHA-512 to encrypt the password (default) Report bugs to
<[email protected]>. EOF''') sys.exit(0) elif opt in ('-v', '--version'): print '
grub-crypt (GNU GRUB 0.97)' sys.exit(0) elif opt == '--md5': crypt_type = '$1$'
elif opt == '--sha-256': crypt_type = '$5$' elif opt == '--sha-512': crypt_type
='$6$' else: assert False, 'Unhandled option' password = getpass.getpass('
Password:') password2 = getpass.getpass('Retype password: ') if not password:
print >> sys.stderr, 'Empty password is not permitted.' sys.exit(1) if password
!= password2: print >> sys.stderr, 'Sorry, passwords do not match.' sys.exit(1)
salt= crypt_type + gen_salt() print crypt.crypt(password, salt) # Generate final encrypted password if
__name__ == '__main__': main()
Unfortunately ,CentOS
7 The default installation on is grub2, It does not provide grub-crypt. So refer to grub-crypt content , Use the following python Statement simple substitution grub-crypt, It's also interactive .
python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if
(pw==getpass.getpass("Confirm: ")) else exit())'
If you don't want to interact , Change to the following form :
python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))'
It's much more convenient now , Just assign the result to the variable directly .
[[email protected] ~]# a=$(python -c 'import
crypt,getpass;pw="123456";print(crypt.crypt(pw))') [[email protected] ~]# echo $a
$6$uKhnBg5A4/jC8KaU$scXof3ZwtYWl/6ckD4GFOpsQa8eDu6RDbHdlFcRLd/2cDv5xYe8hzw5ekYCV5L2gLBBSfZ.Uc166nz6TLchlp.
for example ,ansible Create user and specify password :
a=$(python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))')
ansible192.168.100.55 -m user -a 'name=longshuai5 password="$a"
update_password=always'