1. Introduction
Authentication
Authorization
Auditing
2. Linux users
2.1 User categories
Administrator: root
Ordinary users: system users and login users
2.2 User identifier: UserID, abbreviated UID
By default a Linux user identifier is a 16-bit binary number, in the range 0-65535;
Administrator UID: 0
Ordinary user UIDs: 1-65535
System user UIDs: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login user UIDs: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Translation between a username and its UID is done by looking up the name-resolution database /etc/passwd;
3. Linux user groups
3.1 Group category 1
Administrator group
Ordinary groups: system groups and login groups
3.2 Group identifier: GroupID, GID
Administrator group GID: 0
Ordinary group GIDs: 1-65535
System group GIDs: 1-499 (CentOS 6), 1-999 (CentOS 7)
Login group GIDs: 500-60000 (CentOS 6), 1000-60000 (CentOS 7)
Translation between a group name and its GID is done by looking up the name-resolution database /etc/group;
3.3 Group category 2
A user's primary group
A user's supplementary groups
3.4 Group category 3
Private group: the group name is the same as the username, and the group contains only that one user;
Public group: the group contains multiple users;
4. Authentication information
4.1 Authentication compares the credential stored in advance with the information supplied at login and checks that the two match;
Linux password files:
/etc/passwd ;
/etc/gpasswd ;
4.2 Password policy
>> Use random passwords;
>> The minimum length should not be less than 8 characters;
>> Use at least three of the four character classes: uppercase letters, lowercase letters, digits and punctuation;
>> Change passwords regularly;
4.3 Three categories of cryptographic algorithm
Data before encryption is called plaintext (plain text); data after encryption is called ciphertext (cipher text);
> Symmetric encryption: the same key is used for encryption and decryption;
> Asymmetric encryption: encryption and decryption use a key pair;
## Key pair:
### Public key
### Private key
> One-way encryption (hashing): can only encrypt, never decrypt; it extracts a fingerprint (feature code) of the data;
### Fixed-length output;
### Avalanche effect;
##### One-way hashing algorithms:
A salt (a random value) is mixed in when the hash is computed;
md5 : id number 1, message digest, 128 bits;
sha : id number 2, secure hash algorithm, 160 bits;
sha224 : id number 3;
sha256 : id number 4;
sha384 : id number 5;
sha512 : id number 6;
One-way hashing, example 1 (changing a single character changes the whole digest):
```
[root@localhost ~]# echo "hello word." | md5sum
4b5aed0c1df64b1930d69fe77d3545de  -
[root@localhost ~]# echo "hello word?" | md5sum
ea488c4115b9f893ea16dcd9ca2e2435  -
```
One-way hashing algorithm variants, example 2 (shell tab completion after typing `sha`):
```
[root@localhost ~]# sha
sha1sum    sha224sum  sha256sum  sha384sum  sha512sum
```
One-way hashing algorithm variants, example 3 (the same input, three digest lengths):
```
[root@localhost ~]# echo "lucifer" | sha224sum
dff91f0c50081729ef85ceae2007cb9153e270896bc046fbf0bbff71  -
[root@localhost ~]# echo "lucifer" | sha384sum
4567903f2382fa987a2a0b947cb11a69fd3b422e3d9bb427f62224170b9f78aef4f802d3fe0a4a3cb92cda9c9bc4b28a  -
[root@localhost ~]# echo "lucifer" | sha512sum
6ef4edbb979197bb3fd207e4dc558c5df0db83cbe3f52658d0149aa1aeb9447c2634c229a50e049fd2ed5a5b81bec9817fe465a3c28248a67d86dfb80c5b507a  -
```
One-way hashing with a salt, example 4:
Create two users and give them the same password. In the password file, the text between the two '$' signs in the fields '$zEF20aSR$' and '$XaEJxoZC$' is the random salt that was added;
the string following the salt is the ciphertext produced by hashing the password together with that salt, which is why the same password yields two different hashes;
```
[root@localhost ~]# useradd centos
[root@localhost ~]# passwd centos
Changing password for user centos.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# useradd redhat
[root@localhost ~]# passwd redhat
Changing password for user redhat.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# tail -3 /etc/shadow
epmd:!!:17609::::::
centos:$6$zEF20aSR$P1CINayNU8p/CJnHQQuyWLQ4YuDZpCbLi0l3flWRy.nyDqjebDbPDNRAz6pjxs2BF2RVAW.rDU72Cu.fctq8I.:17610:0:99999:7:::
redhat:$6$XaEJxoZC$/HBkFsCXQwFPLSeuizFLEq7siB6qlC72kRHWbBSSzIQi9ruls40y2ohxZ/gUKdi6TNtxLeON7kDwW9rJMUEYT.:17610:0:99999:7:::
```
5. User account databases
### /etc/passwd
```
[root@localhost ~]# tail -2 /etc/passwd
centos:x:1000:1000::/home/centos:/bin/bash
redhat:x:1001:1001::/home/redhat:/bin/bash
```
Field meanings (7 fields, colon-separated):
`name:password:UID:GID:GECOS:directory:shell`
1. name : the username
2. password : either the encrypted password or the placeholder x (the real hash then lives in /etc/shadow);
3. UID
4. GID
5. GECOS : comment/description text for the user;
6. directory : the user's home directory;
7. shell : the default shell started when the user logs in;
### /etc/shadow
```
[root@localhost ~]# head -2 /etc/shadow && tail -2 /etc/shadow && sed -n 15p /etc/shadow
root:$6$v6IPYYwgnkk8uEiM$qQ0dArrh3VZcSnVeSmTiIgY3RHPA8fuW1Q.lNYzUoEy91qqI/5quXRbDIum2FqySW1r.O8CGWatZvL.G3xAhG.::0:99999:7:::
bin:*:17110:0:99999:7:::
centos:$6$zEF20aSR$P1CINayNU8p/CJnHQQuyWLQ4YuDZpCbLi0l3flWRy.nyDqjebDbPDNRAz6pjxs2BF2RVAW.rDU72Cu.fctq8I.:17610:0:99999:7:::
redhat:$6$XaEJxoZC$/HBkFsCXQwFPLSeuizFLEq7siB6qlC72kRHWbBSSzIQi9ruls40y2ohxZ/gUKdi6TNtxLeON7kDwW9rJMUEYT.:17610:0:99999:7:::
dbus:!!:17526::::::
```
Field meanings (9 fields, colon-separated):
`login name:encrypted password:date of last password change:minimum password age:maximum password age:password warning period:password inactivity period:account expiration date:reserved field`
1. login name : must be a valid account name that exists on the system.
2. encrypted password : refer to crypt(3) for details on how this string is interpreted. If the password field contains a string that is not a valid result of crypt(3), for instance `!` or `*`, the user will not be able to log in with a Unix password (but may still log in by other means). The field may be empty, in which case no password is required to authenticate as this login name; however, some applications that read /etc/shadow may decide not to permit any access at all if the password field is empty. A password field that starts with an exclamation mark means the password is locked; the remaining characters on the line are the password field as it was before it was locked.
3. date of last password change : expressed as the number of days since Jan 1, 1970. The value 0 has a special meaning: the user must change the password at the next login. An empty field means that password aging is disabled.
4. minimum password age : the number of days the user has to wait before being allowed to change the password again. An empty field or the value 0 means there is no minimum password age.
5. maximum password age : the number of days after which the user must change the password. After this many days have elapsed the password may still be valid, but the user should be asked to change it at the next login. An empty field means there is no maximum password age, no password warning period and no password inactivity period (see below). If the maximum password age is lower than the minimum password age, the user cannot change the password.
6. password warning period : the number of days before the password expires (see the maximum password age above) during which the user is warned. An empty field or the value 0 means there is no warning period.
7. password inactivity period : the number of days after the password has expired (see the maximum password age above) during which it is still accepted (the user should update the password at the next login). Once the password has expired and this grace period has also elapsed, no login is possible with the current password and the user must contact the administrator. An empty field means that no inactivity period is enforced.
8. account expiration date : expressed as the number of days since Jan 1, 1970. Note that account expiration differs from password expiration: when the account has expired the user is not allowed to log in at all, whereas when the password has expired the user is only prevented from logging in with that password. An empty field means the account never expires. The value 0 should not be used, since it is interpreted either as an account with no expiration or as expiration on Jan 1, 1970.
9. reserved field : reserved for future use.
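The record formats described in this section and the salt field discussed in section 4.3, worked through as an added Python example (not code from the original post): it splits /etc/passwd and /etc/shadow records, classifies UIDs with the CentOS 6/7 boundaries given above, interprets the password field (hashed with its id and salt, locked, empty, or not a crypt(3) string), and derives the password expiry date from the day-count fields. The sample records are constructed in the layout shown above, and the CentOS 7 ranges are the assumed default.

```python
from datetime import date, timedelta

# Constructed sample records in the layout shown above (CentOS 7 numbering assumed).
PASSWD_LINE = "centos:x:1000:1000::/home/centos:/bin/bash"
SHADOW_LINES = [
    "centos:$6$zEF20aSR$P1CINayNU8p/CJnHQQuyWLQ4YuDZpCbLi0l3flWRy.nyDqjebDbPDNRAz6pjxs2BF2RVAW.rDU72Cu.fctq8I.:17610:0:99999:7:::",
    "bin:*:17110:0:99999:7:::",   # "*" is not a crypt(3) result: no password login
    "dbus:!!:17526::::::",        # "!" prefix: locked; aging fields all empty
]
EPOCH = date(1970, 1, 1)          # shadow dates are day counts since this date


def classify_uid(uid, centos=7):
    """Root is 0; the system/login boundary is 500 on CentOS 6 and 1000 on CentOS 7."""
    boundary = 500 if centos == 6 else 1000
    return "root" if uid == 0 else "system" if uid < boundary else "login"


def parse_passwd(line):
    """Split the 7 colon-separated fields of an /etc/passwd record."""
    name, password, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    return {"name": name, "password": password, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def password_status(field):
    """Interpret the encrypted-password field the way crypt(3) and login do."""
    if field == "":
        return {"state": "empty"}      # no password required: flag this in an audit
    if field.startswith("!"):
        return {"state": "locked", "previous": field.lstrip("!")}
    if field.startswith("$"):          # "$6$zEF20aSR$hash" -> id 6, salt zEF20aSR
        _, algo_id, salt, digest = field.split("$", 3)
        return {"state": "hashed", "algorithm_id": algo_id, "salt": salt, "digest": digest}
    return {"state": "no-unix-login"}  # e.g. "*": not a valid crypt(3) string


def parse_shadow(line):
    """Split the 9 fields of an /etc/shadow record; empty day fields become None."""
    f = line.rstrip("\n").split(":")
    def days(s):
        return int(s) if s else None   # empty field means the feature is disabled
    return {"name": f[0], "password": password_status(f[1]), "last_change": days(f[2]),
            "min_age": days(f[3]), "max_age": days(f[4]), "warn_days": days(f[5]),
            "inactive_days": days(f[6]), "account_expires": days(f[7])}


def password_expiry(rec):
    """Date by which the password must be changed, or None when aging is disabled."""
    if rec["last_change"] is None or rec["max_age"] is None:
        return None
    if rec["last_change"] == 0:        # 0 means "change at next login": already due
        return EPOCH
    return EPOCH + timedelta(days=rec["last_change"] + rec["max_age"])
```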
### /etc/group
```
[root@localhost ~]# head -1 /etc/group && sed -n 13p /etc/group
root:x:0:
mail:x:12:postfix
```
Field meanings (4 fields, colon-separated):
`group_name:password:GID:user_list`
1. group_name : the group name
2. password : the group password field
3. GID
4. user_list : the group's members, i.e. the list of users that have this group as a supplementary group;