<title>How to obtain, install, and configure shadow passwords
<author>Author: Michael H. Jackson, <tt><htmlurl url="mailto:mhjack@tscnet.com" name="mhjack@tscnet.com"></tt><newline>
Translator: Sung Min-Ju, <tt><htmlurl url="mailto:songmj@ms1.hinet.net" name="songmj@ms1.hinet.net"></tt>
<date>v1.3, 3 April 1996; translated 15 MAY 2000
<abstract>
This document describes how to obtain, install, and configure the <em>Shadow Suite</em> of password utilities. It also describes obtaining and installing other software and network daemons that need access to user passwords. That software is not actually part of the Shadow Suite, but it has to be recompiled to support the <em>Shadow Suite</em>. The document also contains a programming example: adding shadow support to a program. It concludes with a list of frequently asked questions and answers.
</abstract>

<!-- Table of contents -->
<toc>

<!-- Begin the document -->
<sect><heading>Introduction
<p>
This is the Linux Shadow-Password-HOWTO. It is mainly about why and how to add shadow password support to a Linux system. It also includes some examples of how to use the <em>Shadow Suite's</em> other features.
<p>
When installing the <em>Shadow Suite</em>, and when using many of its utility programs, you must be logged in as <em>root</em>. Installing the <em>Shadow Suite</em> changes system software, so it is strongly recommended that you make backups as the instructions direct. You should also read and understand all of the instructions before you begin.

<sect1><heading>Changes from the previous release
<p>
<verb>
Additions:
  Added a subsection: why you might not want to shadow your passwd file
  Added a subsection: updating the xdm program
  Added a section: why you might not want to shadow your passwd file
  Added a section: putting the Shadow Suite to use
  Added a section: frequently asked questions and answers
Corrections/changes:
  Corrected the html reference at Sunsite
  Corrected the wu-ftp section: added -lshadow to the Makefile
  Corrected minor spelling and wording errors
  Changed the wu-ftp section to support ELF
  Revised the security problems in the various login programs
  Changed the recommended Linux Shadow Suite to Marek Michalkiewicz's
</verb>

<sect1><heading>New versions of this document
<p>
You can download the latest version of this document by anonymous FTP from <bf>sunsite.unc.edu</bf>:
<verb>/pub/Linux/docs/HOWTO/Shadow-Password-HOWTO</verb>
or:
<verb>/pub/Linux/docs/HOWTO/other-formats/Shadow-Password-HOWTO{-html.tar,ps,dvi}.gz</verb>
or via the web: <url url="http://sunsite.unc.edu/mdw/linux.html" name="Linux Documentation Project Web Server">, page <url url="http://sunsite.unc.edu/linux/HOWTO/Shadow-Password-HOWTO.html" name="Shadow-Password-HOWTO">, or by contacting me: <tt><mhjack@tscnet.com></tt>. It is also posted to the newsgroup <tt>comp.os.linux.answers</tt>.
<p>
This document is now also included in the Shadow-YYDDMM package.

<sect1><heading>Feedback
<p>
Please send any comments, corrections, or suggestions to <htmlurl url="mailto:mhjack@tscnet.com" name="Michael H. Jackson <mhjack@tscnet.com>">. I will try to respond promptly and correct the document. If you find any problems, please e-mail me directly; I will post the latest information to the newsgroup.

<sect><heading>Why shadow your passwd file?
<p>
Most current Linux distributions do not install the <em>Shadow Suite</em> by default. This includes Slackware 2.3, Slackware 3.0, and other popular distributions. One of the main reasons is that the copyright statement of the original <em>Shadow Suite</em> was not clear about whether the software could be used free of charge. Linux uses the GNU copyright, which generally allows users to use the related packages freely.
<p>
The <em>Shadow Suite's</em> current maintainer, <htmlurl url="mailto:marekm@i17linuxb.ists.pwr.wroc.pl" name="Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>">, has received the source code from the original author under a BSD-style license that permits redistribution. The copyright issues are now resolved, so future distributions can be expected to include password shadowing by default. Even so, for now you still need to install it yourself.
<p>
If your distribution was installed from a CD-ROM, you may find that, even though the distribution does not have the <em>Shadow Suite</em> installed, the <em>Shadow Suite</em> you need to install is still on that CD-ROM.
<p>
<em>However, Shadow Suite versions 3.3.1 and 3.3.1-2 and shadow-mk all have security problems in their accompanying login program and other <em>suid root</em> programs, and should no longer be used.</em>
<p>
All of the necessary files can be found on anonymous FTP sites or on the web.
<p>
On a Linux system without the <em>Shadow Suite</em> installed, user account information, including passwords, is normally stored in the <tt>/etc/passwd</tt> file. The stored password is in an <em>encrypted</em> format. If you ask a cryptography expert, however, he or she will tell you that the password is really only <em>encoded</em>, not <em>encrypted</em>, because when crypt(3) is used the text is set to null and the password is the key. Therefore, from here on, I will use the term <em>encoded</em> in this document.
<p>
The algorithm used to encode the password field is technically a <em>one way hash function</em>. This is an algorithm that is easy to compute in one direction but very hard to compute in reverse. More about the actual algorithm can be found in section 2.4 or in the crypt(3) manual page.
<p>
When a user picks or is assigned a password, the system randomly generates a value, called the <em>salt</em>, and uses it to encode the password. This means that any particular password can be stored in 4096 different ways. The <em>salt</em> value is stored together with the encoded password.
<p>
When a user logs in and supplies a password, the <em>salt</em> is first retrieved from the stored encoded password. The supplied password is then <em>encoded</em> with the <em>salt</em> value and compared with the stored <em>encoded</em> password. If there is a match, the user passes the authentication check.
<p>
Taking a randomly <em>encoded</em> password and recovering the original password is computationally hard (but not impossible). However, on some systems many users' passwords are set to common words (or simple variations of common words).
<p>
System crackers know this, and will simply encode a dictionary of words and common passwords using all 4096 <em>salt</em> values. Then they compare the encoded passwords in your <tt>/etc/passwd</tt> file against their database; as soon as they find a match, they have the password for an account. This is known as a <em>dictionary attack</em>, and it is one of the most common methods for gaining or expanding unauthorized access to a system.
<p>
If you think about it, an 8-character password encodes to 4096 * 13-character strings, so a dictionary describing 400,000 common words, names, passwords, and simple variations would need about 4GB of disk space. All the cracker has to do is sort the strings and check for matches. Since a 4GB hard disk can be bought for under US$1000.00, what this means for most system crackers is obvious.
<p>
If the cracker first obtains your <tt>/etc/passwd</tt> file, they only need to encode the dictionary with the <tt>salt</tt> values that actually appear in your <tt>/etc/passwd</tt> file, a method within reach of a teenager with a 486-class computer and a few hundred MB of disk space.
<p>
Even without a lot of disk space, a tool like crack(1) can usually break at least a couple of passwords on a system with enough users (assuming the users are allowed to pick their own passwords).
<p>
The <tt>/etc/passwd</tt> file also contains information, such as user IDs and group IDs, that is used by many system programs; therefore the <tt>/etc/passwd</tt> file <em>must</em> remain world readable.
If you were to change <tt>/etc/passwd</tt> so that nobody can read it, the first thing you would notice is that the <tt>ls -l</tt> command displays user IDs instead of names.
<p>
The <em>Shadow Suite</em> solves the problem by moving the passwords to another file (usually <tt>/etc/shadow</tt>). The <tt>/etc/shadow</tt> file is set so that it cannot be read by just anyone; only <em>root</em> can read and write <tt>/etc/shadow</tt>. Some programs (like xlock) do not need to change passwords, they only need to verify them. These programs can either be run <em>suid root</em>, or you can set up a group <em>shadow</em> that is allowed read-only access to <tt>/etc/shadow</tt>, and then run those programs <em>sgid shadow</em>.
<p>
By moving the passwords to the <tt>/etc/shadow</tt> file, we effectively keep the cracker from getting the encoded passwords with which to mount a <em>dictionary attack</em>.
<p>
In addition, the <em>Shadow Suite</em> adds many other features:
<itemize>
<item>A configuration file for login defaults (<tt>/etc/login.defs</tt>)
<item>Utilities for adding, modifying, and deleting user accounts and groups
<item>Password aging and expiration
<item>Account expiration and locking
<item>Shadowed group passwords (optional)
<item>Double-length passwords (16-character passwords) [NOT RECOMMENDED]
<item>Better control over users' password selection
<item>Dial-up passwords
<item>Secondary authentication programs [NOT RECOMMENDED]
</itemize>
<p>
Installing the <em>Shadow Suite</em> contributes to a more secure system, but there are many other ways to improve the security of a Linux system, and eventually a series of Linux Security HOWTOs will discuss other security measures and related issues.
<p>
For current information on other Linux security issues, see the <url url="http://bach.cis.temple.edu/linux/linux-security/" name="Linux Security home page.">

<sect1><heading>Why you might NOT want to shadow your passwd file
<p>
There are a few circumstances and configurations in which installing the <em>Shadow Suite</em> would <em>NOT</em> be a good idea:
<itemize>
<item>The machine contains no user accounts.
<item>The machine is on a LAN and uses Network Information Services (NIS) to get or supply user names and passwords to other machines on the network. (This can actually be done, but in practice it does not add any security.)
<item>The machine is used by terminal servers to verify users via NFS (Network File System), NIS, or some other method.
<item>The machine runs other software that validates users, and no shadow version or source code for it is available.
</itemize>
<sect1><heading>Format of the /etc/passwd file
<p>
A non-shadowed <tt>/etc/passwd</tt> file has the following format:
<tscreen><verb>username:passwd:UID:GID:full_name:directory:shell</verb></tscreen>
Where:
<descrip>
<tag/<tt>username</tt></tag> The user (login) name
<tag/<tt>passwd</tt></tag> The encoded password
<tag/<tt>UID</tt></tag> The numerical user ID
<tag/<tt>GID</tt></tag> The numerical default group ID
<tag/<tt>full_name</tt></tag> The user's full name. This field is actually called the GECOS (General Electric Comprehensive Operating System) field and can store information other than just the full name. The Shadow commands and manual pages refer to this field as the comment field.
<tag/<tt>directory</tt></tag> The user's home directory (absolute path)
<tag/<tt>shell</tt></tag> The user's login shell (absolute path)
</descrip>
For example:
<tscreen><verb>username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh</verb></tscreen>
Here <tt>Np</tt> is the salt and <tt>ge08pfz4wuk</tt> is the <em>encoded</em> password. The encoded salt/password could just as well have been <tt>kbeMVnZM0oL7I</tt>; the two strings are the same password. There are 4096 possible encodings of the same password. (The password in this example is "password", which is a rather <em>bad</em> password.)
<p>
Once the shadow suite is installed, the <tt>/etc/passwd</tt> line is replaced by:
<tscreen><verb>username:x:503:100:Full Name:/home/username:/bin/sh</verb></tscreen>
The <tt>x</tt> in the second field of this example is now just a place holder. The format of the <tt>/etc/passwd</tt> file has not really changed; it just no longer contains the <em>encoded</em> password. This means that any program that reads <tt>/etc/passwd</tt> but does not actually need to verify passwords will still work correctly.
<p>
The passwords are now relocated to the shadow file (usually <tt>/etc/shadow</tt>).

<sect1><heading>Format of the shadow file
<p>
The <tt>/etc/shadow</tt> file contains the following information:
<tscreen><verb>username:passwd:last:may:must:warn:expire:disable:reserved</verb></tscreen>
Where:
<descrip>
<tag/<tt>username</tt></tag> The user name
<tag/<tt>passwd</tt></tag> The encoded password
<tag/<tt>last</tt></tag> The date the password was last changed, as days since 1 January 1970
<tag/<tt>may</tt></tag> Days before the password may be changed
<tag/<tt>must</tt></tag> Days after which the password must be changed
<tag/<tt>warn</tt></tag> Days before the password expires that the user is warned
<tag/<tt>expire</tt></tag> Days after the password expires that the account is disabled
<tag/<tt>disable</tt></tag> The date the account is disabled, as days since 1 January 1970
<tag/<tt>reserved</tt></tag> A reserved field
</descrip>
The previous example would then become:
<tscreen><verb>username:Npge08pfz4wuk:9479:0:10000::::</verb></tscreen>

<sect1><heading>Review of crypt(3)
<p>
From the crypt(3) manual page:
<p>
&dquot;<em>crypt</em> is the password encryption function. It is based on the <em>Data Encryption Standard</em> algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.
<p>
[The] key is a user's typed password. [The encoded string is all NULLs]
<p>
[The] <em>salt</em> is a two-character string chosen from the set [a-zA-Z0-9./]. This string is used to perturb the algorithm in one of 4096 different ways.
<p>
By taking the lowest 7 bit[s] of each character of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose content is overwritten by each call.
<p>
<bf>Warning:</bf> The key space consists of 2**56, equal to 7.2e16, possible values. Exhaustive searches of this key space <bf>are possible</bf> using massively parallel computers. Software such as <tt>crack(1)</tt> is available which will search the portion of this key space that is generally used by humans for passwords. Hence, password selection should, at minimum, avoid common words and names. The use of a <tt>passwd(1)</tt> program that checks for crackable passwords during the selection process is recommended.
<p>
The DES algorithm itself has a few quirks which make the use of the <tt>crypt(3)</tt> interface a very poor choice for anything other than password authentication. If you are planning on using the <tt>crypt(3)</tt> interface for a cryptography project, don't do it: get a good book on encryption and one of the widely available DES libraries.&dquot;
<p>
Most <em>Shadow Suites</em> contain code for doubling the password length to 16 characters. Experts in <tt>des</tt> recommend against this, as the encoding is simply applied first to the left half and then to the right half of the longer password. Because of the way <tt>crypt</tt> works, this can produce a <em>less</em> secure encoded password than the single-length one. In addition, it is less likely that a user will be able to remember a 16-character password.
<p>
Development work is under way that would allow the authentication algorithm to be replaced with something more secure that supports longer passwords (for example the MD5 algorithm) while retaining compatibility with the <tt>crypt</tt> method.
<p>
If you are looking for a good book on encryption, I recommend:
<verb>
"Applied Cryptography: Protocols, Algorithms,
and Source Code in C" by Bruce Schneier <schneier@chinet.com>
ISBN: 0-471-59756-2
</verb>

<sect><heading>Getting the Shadow Suite
<sect1><heading>History of the Shadow Suite for Linux
<p>
<em>DO NOT USE THE PACKAGES IN THIS SECTION, THEY HAVE SECURITY PROBLEMS</em>
<p>
The original <em>Shadow Suite</em> was written by <tt>John F. Haugh II</tt>.
<p>
There are several versions that have been used on Linux systems:
<itemize>
<item><tt>shadow-3.3.1</tt> is the original.
<item><tt>shadow-3.3.1-2</tt> is a Linux-specific patch made by <htmlurl url="mailto:flla@stud.uni-sb.de" name="Florian La Roche <flla@stud.uni-sb.de>"> and contains some further enhancements.
<item><tt>shadow-mk</tt> was specifically packaged for Linux.
</itemize>
<p>
The <tt>shadow-mk</tt> package contains the <tt>shadow-3.3.1</tt> package distributed by <tt>John F. Haugh II</tt> with the <tt>shadow-3.3.1-2 patch</tt> installed, a few fixes made by <htmlurl url="mailto:magnus@texas.net" name="Mohan Kokal <magnus@texas.net>"> that make installation a lot easier, a patch by <tt>Joseph R.M. Zbiciak</tt> for <tt>login1.c</tt> (login.secure) that eliminates the -f, -h security holes in /bin/login, and some other miscellaneous patches.
<p>
The <tt>shadow.mk</tt> package was the <em>previously</em> recommended package, but should be replaced due to a <em>security problem</em> with the <tt>login</tt> program.
<p>
There are <em>security problems</em> with Shadow versions 3.3.1, 3.3.1-2, and shadow-mk involving the <tt>login</tt> program. This <tt>login</tt> bug involves not checking the length of a login name. This causes the buffer to overflow, causing crashes or worse. It has been rumored that this buffer overflow can allow someone with an account on the system to use this bug and the shared libraries to gain <em>root</em> access.
I won't discuss exactly how this is possible because there are a lot of Linux systems that are affected, but systems with these <em>Shadow Suites</em> installed, and most pre-ELF distributions <em>without</em> the <em>Shadow Suite</em>, are vulnerable!
<p>
For more information on this and other Linux security issues, see the <url url="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-telnetd.html" name="Linux Security home page (Shared Libraries and login Program Vulnerability)">

<sect1><heading>Where to get the Shadow Suite
<p>
The currently recommended <em>Shadow Suite</em> version is still a BETA test release; even so, the latest version is safe to use in a production environment and does not contain the vulnerable <tt>login</tt> program.
<p>
The package uses the naming convention:
<tscreen><verb>shadow-YYMMDD.tar.gz</verb></tscreen>
where <tt>YYMMDD</tt> is the release date of the Suite.
<p>
The current BETA version is <em>Version 3.3.3</em>, and it is maintained by <htmlurl url="mailto:marekm@i17linuxb.ists.pwr.wroc.pl" name="Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>">. It can be obtained from: <url url="ftp://i17linuxb.ists.pwr.wroc.pl/pub/linux/shadow/shadow-current.tar.gz" name="shadow-current.tar.gz">.
<p>
It can also be found at the following sites:
<itemize>
<item><htmlurl url="ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz" name="ftp://ftp.icm.edu.pl/pub/Linux/shadow/shadow-current.tar.gz">
<item><htmlurl url="ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz" name="ftp://iguana.hut.fi/pub/linux/shadow/shadow-current.tar.gz">
<item><htmlurl url="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz" name="ftp://ftp.cin.net/usr/ggallag/shadow/shadow-current.tar.gz">
<item><htmlurl url="ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz" name="ftp://ftp.netural.com/pub/linux/shadow/shadow-current.tar.gz">
</itemize>
<p>
You should get the latest version available.
<p>
You should <em>not</em> use any version older than <tt>shadow-960129</tt>, because those versions have the <tt>login</tt> security problem.
<p>
For reference, I used the <tt>shadow-960129</tt> file for the installation described here.
<p>
If you previously used <tt>shadow-mk</tt>, you should upgrade to this version and recompile.

<sect1><heading>What is included in the Shadow Suite?
<p>
The <em>Shadow Suite</em> contains replacement programs for:
<p>
<tt>su, login, passwd, newgrp, chfn, chsh, and id</tt>
<p>
The package also contains the new programs:
<p>
<tt>chage, newusers, dpasswd, gpasswd, useradd, userdel, usermod, groupadd, groupdel, groupmod, groups, pwck, grpck, lastlog, pwconv, and pwunconv</tt>
<p>
In addition, the library <tt>libshadow.a</tt> is included for writing and compiling programs that need to access user passwords.
<p>
Manual pages for the programs are also included.
<p>
There is also a configuration file for the login program, which will be installed as <tt>/etc/login.defs</tt>.

<sect><heading>Compiling the programs
<sect1><heading>Unpacking the archive
<p>
The first step after obtaining the package is unpacking it. The package is a tar archive compressed with gzip, so first move the file to <tt>/usr/src</tt> and then type:
<tscreen><verb>tar -xzvf shadow-current.tar.gz</verb></tscreen>
<p>
This unpacks into the directory <tt>/usr/src/shadow-YYMMDD</tt>.

<sect1><heading>Configuring the config.h file
<p>
The first thing you need to do is copy the <tt>Makefile</tt> and <tt>config.h</tt> files:
<tscreen><verb>cd /usr/src/shadow-YYMMDD
cp Makefile.linux Makefile
cp config.h.linux config.h</verb></tscreen>
<p>
Then you should look at the <tt>config.h</tt> file. It contains the definitions of some configuration options. If you are using the <em>recommended</em> package, I suggest you turn off group shadow support the first time through.
<p>
Shadowed group passwords are on by default. Turn them off in <tt>config.h</tt> by changing <tt>#define SHADOWGRP</tt> to <tt>#undef SHADOWGRP</tt>. I recommend turning them off at first, and then turning them back on and recompiling if you really need group passwords and group administrators. If you do turn them on, you <em>must</em> create the <tt>/etc/gshadow</tt> file.
<p>
Turning on the long password option is also not recommended.
<p>
<em>Do not</em> change the <tt>#undef AUTOSHADOW</tt> setting.
<p>
The <tt>AUTOSHADOW</tt> option was originally designed to let shadow work like a function. It sounds good in theory, but it does not work correctly. If you turn this option on and a program running as root calls <tt>getpwnam()</tt>, the program will then update the <tt>/etc/passwd</tt> file (with a <em>no-longer-shadowed password</em>). Such programs include chfn and chsh. (If root uses chfn or chsh, which call <tt>getpwnam()</tt>, the user's account ends up unusable.)
<p>
The same warning applies if you build libc: it has a <tt>SHADOW_COMPAT</tt> option that does the same thing. It should <em>not</em> be used! If encoded passwords start turning up in your <tt>/etc/passwd</tt> file, this is the problem.
<p>
If you are using a <tt>libc</tt> version higher than 4.6.27, you will need to make a number of changes to both <tt>config.h</tt> and the <tt>Makefile</tt>. In <tt>config.h</tt>, change:
<tscreen><verb>#define HAVE_BASENAME</verb></tscreen>
to:
<tscreen><verb>#undef HAVE_BASENAME</verb></tscreen>
Then in the <tt>Makefile</tt>, change:
<tscreen><verb>SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o
SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c
</verb></tscreen>
to:
<tscreen><verb>SOBJS = smain.o env.o entry.o susetup.o shell.o \
        sub.o mail.o motd.o sulog.o age.o tz.o hushed.o basename.o
SSRCS = smain.c env.c entry.c setup.c shell.c \
        pwent.c sub.c mail.c motd.c sulog.c shadow.c age.c pwpack.c rad64.c \
        tz.c hushed.c basename.c
</verb></tscreen>
These changes include the code in <tt>basename.c</tt>, which is needed with <tt>libc 4.6.27</tt>.

<sect1><heading>Making backups of the original programs
<p>
It is a good idea to make backups of the programs that the shadow suite is going to replace. On a Slackware 3.0 system, these files are:
<itemize>
<item>/bin/su
<item>/bin/login
<item>/usr/bin/passwd
<item>/usr/bin/newgrp
<item>/usr/bin/chfn
<item>/usr/bin/chsh
<item>/usr/bin/id
</itemize>
<p>
The BETA package already has a <em>save</em> target in the Makefile, but it has been commented out because different distributions put these programs in different places.
<p>
You should also back up your <tt>/etc/passwd</tt> file, but be careful what you name it: if you keep it in the same directory as I do, a clashing name will get in the way of the <tt>passwd</tt> command.

<sect1><heading>Running make
<p>
<em>You need to be logged in as root to run the installation procedure.</em>
<p>
Run make to compile the executables in the package:
<tscreen><verb>make all</verb></tscreen>
<p>
You may see the warning <tt>rcsid defined but not used</tt>. This is harmless; it only appears because the author uses a version control package.

<sect><heading>Installing
<sect1><heading>Have a boot disk handy
<p>
If something goes seriously wrong, a boot disk is useful. If you need a combined boot/root setup, see the <url url="http://sunsite.unc.edu/mdw/HOWTO/Bootdisk-HOWTO.html" name="Bootdisk-HOWTO"> for making a boot/root disk.

<sect1><heading>Removing duplicate man pages
<p>
You should also update the manual pages. Even if you are good enough to install the Shadow Suite without backups, you still have to remove the old manual pages, because the new ones will not correctly overwrite the old versions.
<p>
You can use a combination of <tt>man -aW command</tt> and <tt>locate command</tt> to find the manual pages that need to be removed. It is easier to find the old versions before you run <tt>make install</tt>.
<p>
If you are using Slackware 3.0, the manual pages you need to remove are:
<itemize>
<item>/usr/man/man1/chfn.1.gz
<item>/usr/man/man1/chsh.1.gz
<item>/usr/man/man1/id.1.gz
<item>/usr/man/man1/login.1.gz
<item>/usr/man/man1/passwd.1.gz
<item>/usr/man/man1/su.1.gz
<item>/usr/man/man5/passwd.5.gz
</itemize>
<p>
Files with the same names in the <tt>/var/man/cat[1-9]</tt> subdirectories also need to be deleted.

<sect1><heading>Running make install
<p>
Now you are ready to type (as root):
<tscreen><verb>make install</verb></tscreen>
<p>
This installs the new and updated programs and fixes the file permissions. It also installs the manual pages.
<p>
It also installs the Shadow Suite's include files in their correct location, <tt>/usr/include/shadow</tt>.
<p>
With the BETA package, you need to copy the <tt>login.defs</tt> file to the <tt>/etc</tt> directory by hand, and make sure that only <em>root</em> can change it:
<tscreen><verb>cp login.defs /etc
chmod 700 /etc/login.defs</verb></tscreen>
<p>
This file is the configuration file for the <em>login</em> program. You should review it and decide what changes it needs. This is where you decide which ttys root may log in from and set other security policies (such as the default password expiration).

<sect1><heading>Running pwconv
<p>
The next step is to run <tt>pwconv</tt>. This must also be done as <em>root</em>, and is best done from the <tt>/etc</tt> directory:
<tscreen><verb>cd /etc
/usr/sbin/pwconv</verb></tscreen>
<p>
<tt>pwconv</tt> takes your <tt>/etc/passwd</tt> file and strips out some fields to create two files: <tt>/etc/npasswd</tt> and <tt>/etc/nshadow</tt>.
<p>
A <tt>pwunconv</tt> program is also provided for building a normal <tt>/etc/passwd</tt> file back out of an <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt> combination.

<sect1><heading>Renaming npasswd and nshadow
<p>
Now that you have run <tt>pwconv</tt>, you have created the <tt>/etc/npasswd</tt> and <tt>/etc/nshadow</tt> files. These need to be copied over <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt>. We also want to keep a copy of the original <tt>/etc/passwd</tt> file, and make sure that only root can read it. We put that copy in root's home directory:
<tscreen><verb>cd /etc
cp passwd ~passwd
chmod 600 ~passwd
mv npasswd passwd
mv nshadow shadow</verb></tscreen>
<p>
You should also make sure that the ownership and permissions of the files are correct. If you are going to use <em>X-Windows</em>, <tt>xlock</tt> and <tt>xdm</tt> may need to read the <tt>shadow</tt> file (but they need not write to it).
<p>
There are two ways to do this. You can make <tt>xlock</tt> suid root (<tt>xdm</tt> normally runs as root already). Or you can have the <tt>shadow</tt> file owned by root and group <tt>shadow</tt>, but before doing so make sure you already have a shadow group (look in <tt>/etc/group</tt>). No user should actually be a member of the shadow group.
<tscreen><verb>chown root.root passwd
chown root.shadow shadow
chmod 0644 passwd
chmod 0640 shadow</verb></tscreen>
<p>
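The pwconv step above, together with the passwd and shadow formats described earlier, can be modelled in a few lines. The following Python is an added example and is not code from the HOWTO or from the Shadow Suite: the sample lines are constructed from the HOWTO's own examples, the 10000-day <tt>must</tt> value is the one pwconv wrote in that example, and the status rules are my reading of the field descriptions (the <tt>expire</tt> grace period is left out).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

EPOCH = date(1970, 1, 1)  # the shadow file counts days from here

# Constructed sample lines, copied from the examples in this HOWTO; nothing
# here reads or writes real system files.
SAMPLE_PASSWD_LINE = "username:Npge08pfz4wuk:503:100:Full Name:/home/username:/bin/sh"
SAMPLE_SHADOW_LINE = "username:Npge08pfz4wuk:9479:0:10000::::"
FRED_AFTER_USERADD = "fred:!:0:0:60:0:0:0:0"
FRED_AFTER_PASSWD = "fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0"


def days_since_epoch(d: date) -> int:
    """Encode a date the way the 'last' and 'disable' fields store it."""
    return (d - EPOCH).days


def shadow_date(days: int) -> date:
    """Inverse of days_since_epoch, for reading those fields back."""
    return EPOCH + timedelta(days=days)


def _opt_int(field: str) -> Optional[int]:
    """Numeric shadow fields may be empty, which means 'not set'."""
    return int(field) if field != "" else None


@dataclass
class ShadowEntry:
    """One line of /etc/shadow:
    username:passwd:last:may:must:warn:expire:disable:reserved"""
    username: str
    passwd: str
    last: Optional[int]
    may: Optional[int]
    must: Optional[int]
    warn: Optional[int]
    expire: Optional[int]
    disable: Optional[int]
    reserved: str

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        fields = line.rstrip("\n").split(":")
        if len(fields) != 9:
            raise ValueError("shadow entry needs 9 fields, got %d: %r" % (len(fields), line))
        numeric = [_opt_int(f) for f in fields[2:8]]
        return cls(fields[0], fields[1], *numeric, fields[8])

    def is_locked(self) -> bool:
        # useradd writes '!' here ('*' in /etc/passwd) until passwd(1) stores a
        # real crypt(3) result, so no typed password can match until then.
        return self.passwd.startswith(("!", "*"))

    def status(self, today: int) -> str:
        """How login would treat this entry on day `today` (days since epoch).
        0 or an empty field means 'not set', as in the fred example, and the
        'expire' grace period after password expiry is not modelled."""
        if self.is_locked():
            return "locked"
        if self.disable and today >= self.disable:
            return "disabled"
        if self.last is not None and self.must:
            expires_on = self.last + self.must
            if today >= expires_on:
                return "expired"
            if self.warn and today >= expires_on - self.warn:
                return "warn"
        return "ok"


def pwconv_line(passwd_line: str, today: int, must: int = 10000) -> Tuple[str, str]:
    """Model pwconv on one line: the encoded password moves into a shadow entry
    and an 'x' place holder is left behind in the passwd line.  `must` is the
    value pwconv wrote in the HOWTO's example (10000 days)."""
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("passwd entry needs 7 fields, got %d: %r" % (len(fields), passwd_line))
    name, encoded = fields[0], fields[1]
    fields[1] = "x"
    return ":".join(fields), "%s:%s:%d:0:%d::::" % (name, encoded, today, must)


def pwunconv_line(passwd_line: str, shadow_line: str) -> str:
    """Model pwunconv: put the encoded password back into the passwd line."""
    fields = passwd_line.rstrip("\n").split(":")
    entry = ShadowEntry.parse(shadow_line)
    if len(fields) != 7 or fields[0] != entry.username:
        raise ValueError("passwd and shadow entries are not for the same user")
    fields[1] = entry.passwd
    return ":".join(fields)


if __name__ == "__main__":
    new_passwd, new_shadow = pwconv_line(SAMPLE_PASSWD_LINE, today=9479)
    print(new_passwd)
    print(new_shadow)
    for line in (FRED_AFTER_USERADD, FRED_AFTER_PASSWD):
        entry = ShadowEntry.parse(line)
        print(entry.username, entry.status(today=9560),
              "password last changed", shadow_date(entry.last))
```

Run as a script it prints pwconv's result for the example line and the status of fred's entry before and after <tt>passwd fred</tt>.
<p>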
Your system now has shadowed passwords. You <em>should</em> now open another terminal window and verify that you can log in.
<p>
<em>Really, do this right now!</em>
<p>
If you cannot, something has gone wrong! To go back to a non-shadowed state, do the following:
<tscreen><verb>cd /etc
cp ~passwd passwd
chmod 644 passwd</verb></tscreen>
<p>
You would then restore the backed-up programs to the places you saved them from.

<sect><heading>Other programs you may need to upgrade or patch
<p>
Even though the shadow suite contains replacement programs for most of the programs that need to access the password file, there are still some additional programs on most systems that require access to it.
<p>
If you are running the <em>Debian distribution</em> (or even if you are not), you can find the source code that Debian needs to rebuild at: ftp://ftp.debian.org/debian/stable/source/
<p>
The remainder of this section discusses updating <tt>adduser</tt>, <tt>wu_ftpd</tt>, <tt>ftpd</tt>, <tt>pop3d</tt>, <tt>xlock</tt>, <tt>xdm</tt>, and <tt>sudo</tt> so that they support the shadow suite.
<p>
See the section <ref id="sec-adding" name="Adding Shadow Support to a C program"> for a discussion of how to put shadow support into other programs that need it (although such programs must run SUID root or SGID shadow to access the shadow file correctly).

<sect1><heading>The Slackware adduser program
<p>
Slackware distributions contain an interactive program for adding users called <tt>/sbin/adduser</tt>. A shadow version of this program can be found at <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tgz" name="ftp://sunsite.unc.edu/pub/Linux/system/Admin/accounts/adduser.shadow-1.4.tar.gz">.
<p>
I strongly encourage you to use the programs supplied with the <em>Shadow Suite</em> (<tt>useradd</tt>, <tt>usermod</tt>, and <tt>userdel</tt>) in place of the Slackware <tt>adduser</tt> program. They take a little time to learn, but it is worth it, because you get much more control and they lock <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt> properly (<tt>adduser</tt> does not).
<p>
See the section <ref id="sec-work" name="Putting the Shadow Suite to use"> for more information.
<p>
But if you already have it and want to keep it, here is what to do:
<tscreen><verb>tar -xzvf adduser.shadow-1.4.tar.gz
cd adduser
make clean
make adduser
chmod 700 adduser
cp adduser /sbin</verb></tscreen>

<sect1><heading>wu_ftpd Server
<p>
Most Linux distributions come with the <tt>wu_ftpd</tt> server. If your distribution did not come with shadow installed, your <tt>wu_ftpd</tt> will not have been compiled for shadow. <tt>wu_ftpd</tt> is started from <tt>inetd/tcpd</tt> and runs as <em>root</em>. If you are running an older version of the <tt>wu_ftpd</tt> daemon, you will want to update it in any case, because older versions have a bug that compromises <em>root</em>. (See the <url url="http://bach.cis.temple.edu/linux/linux-security/Linux-Security-FAQ/Linux-wu.ftpd-2.4-Update.html" name="Linux security home page"> for more information.)
<p>
Fortunately, you only need to get the shadow-enabled source code and recompile!
<p>
If you are not running an ELF system, the <tt>wu_ftp</tt> server can be found at Sunsite: <url url="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/wu-ftpd-2.4-fixed.tar.gz" name="wu-ftp-2.4-fixed.tar.gz">.
<p>
Once you have the server, put it in <tt>/usr/src</tt> and type:
<tscreen><verb>cd /usr/src
tar -xzvf wu-ftpd-2.4-fixed.tar.gz
cd wu-ftpd-2.4-fixed
cp ./src/config/config.lnx.shadow ./src/config/config.lnx</verb></tscreen>
<p>
Then edit <tt>./src/makefiles/Makefile.lnx</tt> and change the line
<tscreen><verb>LIBES = -lbsd -support</verb></tscreen>
to:
<tscreen><verb>LIBES = -lbsd -support -lshadow</verb></tscreen>
<p>
Now you are ready to run the build script and install:
<tscreen><verb>cd /usr/src/wu-ftpd-2.4-fixed
/usr/src/wu-ftp-2.4.fixed/build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd</verb></tscreen>
<p>
This uses the Linux shadow configuration file to compile and install the server.
<p>
On my Slackware 2.3 system I also needed to do the following before running <tt>build</tt>:
<tscreen><verb>cd /usr/include/netinet
ln -s in_systm.h in_system.h
cd -</verb></tscreen>
<p>
There have been reports of compile problems on ELF systems, but the next Beta version builds correctly. It can be found at <url url="ftp://tscnet.com/pub/linux/network/ftp/wu-ftpd-2.4.2-beta-10.tar.gz" name="wu-ftp-2.4.2-beta-10.tar.gz">.
<p>
Once you have the server, put it in <tt>/usr/src</tt> and type:
<tscreen><verb>cd /usr/src
tar -xzvf wu-ftpd-2.4.2-beta-9.tar.gz
cd wu-ftpd-beta-9
cd ./src/config</verb></tscreen>
<p>
Then edit <tt>config.lnx</tt> and change the line
<tscreen><verb>#undef SHADOW.PASSWORD</verb></tscreen>
to:
<tscreen><verb>#define SHADOW.PASSWORD</verb></tscreen>
Then
<tscreen><verb>cd ../Makefiles</verb></tscreen>
and edit the <tt>Makefile.lnx</tt> file, changing
<tscreen><verb>LIBES = -lsupport -lbsd # -lshadow</verb></tscreen>
to:
<tscreen><verb>LIBES = -lsupport -lbsd -lshadow</verb></tscreen>
Then build and install:
<tscreen><verb>cd ..
build lnx
cp /usr/sbin/wu.ftpd /usr/sbin/wu.ftpd.old
cp ./bin/ftpd /usr/sbin/wu.ftpd</verb></tscreen>
<p>
Note: you should check your <tt>/etc/inetd.conf</tt> file to confirm where your wu.ftpd server really lives. Some distributions put the server daemons in different places or under different names.

<sect1><heading>Standard ftpd
<p>
If you are running the standard <tt>ftpd</tt> server, I recommend upgrading to the <tt>wu_ftpd</tt> server. Apart from the bug mentioned above, the system will be more secure.
<p>
If you insist on staying with the standard one, or you need <em>NIS</em> support, there is one at Sunsite: <url url="ftp://sunsite.unc.edu/pub/Linux/system/Network/file-transfer/ftpd-shadow-nis.tgz" name="ftpd-shadow-nis.tgz">.

<sect1><heading>pop3d (Post Office Protocol 3)
<p>
If you need to support the <em>Post Office Protocol version 3 (POP3)</em>, you will need to recompile the <tt>pop3d</tt> program. <tt>pop3d</tt> normally runs as <tt>root</tt> via <tt>inetd/tcpd</tt>.
<p>
Two versions are available from Sunsite: <url url="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d-1.00.4.linux.shadow.tar.gz" name="pop3d-1.00.4.linux.shadow.tar.gz"> and <url url="ftp://sunsite.unc.edu/pub/Linux/system/Mail/pop/pop3d+shadow+elf.tar.gz" name="pop3d+shadow+elf.tar.gz">
<p>
Both are simple to install.

<sect1><heading>xlock
<p>
If you install the shadow suite, then run the <em>X Windows System</em> and lock the screen without having updated your <tt>xlock</tt>, you will have to use <tt>CNTL-ALT-Fx</tt> to switch to another <em>tty</em>, log in, and kill the <tt>xlock</tt> process (or use <tt>CNTL-ALT-BS</tt> to kill the X server). Fortunately, it is easy to update your <tt>xlock</tt> program.
<p>
If you are running XFree86 Versions 3.x.x, you are probably using <tt>xlockmore</tt> (which is a great screen saver). This package supports <em>shadow</em>; it only needs to be recompiled. If you have any older version of <tt>xlock</tt>, I recommend upgrading to the following version:
<p>
<tt>xlockmore-3.5.tgz</tt> is available from <url url="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/screensavers/xlockmore-3.7.tgz">
<p>
Basically, here is what you need to do.
<p>
Get <tt>xlockmore-3.7.tgz</tt>, put it in <tt>/usr/src</tt>, and unpack it:
<tscreen><verb>tar -xzvf xlockmore-3.7.tgz</verb></tscreen>
<p>
Edit the file <tt>/usr/X11R6/lib/X11/config/linux.cf</tt> and change the line
<tscreen><verb>#define HasShadowPasswd NO</verb></tscreen>
to:
<tscreen><verb>#define HasShadowPasswd YES</verb></tscreen>
<p>
Then build the executable:
<tscreen><verb>cd /usr/src/xlockmore
xmkmf
make depend
make</verb></tscreen>
<p>
Then move the files to the correct directories and update the file ownership and permissions:
<tscreen><verb>cp xlock /usr/X11R6/bin/
cp XLock /var/X11R6/lib/app-defaults/
chown root.shadow /usr/X11R6/bin/xlock
chmod 2755 /usr/X11R6/bin/xlock
chown root.shadow /etc/shadow
chmod 640 /etc/shadow</verb></tscreen>
<p>
Your xlock will now work correctly!

<sect1><heading>xdm
<p>
<tt>xdm</tt> is a program that displays a login screen under X-Windows. Some systems start <tt>xdm</tt> when the system enters a particular run level (see <tt>/etc/inittab</tt>).
<p>
With the <em>Shadow Suite</em> installed, <tt>xdm</tt> needs to be updated. Fortunately, it is also easy to update your <tt>xdm</tt> program.
<p>
<tt>xdm.tar.gz</tt> is available from: <url url="ftp://sunsite.unc.edu/pub/Linux/X11/xutils/xdm.tar.gz">
<p>
Get <tt>xdm.tar.gz</tt>, put it in <tt>/usr/src</tt>, and unpack it:
<tscreen><verb>tar -xzvf xdm.tar.gz</verb></tscreen>
<p>
Edit the file <tt>/usr/X11R6/lib/X11/config/linux.cf</tt> and change the line
<tscreen><verb>#define HasShadowPasswd NO</verb></tscreen>
to:
<tscreen><verb>#define HasShadowPasswd YES</verb></tscreen>
<p>
Then build the executable:
<tscreen><verb>cd /usr/src/xdm
xmkmf
make depend
make</verb></tscreen>
<p>
Then move everything to the correct directory:
<tscreen><verb>cp xdm /usr/X11R6/bin/</verb></tscreen>
<p>
<tt>xdm</tt> runs as <em>root</em>, so you do not need to change any file permissions.

<sect1><heading>sudo
<p>
The <tt>sudo</tt> program lets a system administrator allow users to run programs as root. This is very handy because it limits administrative use of the root account itself, and it also lets users do things like mount drives.
<p>
<tt>sudo</tt> needs to read passwords because it verifies the user's password when run. <tt>sudo</tt> already runs SUID root, so access to <tt>/etc/shadow</tt> is not a problem.
<p>
A <tt>sudo</tt> with shadow suite support can be obtained from: <url url="ftp://sunsite.unc.edu/pub/Linux/system/Admin/sudo-1.2-shadow.tgz">
<p>
<em>Warning</em>: when you install <tt>sudo</tt>, your <tt>/etc/sudoers</tt> file is replaced with the default one, so you need to back up the original. If you have added any settings to the default, you may want to edit the Makefile and remove the line that copies the file to <tt>/etc</tt>.
<p>
The package is already configured for shadow, so all you need to do is recompile it (put it in <tt>/usr/src</tt>):
<tscreen><verb>cd /usr/src
tar -xzvf sudo-1.2-shadow.tgz
cd sudo-1.2-shadow
make all
make install</verb></tscreen>

<sect1><heading>imapd (E-Mail [pine package])
<p>
<tt>imapd</tt> is an e-mail server like <tt>pop3d</tt>. <tt>imapd</tt> comes with the <em>Pine E-mail</em> package. Its manual pages say that shadow support is included when building the package. However, I have found that this is not entirely correct. In addition, linking the <tt>libshadow.a</tt> library in at compile time with the package's build script / Makefile is very difficult. So adding shadow support to <tt>imapd</tt> is not very likely.
<p>
If anyone has an answer, e-mail me and I will put it here.

<sect1><heading>pppd (Point-to-Point Protocol Server)
<p>
The pppd server can use several forms of authentication: the <em>Password Authentication Protocol</em> (PAP) and the <em>Cryptographic Handshake Authentication Protocol</em> (CHAP). The pppd server reads its password strings from the <tt>/etc/ppp/chap-secrets</tt> and/or <tt>/etc/ppp/pap-secrets</tt> files. If you are running pppd in the default way, there is no need to reinstall pppd.
<p>
pppd also allows you to use the <em>login</em> option. If the <em>login</em> option is selected, pppd uses the account password from the <tt>/etc/passwd</tt> file for <em>PAP</em>.
Of course, before long the password file will be shadowed. <tt>pppd-1.2.1d</tt> has had shadow support added to it.
<p>
The example of adding shadow support in the next section is for <tt>pppd-1.2.1d</tt> (an older version of pppd).
<p>
<tt>pppd-2.2.0</tt> already includes shadow support.
<sect><heading>Putting the Shadow Suite to use<label id="sec-work">
<p>
This section describes the programs you need to know about once the <em>Shadow Suite</em> is installed. Most of this information can be found in the manual pages.
<sect1><heading>Adding, modifying, and deleting users
<p>
The <em>Shadow Suite</em> adds the following commands for adding, modifying and deleting users. It is also possible to install the <tt>adduser</tt> program.
<sect2><heading>useradd
<p>
The <tt>useradd</tt> command is used to add users to the system. You can also use this command to change the default settings.
<p>
The first thing you should do is check the current defaults and change them to suit your system:
<tscreen><verb>
useradd -D
</verb></tscreen>
<code>
GROUP=1
HOME=/home
INACTIVE=0
EXPIRE=0
SHELL=
SKEL=/etc/skel
</code>
<p>
The defaults are not entirely what you want, so if you start adding users with them you will have to specify every user's information in full. Rather than that, we can and should change the defaults.
<p>
On my system:
<itemize>
<item>I want the default group to be 100
<item>I want passwords to expire every 60 days
<item>I do not want accounts locked because the password has expired
<item>I want the default shell to be <tt>/bin/bash</tt>
</itemize>
To make these changes I use:
<tscreen><verb>
useradd -D -g100 -e60 -f0 -s/bin/bash
</verb></tscreen>
<p>
Now running <tt>useradd -D</tt> gives:
<code>
GROUP=100
HOME=/home
INACTIVE=0
EXPIRE=60
SHELL=/bin/bash
SKEL=/etc/skel
</code>
<p>
Although you should change them with the command when you need to, the defaults are stored in <tt>/etc/default/useradd</tt>.
<p>
Now you can use <tt>useradd</tt> to add users to the system. For example, to add the user <tt>fred</tt> using the defaults you would use:
<tscreen><verb>
useradd -m -c "Fred Flintstone" fred
</verb></tscreen>
This creates the following line in the <tt>/etc/passwd</tt> file:
<tscreen><verb>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/bash
</verb></tscreen>
and the following line in the <tt>/etc/shadow</tt> file:
<tscreen><verb>
fred:!:0:0:60:0:0:0:0
</verb></tscreen>
<tt>fred</tt>'s home directory is created and the contents of <tt>/etc/skel</tt> are copied into it, because of the <tt>-m</tt> switch on the command line.
<p>
Since we did not specify a UID, the system simply takes the next available number.
<p>
<tt>fred</tt>'s account has been created, but <tt>fred</tt> still cannot log in until we unlock the account. The account is unlocked by changing the password, as follows:
<tscreen><verb>
passwd fred
</verb></tscreen>
<code>
Changing password for fred
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New Password: *******
Re-enter new password: *******
</code>
Now the <tt>/etc/shadow</tt> file contains:
<tscreen><verb>
fred:J0C.WDR1amIt6:9559:0:60:0:0:0:0
</verb></tscreen>
and <tt>fred</tt> can log in and use the system. The nice thing about <tt>useradd</tt> and the other programs that come with the <em>Shadow Suite</em> is that they make the changes to <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt> for you. So if you are adding a user while another user is changing his password, both operations are carried out correctly.
<p>
You should use the supplied commands rather than editing the <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt> files directly. If you were editing <tt>/etc/shadow</tt>, a user changed his password while you were editing, and you then saved your edits, that user's password change would be lost.
<p>
Here is a small interactive script that adds users with <tt>useradd</tt> and <tt>passwd</tt>:
<code>
#!/bin/bash
#
# /sbin/newuser - A script to add users to the system using the Shadow
# Suite's useradd and passwd commands.
#
# Written by Mike Jackson <mhjack@tscnet.com> as an example for the Linux
# Shadow Password Howto.  Permission to use and modify is expressly granted.
#
# This could be modified to show the defaults and allow modification similar
# to the Slackware Adduser program.  It could also be modified to disallow
# stupid entries.  (i.e. better error checking).
#

##
# Defaults for the useradd command
##
GROUP=100            # Default Group
HOME=/home           # Home directory location (/home/username)
SKEL=/etc/skel       # Skeleton Directory
INACTIVE=0           # Days after password expires to disable account (0=never)
EXPIRE=60            # Days that a passwords lasts
SHELL=/bin/bash      # Default Shell (full path)

##
# Defaults for the passwd command
##
PASSMIN=0            # Days between password changes
PASSWARN=14          # Days before password expires that a warning is given

##
# Ensure that root is running the script.
##
WHOAMI=`/usr/bin/whoami`
if [ "$WHOAMI" != "root" ]; then
  echo "You must be root to add new users!"
  exit 1
fi

##
# Ask for username and fullname.
##
echo ""
echo -n "Username: "
read USERNAME
echo -n "Full name: "
read FULLNAME
#
echo "Adding user: $USERNAME."
#
# Note that the "" around $FULLNAME is required because this field is
# almost always going to contain at least one space, and without the "'s
# the useradd command would think that you were moving on to the next
# parameter when it reached the SPACE character.
#
/usr/sbin/useradd -c"$FULLNAME" -d$HOME/$USERNAME -e$EXPIRE \
   -f$INACTIVE -g$GROUP -m -k$SKEL -s$SHELL $USERNAME

##
# Set password defaults
##
/bin/passwd -n $PASSMIN -w $PASSWARN $USERNAME >/dev/null 2>&1

##
# Let the passwd command actually ask for password (twice)
##
/bin/passwd $USERNAME

##
# Show what was done.
##
echo ""
echo "Entry from /etc/passwd:"
echo -n "   "
grep "^$USERNAME:" /etc/passwd
echo "Entry from /etc/shadow:"
echo -n "   "
grep "^$USERNAME:" /etc/shadow
echo "Summary output of the passwd command:"
echo -n "   "
passwd -S $USERNAME
echo ""
</code>
<p>
Adding users with a script like this is better than editing <tt>/etc/passwd</tt> / <tt>/etc/shadow</tt> directly or using a program like Slackware's <tt>adduser</tt>.
<p>
For more information on <tt>useradd</tt>, see the online manual page.
<sect2><heading>usermod
<p>
The <tt>usermod</tt> program is used to modify the information about a user. Its parameters are similar to those of the <tt>useradd</tt> program.
<p>
If you want to change <tt>fred</tt>'s shell, you would do:
<tscreen><verb>
usermod -s /bin/tcsh fred
</verb></tscreen>
Now <tt>fred</tt>'s <tt>/etc/passwd</tt> entry becomes:
<tscreen><verb>
fred:*:505:100:Fred Flintstone:/home/fred:/bin/tcsh
</verb></tscreen>
To make <tt>fred</tt>'s account expire on 09/15/97:
<tscreen><verb>
usermod -e 09/15/97 fred
</verb></tscreen>
Now <tt>fred</tt>'s entry in <tt>/etc/shadow</tt> becomes:
<tscreen><verb>
fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0
</verb></tscreen>
<p>
For more information on <tt>usermod</tt>, see the online manual page.
<sect2><heading>userdel
<p>
<tt>userdel</tt> is used to delete users; it is used as follows:
<tscreen><verb>
userdel -r username
</verb></tscreen>
The <tt>-r</tt> switch removes the whole of the user's home directory. Files in other directories must be removed by hand.
<p>
If you only want to lock the account rather than delete it, the <tt>passwd</tt> command is recommended instead.
<sect1><heading>The passwd command and password aging
<p>
The <tt>passwd</tt> command is obviously used to change passwords; in addition, <em>root</em> can use it to:
<itemize>
<item>lock and unlock accounts (<tt>-l</tt> and <tt>-u</tt>)
<item>set the maximum number of days a password stays valid (<tt>-x</tt>)
<item>set the minimum number of days between password changes (<tt>-n</tt>)
<item>set the number of days of warning before a password expires (<tt>-w</tt>)
<item>set the number of days after the password expires before the account is locked (<tt>-i</tt>)
<item>query account information (<tt>-S</tt>)
</itemize>
<p>
For example, to look at <tt>fred</tt>'s account:
<tscreen><verb>
passwd -S fred
fred P 03/04/96 0 60 0 0
</verb></tscreen>
This says that <tt>fred</tt>'s password is valid, that it was changed on 03/04/96 and may be changed again at any time, that <tt>fred</tt> will receive no warning, and that the account will not be disabled when the password expires.
<p>
It also means that if <tt>fred</tt> logs in after his password has expired, he will be required to choose a new password at login.
<p>
If we decide to warn <tt>fred</tt> 14 days before his password expires, and to make his account inactive 14 days after it has expired, we need to do the following:
<tscreen><verb>
passwd -w14 -i14 fred
</verb></tscreen>
Now <tt>fred</tt>'s entry becomes:
<tscreen><verb>
fred P 03/04/96 0 60 14 14
</verb></tscreen>
For more information on <tt>passwd</tt>, see the online manual page.
<sect1><heading>The login.defs file
<p>
The <tt>/etc/login.defs</tt> file is the configuration file for the <tt>login</tt> program and for the <em>Shadow Suite</em> as a whole.
<p>
<tt>/etc/login.defs</tt> contains the settings that drive everything from the defaults for password changes onward.
<p>
The <tt>/etc/login.defs</tt> file is very well documented; still, there are some things to note:
<itemize>
<item>It contains flags that can be turned on or off that determine the amount of logging that takes place.
<item>It contains pointers to other configuration files.
<item>It contains default assignments for things like password aging.
</itemize>
<p>
From the above you can see that this is an important file, and you should check its current settings and decide what you want them to be for your system.
<sect1><heading>Group passwords
<p>
The <tt>/etc/group</tt> file holds passwords that allow users to access a group. If you define <tt>SHADOWGRP</tt> in the <tt>/usr/src/shadow-YYMMDD/config.h</tt> file, this feature is enabled.
<p>
If you define that constant and compile with it, you need to create an <tt>/etc/gshadow</tt> file to hold the group passwords and the group administrator information.
<p>
When you created <tt>/etc/shadow</tt> you used a program called <tt>pwconv</tt>. That program does not create the <tt>/etc/gshadow</tt> file, but that does not matter; you simply create it yourself.
<p>
To create the initial <tt>/etc/gshadow</tt> file, run the following:
<tscreen><verb>
touch /etc/gshadow
chown root.root /etc/gshadow
chmod 700 /etc/gshadow
</verb></tscreen>
<p>
Each time you create a new group it is added to both <tt>/etc/group</tt> and <tt>/etc/gshadow</tt>. If you modify a group by adding or removing users, or change the group password, the <tt>/etc/gshadow</tt> file is changed as well.
<p>
The <tt>groups</tt>, <tt>groupadd</tt>, <tt>groupmod</tt> and <tt>groupdel</tt> programs are supplied as part of the <em>Shadow Suite</em> for modifying groups.
<p>
The format of the <tt>/etc/group</tt> file is:
<tscreen><verb>
groupname:!:GID:member,member,...
</verb></tscreen>
where:
<descrip>
<tag><tt>groupname</tt></tag> The name of the group
<tag><tt>!</tt></tag> The field that normally holds the password, but which is now relocated to the <tt>/etc/gshadow</tt> file.
<tag><tt>GID</tt></tag> The numerical group ID number
<tag><tt>member</tt></tag> List of group members
</descrip>
<p>
The format of the <tt>/etc/gshadow</tt> file is:
<tscreen><verb>
groupname:password:admin,admin,...:member,member,...
</verb></tscreen>
where:
<descrip>
<tag><tt>groupname</tt></tag> The name of the group
<tag><tt>password</tt></tag> The encoded group password.
<tag><tt>admin</tt></tag> List of group administrators
<tag><tt>member</tt></tag> List of group members
</descrip>
<p>
The <tt>gpasswd</tt> command is used to add and remove group administrators and group members. <tt>root</tt>, or anyone in the group's list of administrators, can add or remove group members.
<p>
The group password can be changed with the <tt>passwd</tt> command; this requires <em>root</em> or an account that is in the group's administrator list.
<p>
Despite the fact that there is not currently a manual page for <tt>gpasswd</tt>, typing <tt>gpasswd</tt> without any parameters gives a listing of options. It is fairly easy to grasp how it all works once you understand the file formats and the concepts.
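The <tt>/etc/shadow</tt> entries shown above for <tt>fred</tt> are what every login program and the suite's checking tools have to interpret field by field. The C program below is an added illustration for this document, not part of the HOWTO or of the <em>Shadow Suite</em>: it parses such a line into a structure shaped like the suite's <tt>spwd</tt> and decides whether the entry permits a login, treating an empty password field as a locked account rather than as "no password required". The names <tt>shadow_rec</tt>, <tt>parse_shadow_line</tt> and <tt>shadow_status</tt> are this example's own; the sample entries are the document's, and the day number used as "today" is constructed.

```c
/* Parse /etc/shadow entries and decide whether each permits a login.
 * Added example for this HOWTO, not Shadow Suite code: it works on text only,
 * so no root access is needed. Names are this example's own; sample entries
 * come from the HOWTO, the day numbers used as "today" are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_FIELDS 9      /* pwck's first check: the right number of fields */

/* Mirrors libshadow's struct spwd; numeric fields are -1 when left empty. */
struct shadow_rec {
    char name[33];
    char pwdp[129];          /* encoded password, or "!" / "*" when locked */
    long lstchg, min, max, warn, inact, expire;
};

enum shadow_status { SHADOW_OK, SHADOW_LOCKED, SHADOW_ACCOUNT_EXPIRED,
                     SHADOW_MUST_CHANGE, SHADOW_PASSWORD_EXPIRED };

/* Empty numeric field -> -1 (not set); anything non-numeric is a format error. */
static int parse_days(const char *s, long *out)
{
    char *end;
    if (*s == '\0') { *out = -1; return 0; }
    errno = 0;
    *out = strtol(s, &end, 10);
    return (errno == 0 && *end == '\0' && *out >= 0) ? 0 : -1;
}

/* Split "name:pwd:lstchg:min:max:warn:inact:expire:flag" into rec.
 * Returns 0 on success, -1 on a wrong field count or a bad number. */
int parse_shadow_line(const char *line, struct shadow_rec *rec)
{
    char buf[512], *fields[SHADOW_FIELDS], *p = buf;
    long *nums[6] = { &rec->lstchg, &rec->min, &rec->max,
                      &rec->warn, &rec->inact, &rec->expire };
    int n = 0, i;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    /* Split on ':' by hand: strtok() would merge the empty fields that are
     * legal here, such as an unset expiry date. */
    fields[n++] = p;
    while (n < SHADOW_FIELDS && (p = strchr(p, ':')) != NULL) {
        *p++ = '\0';
        fields[n++] = p;
    }
    if (n != SHADOW_FIELDS || strchr(fields[SHADOW_FIELDS - 1], ':') != NULL)
        return -1;                               /* too few or too many fields */
    if (fields[0][0] == '\0' || strlen(fields[0]) >= sizeof rec->name
        || strlen(fields[1]) >= sizeof rec->pwdp)
        return -1;
    strcpy(rec->name, fields[0]);
    strcpy(rec->pwdp, fields[1]);
    for (i = 0; i < 6; i++)
        if (parse_days(fields[2 + i], nums[i]) != 0) return -1;
    return 0;                    /* field 9 (sp_flag) is reserved and ignored */
}

/* today is in days since 1/1/70, the unit /etc/shadow uses. As in the Shadow
 * Suite's login, 0 in sp_expire or sp_max means "not set"; the account expires
 * on day sp_expire and the password after sp_lstchg + sp_max. sp_inact is not
 * modelled here. */
enum shadow_status shadow_status(const struct shadow_rec *r, long today)
{
    /* An empty field means a locked account, not "no password needed": that is
     * the pppd login() mistake this HOWTO corrects with UPAP_AUTHNAK. */
    if (r->pwdp[0] == '\0' || r->pwdp[0] == '!' || r->pwdp[0] == '*')
        return SHADOW_LOCKED;
    if (r->expire > 0 && today >= r->expire)
        return SHADOW_ACCOUNT_EXPIRED;
    if (r->lstchg == 0)          /* as useradd leaves it: change at first login */
        return SHADOW_MUST_CHANGE;
    if (r->max > 0 && r->lstchg + r->max < today)
        return SHADOW_PASSWORD_EXPIRED;
    return SHADOW_OK;
}

int main(void)
{   /* The HOWTO's two fred entries, checked on day 10119 (fred's 09/15/97 expiry) */
    const char *lines[] = { "fred:!:0:0:60:0:0:0:0",
                            "fred:J0C.WDR1amIt6:9559:0:60:0:0:10119:0" };
    struct shadow_rec rec;
    for (int i = 0; i < 2; i++)
        printf("%s -> status %d\n", lines[i],
               parse_shadow_line(lines[i], &rec) ? -1 : (int)shadow_status(&rec, 10119));
    return 0;
}
```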
<sect1><heading>Consistency checking programs
<p>
<sect2><heading>pwck
<p>
The <tt>pwck</tt> program provides consistency checking of the <tt>/etc/passwd</tt> and <tt>/etc/shadow</tt> files. It checks each user name and verifies the following:
<itemize>
<item>the correct number of fields
<item>unique user name
<item>valid user and group identifier
<item>valid primary group
<item>valid home directory
<item>valid login shell
</itemize>
<p>
It also warns of accounts that have no password.
<p>
It is a good idea to run <tt>pwck</tt> after installing the <em>Shadow Suite</em>. It can also be run periodically, weekly or monthly. If you use the <tt>-r</tt> switch, you can run it from <tt>cron</tt> and receive the report by email.
<sect2><heading>grpck
<p>
<tt>grpck</tt> is the consistency checking program for the <tt>/etc/group</tt> and <tt>/etc/gshadow</tt> files. It performs the following checks:
<itemize>
<item>the correct number of fields
<item>unique group name
<item>valid list of members and administrators
</itemize>
<p>
It also has a <tt>-r</tt> switch for producing reports automatically.
<sect1><heading>Dial-up passwords
<p>
Dial-up passwords are another optional line of defence for systems that allow dial-up access. If you have a system that lets many people connect over the local area network, but you want to restrict who may dial in, then you need dial-up passwords. To enable dial-up passwords you must edit the <tt>/etc/login.defs</tt> file and make sure that <tt>DIALUPS_CHECK_ENAB</tt> is set to <tt>yes</tt>.
<p>
Two files hold the dial-up information. <tt>/etc/dialups</tt> contains the ttys (one per line, with the leading "/dev/" removed). If a tty is listed, dial-up checking is performed.
<p>
The second file is <tt>/etc/d_passwd</tt>. This file contains the fully qualified path names of shells.
<p>
If a user logs in on a line listed in <tt>/etc/dialups</tt>, and his shell is listed in the <tt>/etc/d_passwd</tt> file, he is allowed access only after supplying the correct password.
<p>
Another use of dial-up passwords is to set up lines that allow only certain kinds of connection (perhaps a PPP or UUCP connection). If a user tries to obtain another kind of connection (i.e. a listed shell), he must know the password for that line.
<p>
Before you can use dial-up passwords, you need to create these files.
<p>
The <tt>dpasswd</tt> command assigns passwords to the shells in the <tt>/etc/d_passwd</tt> file. See the manual page for more information.
<sect><heading>Adding shadow support to a C program<label id="sec-adding">
<p>
Adding shadow support to a program is actually quite straightforward. The only problem is that the program must run with root (or SUID root) privileges in order to access the <tt>/etc/shadow</tt> file.
<p>
This presents one big problem: great care must be taken in how the program behaves when writing SUID programs. For example, a program that has a shell escape must not be made SUID root.
<p>
For a program that only checks a password and does not otherwise need to run as root, it is safer to make it SUID shadow instead of SUID root. The <tt>xlock</tt> program is an example of this.
<p>
In the example that follows, <tt>pppd-1.2.1d</tt> already runs SUID root, so adding shadow support should not affect the program in that respect.
<sect1><heading>Header files
<p>
The header files live in <tt>/usr/include/shadow</tt>. There should be a <tt>/usr/include/shadow.h</tt> file, but it is a symbolic link to <tt>/usr/include/shadow/shadow.h</tt>.
<p>
To add shadow support to a program, you need to include the header files:
<verb>
#include <shadow/shadow.h>
#include <shadow/pwauth.h>
</verb>
<p>
<sect1><heading>The libshadow.a library
<p>
When you installed the <em>Shadow Suite</em>, the <tt>libshadow.a</tt> file was created and installed in the <tt>/usr/lib</tt> directory.
<p>
When compiling a program with shadow support, the linker needs to have the <tt>libshadow.a</tt> library included in the link.
<p>
This is done as follows:
<tscreen><verb>
gcc program.c -o program -lshadow
</verb></tscreen>
<p>
However, as in the example we will look at next, most large programs use a <tt>Makefile</tt>, and there is usually a variable called <tt>LIBS=...</tt> that needs to be modified.
<sect1><heading>Shadow structure
<p>
The <tt>libshadow.a</tt> library uses a structure for the information it reads from the <tt>/etc/shadow</tt> file. This is the definition of the <tt>spwd</tt> structure from the <tt>/usr/include/shadow/shadow.h</tt> header file:
<code>
struct spwd
{
  char *sp_namp;          /* login name */
  char *sp_pwdp;          /* encrypted password */
  sptime sp_lstchg;       /* date of last change */
  sptime sp_min;          /* minimum number of days between changes */
  sptime sp_max;          /* maximum number of days between changes */
  sptime sp_warn;         /* number of days of warning before password expires */
  sptime sp_inact;        /* number of days after password expires until
                             the account becomes unusable. */
  sptime sp_expire;       /* days since 1/1/70 until account expires */
  unsigned long sp_flag;  /* reserved for future use */
};
</code>
<p>
The <em>Shadow Suite</em> can put data other than the encoded password into the <tt>sp_pwdp</tt> field. The password field may contain:
<tscreen><verb>
username:Npge08pfz4wuk;@/sbin/extra:9479:0:10000::::
</verb></tscreen>
<p>
This indicates an additional password: the program <tt>/sbin/extra</tt> should be called for further authentication. The program that is called is given the user name and a switch indicating why it was called, and the user must pass it as well. See <tt>/usr/include/shadow/pwauth.h</tt> and the source file <tt>pwauth.c</tt> for more information.
<p>
This is why we should use <tt>pwauth</tt> to perform the actual authentication: it means that secondary authentication works as well.
<p>
The author of the <em>Shadow Suite</em> points out that, because most existing programs do not do this, future versions of the <em>Shadow Suite</em> will remove this feature.
<sect1><heading>Shadow functions
<p>
<tt>shadow.h</tt> declares the functions contained in the <tt>libshadow.a</tt> library:
<code>
extern void setspent __P ((void));
extern void endspent __P ((void));
extern struct spwd *sgetspent __P ((__const char *__string));
extern struct spwd *fgetspent __P ((FILE *__fp));
extern struct spwd *getspent __P ((void));
extern struct spwd *getspnam __P ((__const char *__name));
extern int putspent __P ((__const struct spwd *__sp, FILE *__fp));
</code>
<p>
The function we will use in the example is <tt>getspnam</tt>, which retrieves the <tt>spwd</tt> structure for the supplied user name.
<sect1><heading>Example
<p>
This is an example of adding shadow support to a program that does not have it by default.
<p>
The example uses the <em>Point-to-Point Protocol Server</em> (pppd-1.2.1d), which has a mode in which the account password from the <tt>/etc/passwd</tt> file is used for <em>PAP</em> authentication instead of the <em>PAP</em> or <em>CHAP</em> files. You will not need to add this code to <tt>pppd-2.2.0</tt>, because it is already there.
<p>
This feature of pppd is probably not used very much, but if you install the <em>Shadow Suite</em>, the passwords stored in <tt>/etc/passwd</tt> will no longer work.
<p>
In <tt>pppd-1.2.1d</tt> the authentication code is in the file <tt>/usr/src/pppd-1.2.1d/pppd/auth.c</tt>.
<p>
The following code needs to be added at the top of the file, after all the other <tt>#include</tt> directives; we make these <tt>#includes</tt> conditional on <tt>USE_SHADOW</tt>, the symbol the Makefile change below defines:
<p>
<code>
#ifdef USE_SHADOW
#include <shadow.h>
#include <shadow/pwauth.h>
#endif
</code>
<p>
The next thing to do is change the actual code. We are going to change the <tt>auth.c</tt> file.
<p>
The <tt>auth.c</tt> function before the change:
<code>
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

    /*
     * XXX If no passwd, let them login without one.
     */
    if (pw->pw_passwd[0] == '\0') {
        return (UPAP_AUTHACK);
    }

    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
</code>
<p>
The user's password is placed in <tt>pw->pw_passwd</tt>, so we need to add the <tt>getspnam</tt> function, which puts the password into <tt>spwd->sp_pwdp</tt>.
<p>
We also add the <tt>pwauth</tt> function to perform the actual authentication. This automatically performs secondary authentication when it is set up in the shadow file.
<p>
The <tt>auth.c</tt> function changed to support shadow:
<code>
/*
 * login - Check the user name and password against the system
 * password database, and login the user if OK.
 *
 * This function has been modified to support the Linux Shadow Password
 * Suite if USE_SHADOW is defined.
 *
 * returns:
 *      UPAP_AUTHNAK: Login failed.
 *      UPAP_AUTHACK: Login succeeded.
 * In either case, msg points to an appropriate message.
 */
static int
login(user, passwd, msg, msglen)
    char *user;
    char *passwd;
    char **msg;
    int *msglen;
{
    struct passwd *pw;
    char *epasswd;
    char *tty;
#ifdef USE_SHADOW
    struct spwd *spwd;
#endif

    if ((pw = getpwnam(user)) == NULL) {
        return (UPAP_AUTHNAK);
    }

#ifdef USE_SHADOW
    /* The real password is in /etc/shadow; use it in place of the
     * placeholder that /etc/passwd now holds. */
    spwd = getspnam(user);
    if (spwd)
        pw->pw_passwd = spwd->sp_pwdp;
#endif

    /*
     * XXX If no passwd, do NOT let them login without one.
     */
    if (pw->pw_passwd[0] == '\0') {
        return (UPAP_AUTHNAK);
    }

#ifdef USE_SHADOW
    /* A leading '@' names a secondary authentication program (see
     * pwauth.h); valid() from libshadow does the crypt(3) comparison. */
    if ((pw->pw_passwd[0] == '@'
         && pw_auth(pw->pw_passwd + 1, pw->pw_name, PW_LOGIN, NULL))
        || !valid(passwd, pw)) {
        return (UPAP_AUTHNAK);
    }
#else
    epasswd = crypt(passwd, pw->pw_passwd);
    if (strcmp(epasswd, pw->pw_passwd)) {
        return (UPAP_AUTHNAK);
    }
#endif

    syslog(LOG_INFO, "user %s logged in", user);

    /*
     * Write a wtmp entry for this user.
     */
    tty = strrchr(devname, '/');
    if (tty == NULL)
        tty = devname;
    else
        tty++;
    logwtmp(tty, user, "");             /* Add wtmp login entry */
    logged_in = TRUE;

    return (UPAP_AUTHACK);
}
</code>
<p>
A careful look at the example shows that we made one further change while we were at it. The original version allowed access (returned <tt>UPAP_AUTHACK</tt>) if there was no password at all in the <tt>/etc/passwd</tt> file. This is <em>not</em> good, because the login is performed with an account that is allowed to run the PPP process, and only then is the account password checked: the password supplied via PAP against the account in <tt>/etc/passwd</tt> and the password in <tt>/etc/shadow</tt>.
<p>
So if, with the original version, we had set up a user such as <tt>ppp</tt> that is allowed to run pppd from a shell, then anyone could have obtained a ppp link simply by setting their PAP user to <tt>ppp</tt> with a null password.
<p>
We fixed this by returning <tt>UPAP_AUTHNAK</tt> instead of <tt>UPAP_AUTHACK</tt> when the password field is empty.
<p>
Interestingly, <tt>pppd-2.2.0</tt> has the same problem.
<p>
Next we need to change the Makefile so that two things happen: <tt>USE_SHADOW</tt> must be defined, and <tt>libshadow.a</tt> must be added to the link process.
<p>
Edit the Makefile and add:
<tscreen><verb>
LIBS = -lshadow
</verb></tscreen>
<p>
Then find the line:
<tscreen><verb>
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t
</verb></tscreen>
<p>
and change it to:
<tscreen><verb>
COMPILE_FLAGS = -I.. -D_linux_=1 -DGIDSET_TYPE=gid_t -DUSE_SHADOW
</verb></tscreen>
<p>
Now run make and make install.
<sect><heading>Frequently asked questions
<p>
<em>Q:</em> I set the ttys that <em>root</em> may log in on using the <tt>/etc/securettys</tt> file, but it has no effect at all. How do I fix this?
<p>
<em>A:</em> The <tt>/etc/securettys</tt> file has no meaning once the <em>Shadow Suite</em> is installed. The ttys that <em>root</em> may log in on are set in the login configuration file, <tt>/etc/login.defs</tt>. That file may in turn point to another file.
<p>
<em>Q:</em> I installed the <em>Shadow Suite</em>, and now I cannot log in to the system. Did I miss a step?
<p>
<em>A:</em> You installed the Shadow programs but did not run <tt>pwconv</tt>, or you forgot to copy <tt>/etc/npasswd</tt> to <tt>/etc/passwd</tt> and <tt>/etc/nshadow</tt> to <tt>/etc/shadow</tt>. You also need to copy <tt>login.defs</tt> to <tt>/etc</tt>.
<p>
<em>Q:</em> The xlock section mentions changing the group ownership of the <tt>/etc/shadow</tt> file to <tt>shadow</tt>. I do not have a <tt>shadow</tt> group; what should I do?
<p>
<em>A:</em> You can add one. Simply edit the <tt>/etc/group</tt> file and add a line for the shadow group. You need to make sure the group number is not used by another group, and you need to insert the entry before the <tt>nogroup</tt> entry. Alternatively, you can simply make <tt>xlock</tt> SUID root.
<p>
<em>Q:</em> Is there a mailing list for the Linux Shadow Password Suite?
<p>
<em>A:</em> Yes, but its purpose is the development and testing of the next Shadow Suite release for Linux. You can subscribe by sending email to <tt>shadow-list-request@neptune.cin.net</tt> with <tt>subscribe</tt> in the body of the message. The list discusses the Linux <tt>shadow-YYMMSS</tt> series of releases. You should join if you want to take part in future development, or if you have installed the Suite on your machine and want to hear about new releases.
<p>
<em>Q:</em> I installed the <em>Shadow Suite</em>, but when I use the <tt>userdel</tt> command I get the message "userdel: cannot open shadow group file". What did I do wrong?
<p>
<em>A:</em> You compiled the <em>Shadow Suite</em> with the <tt>SHADOWGRP</tt> option enabled, but you do not have an <tt>/etc/gshadow</tt> file. You need to either edit the <tt>config.h</tt> file and recompile, or create an <tt>/etc/gshadow</tt> file; see the section on shadow groups.
<p>
<em>Q:</em> I installed the <em>Shadow Suite</em>, but I cannot find the encoded passwords in my <tt>/etc/passwd</tt> file. What is wrong?
<p>
<em>A:</em> You probably enabled the <tt>AUTOSHADOW</tt> option in the Shadow <tt>config.h</tt> file, or your <tt>libc</tt> was compiled with the <tt>SHADOW_COMPAT</tt> option. You need to determine which is the problem and then recompile.
<sect><heading>Copyright notice (not yet translated)
<p>
The Linux Shadow Password HOWTO is Copyright (c) 1996 Michael H. Jackson.
<p>
Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies.
<p>
Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copies above, provided a notice clearly stating that the document is a modified version is also included in the modified document.
<p>
Permission is granted to copy and distribute translations of this document into another language, under the conditions specified above for modified versions.
<p>
Permission is granted to convert this document into another media under the conditions specified above for modified versions provided the requirement to acknowledge the source document is fulfilled by inclusion of an obvious reference to the source document in the new media. Where there is any doubt as to what defines 'obvious' the copyright owner reserves the right to decide.
<sect><heading>Miscellaneous and Acknowledgments.
<p>
The code examples for <tt>auth.c</tt> are taken from pppd-1.2.1d and ppp-2.1.0e, Copyright (c) 1993 and The Australian National University and Copyright (c) 1989 Carnegie Mellon University.
<p>
Thanks to Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> for writing and maintaining the <em>Shadow Suite</em> for Linux, and for his review and comments on this document.
<p>
Thanks to Ron Tidd <rtidd@tscnet.com> for his helpful review and testing.
<p>
Thanks to everyone who has sent me feedback to help improve this document.
<p>
Please, if you have any comments or suggestions, then mail them to me.
<p>
Regards,
<p>
<htmlurl url="mailto:mhjack@tscnet.com" name="Michael H. Jackson <mhjack@tscnet.com>">
</article>