The format of the shadow file itself will not be covered here; this post is about its second column, the password column.


Usually, running passwd to set a user's password directly is enough. But in some cases a password has to be specified in advance for a user that is about to be created, and it has to be supplied already in encrypted (hashed) form: for example the rootpw directive in a kickstart file, or the password given when creating a user with ansible. In those cases we have to generate a valid password hash by hand.

First, the format of the second column of the shadow file. It holds the encrypted password, but there is some subtlety to it: certain special characters carry special meanings:

* ①. The column is empty, i.e. "::": the user has no password.
* ②. The column is "!", i.e. ":!:": the user is locked. A locked user cannot log in with the password, but other ways of logging in may remain unrestricted, such as SSH public-key authentication or su.
* ③. The column is "*", i.e. ":*:": the user is likewise locked; the effect is the same as "!".
* ④. The column begins with "!" or "!!": the user is likewise locked.
* ⑤. The column is "!!", i.e. ":!!:": the user has never had a password set.
* ⑥. The column has the form "$id$salt$hashed": the user has a normal password. The id in $id$ identifies the hashing algorithm: $1$ means MD5, $2a$ means Blowfish, "$2y$" is another variant of Blowfish, "$5$" means SHA-256 and "$6$" means SHA-512. Today SHA-512 is used almost everywhere, but MD5 and SHA-256 are still supported. $salt$ is the salt used when hashing, and hashed is the actual hash value.
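The six rules above turned into a small classifier, plus an audit that lists the users still carrying an MD5 hash. This is an added example, not part of the original post; it assumes POSIX sh and uses a constructed sample file with dummy hashes.

```shell
#!/bin/sh
# Print one word for the field (plus the algorithm for a "$id$salt$hashed" value),
# following the six rules above. Assumes POSIX sh.
classify_shadow_field() {
    case "$1" in
        '')   echo no_password ;;            # rule 1: "::"
        '!!') echo never_set ;;              # rule 5: ":!!:"
        '*')  echo locked ;;                 # rule 3: ":*:"
        '!'*) echo locked ;;                 # rules 2 and 4: "!" alone, or "!" in front of a hash
        '$'*'$'*'$'*)                        # rule 6: "$id$salt$hashed"
            id=${1#\$}; id=${id%%\$*}        # the text between the first two "$" is the id
            case "$id" in
                1)     echo "normal MD5" ;;
                2a|2y) echo "normal Blowfish" ;;
                5)     echo "normal SHA-256" ;;
                6)     echo "normal SHA-512" ;;
                *)     echo "normal unknown-$id" ;;
            esac ;;
        *)    echo unusable ;;               # none of the six: can never equal a crypt() result
    esac
}

# List the users of a shadow-format file ($1) whose hash still uses MD5 ($1$),
# the weakest of the algorithms named above.
weak_hash_users() {
    while IFS=: read -r user field rest; do
        if [ "$(classify_shadow_field "$field")" = "normal MD5" ]; then echo "$user"; fi
    done < "$1"
}

# Constructed sample file (dummy, shortened hashes; not taken from a real system).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQ:18000:0:99999:7:::
oldapp:$1$abcdefg$ZjOm3Vah0O/xUw6nnHyPn0:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
newuser:!!:18000:0:99999:7:::
vendor:!$6$Xy12abcd$dummyhash1234567890:18000:0:99999:7:::
EOF

weak_hash_users "$SAMPLE_SHADOW"   # prints: oldapp
```

Run it against a copy of the real file (it only reads) to find accounts that should be re-hashed or locked.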

The examples below all generate the hash corresponding to the clear-text password "123456".

To generate an MD5 hash, openssl is enough:

```sh
openssl passwd -1 '123456'
openssl passwd -1 -salt 'abcdefg' '123456'
```
Once the hash has been generated, copy it into, or substitute it for, the second column of the shadow file. For example, replacing root's password:
```sh
shell> field=$(awk -F ':' '/^root:/{print $2}' /etc/shadow)
shell> password=$(openssl passwd -1 123456)
shell> sed -i '/^root:/s%'$field'%'$password'%' /etc/shadow   # "%" as the delimiter, since the hash contains "/"
```
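A safer version of the replacement step above, as an added example that is not from the original post: the user name is matched exactly rather than with a regex prefix, the hash is passed to awk as a variable so that "$", "." and "/" in it are never regex syntax, a backup is kept, and values that are not of the "$id$salt$hashed" form are refused. It assumes POSIX sh with awk; the sample file is constructed, and the new hash is the SHA-512 value for "123456" that grub-crypt prints further down.

```shell
#!/bin/sh
# set_shadow_hash FILE USER HASH: rewrite USER's second column in FILE in place,
# keeping a copy in FILE.bak. The user name is compared exactly (unlike /^root/),
# and the hash is handed to awk as a variable, so "$", "." and "/" in it are literal.
set_shadow_hash() {
    file=$1 user=$2 hash=$3
    case "$hash" in                      # accept only "$id$salt$hashed" values
        '$'*'$'*'$'*) ;;
        *) echo "refusing to write '$hash': not a \$id\$salt\$hashed value" >&2; return 1 ;;
    esac
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$file" ||
        { echo "no such user: $user" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    # -v passes the hash verbatim (it contains no backslashes); OFS=: rebuilds the record
    awk -F: -v OFS=: -v u="$user" -v h="$hash" '$1 == u { $2 = h } { print }' \
        "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # cat keeps the file's owner and mode
}

# get_shadow_hash FILE USER: print USER's second column
get_shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Constructed sample (not a real system): root still has an MD5 hash, and a second
# user whose name starts with "root" shows why exact matching matters.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$1$abcdefg$ZjOm3Vah0O/xUw6nnHyPn0:18000:0:99999:7:::
rootadm:!!:18000:0:99999:7:::
EOF
# SHA-512 hash of "123456" as printed by grub-crypt in the text
NEW_HASH='$6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQiEWjdmHnF2YPnYzgce1cP/bzDguVnUkMg/N.'

set_shadow_hash "$SAMPLE" root "$NEW_HASH"
get_shadow_hash "$SAMPLE" root      # prints the new $6$ hash
get_shadow_hash "$SAMPLE" rootadm   # still "!!"
```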
But openssl passwd cannot generate SHA-256 or SHA-512 hashes. On CentOS 6 they can be generated with grub-crypt, the password generation tool that comes with grub.
```
[root@host ~]# grub-crypt -h
Usage: grub-crypt [OPTION]...
Encrypt a password.
  -h, --help              Print this message and exit
  -v, --version           Print the version information and exit
  --md5                   Use MD5 to encrypt the password
  --sha-256               Use SHA-256 to encrypt the password
  --sha-512               Use SHA-512 to encrypt the password (default)
Report bugs to <bug-grub@gnu.org>.
EOF
[root@host ~]# grub-crypt --sha-512
Password:
Retype password:
$6$nt4hMDAYqYjudvfo$AKIZ3Z0o6/6HV6GKXqq21VEmh.ADFAZUQw2mvbIlplKx7gu9MQiEWjdmHnF2YPnYzgce1cP/bzDguVnUkMg/N.
```
grub-crypt is actually a Python script that generates the hash interactively. Its content is shown below.
```python
[root@host ~]# cat /sbin/grub-crypt
#! /usr/bin/python
'''Generate encrypted passwords for GRUB.'''
import crypt
import getopt
import getpass
import sys

def usage():
    '''Output usage message to stderr and exit.'''
    print >> sys.stderr, 'Usage: grub-crypt [OPTION]...'
    print >> sys.stderr, 'Try `$progname --help\' for more information.'
    sys.exit(1)

def gen_salt():  # generate a random 16-character salt
    '''Generate a random salt.'''
    ret = ''
    with open('/dev/urandom', 'rb') as urandom:
        while True:
            byte = urandom.read(1)
            if byte in ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
                        './0123456789'):
                ret += byte
                if len(ret) == 16:
                    break
    return ret

def main():
    '''Top level.'''
    crypt_type = '$6$'  # SHA-512 is the default
    try:
        opts, args = getopt.getopt(sys.argv[1:], 'hv',
                                   ('help', 'version', 'md5', 'sha-256', 'sha-512'))
    except getopt.GetoptError, err:
        print >> sys.stderr, str(err)
        usage()
    if args:
        print >> sys.stderr, 'Unexpected argument `%s\'' % (args[0],)
        usage()
    for (opt, _) in opts:
        if opt in ('-h', '--help'):
            print ('''Usage: grub-crypt [OPTION]...
Encrypt a password.
  -h, --help              Print this message and exit
  -v, --version           Print the version information and exit
  --md5                   Use MD5 to encrypt the password
  --sha-256               Use SHA-256 to encrypt the password
  --sha-512               Use SHA-512 to encrypt the password (default)
Report bugs to <bug-grub@gnu.org>.
EOF''')
            sys.exit(0)
        elif opt in ('-v', '--version'):
            print 'grub-crypt (GNU GRUB 0.97)'
            sys.exit(0)
        elif opt == '--md5':
            crypt_type = '$1$'
        elif opt == '--sha-256':
            crypt_type = '$5$'
        elif opt == '--sha-512':
            crypt_type = '$6$'
        else:
            assert False, 'Unhandled option'
    password = getpass.getpass('Password: ')
    password2 = getpass.getpass('Retype password: ')
    if not password:
        print >> sys.stderr, 'Empty password is not permitted.'
        sys.exit(1)
    if password != password2:
        print >> sys.stderr, 'Sorry, passwords do not match.'
        sys.exit(1)
    salt = crypt_type + gen_salt()
    print crypt.crypt(password, salt)  # print the final hash

if __name__ == '__main__':
    main()
```
Unfortunately, CentOS 7 installs grub2 by default, which does not ship grub-crypt. So, following what grub-crypt does, the Python one-liner below is a simple stand-in for grub-crypt; it is interactive too:

```sh
python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
```
If no interaction is wanted, use this form instead:

```sh
python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))'
```
That is much more convenient: the result can be assigned directly to a variable.

```
[root@host ~]# a=$(python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))')
[root@host ~]# echo $a
$6$uKhnBg5A4/jC8KaU$scXof3ZwtYWl/6ckD4GFOpsQa8eDu6RDbHdlFcRLd/2cDv5xYe8hzw5ekYCV5L2gLBBSfZ.Uc166nz6TLchlp.
```
For example, creating a user with ansible and giving it this password:

```sh
a=$(python -c 'import crypt,getpass;pw="123456";print(crypt.crypt(pw))')
# double quotes around the module arguments, so that the shell expands $a before ansible sees it
ansible 192.168.100.55 -m user -a "name=longshuai5 password='$a' update_password=always"
```