Useradd 使用 crypt 密码生成 [英] Useradd using crypt password generation

查看:22
本文介绍了Useradd 使用 crypt 密码生成的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在编写一个我认为非常简单的脚本来使用useradd"动态创建 FTP 用户.这个过程的几个部分我不熟悉,一整天的研究并没有让我走得太远.这是我所拥有的:

password="pass"pass=$(perl -e 'print crypt($ARGV[0], "wtf")' $password)useradd -d HOME_DIR -s/bin/bash -g GROUP -p $pass -f -1 测试

注意事项

  1. HOME_DIR 和 GROUP 是占位符
  2. 'useradd' 的 home/base_dir (-d, -b) 或组 (-g) 功能没有问题

主题:

  1. 为什么我的密码生成工作不起作用?
  2. /bin/bash 是纯 FTP 用户使用的正确 shell,还是我会使用/bin/false 或不同的 shell?
  3. 默认情况下,useradd 会禁用一个帐户,直到他们提供自己的密码,我该如何绕过这个?
  4. 我不想使用 passwd 实用程序,因为它削弱了我自动生成 FTP 帐户的能力,我找到了解决此问题的方法 这里,但我不明白解决方案

让我知道我是否将这一切都搞错了,或者我试图做的事情是不可能的,或者我是否被误导了我在此陈述的任何内容.感谢您提供任何帮助.:D

解决方案

关于密码生成:

<块引用>

32.3 加密密码

  • 函数:char * crypt (const char *key, const char *salt)

    crypt 函数将密码 key 作为字符串和一个如下所述的 salt 字符数组,并返回一个以另一种盐开头的可打印 ASCII 字符串.据信,给定函数的输出,找到将产生该输出的 key 的最佳方法是猜测 key 的值直到 key 的原始值em>key 找到了.

    salt 参数做了两件事.首先,它选择使用哪种算法,是基于 MD5 的算法还是基于 DES 的算法.其次,它使试图对包含许多密码的文件猜测密码的人变得更加困难;如果没有 salt,入侵者可以猜测,在其上运行一次 crypt,并将结果与​​所有密码进行比较.使用 salt,入侵者必须为每个不同的 salt 运行一次 crypt.

    对于基于 MD5 的算法,salt 应由字符串 $1$ 组成,后跟最多 8 个字符,以另一个 $<结尾/code> 或字符串的结尾.crypt 的结果将是 salt,如果 salt 不是以 1 结尾,则后跟 $,然后是字母表中的 22 个字符 ./0-9A-Za-z,总共最多 34 个字符.key 中的每个字符都很重要.

    对于基于 DES 的算法,salt 应包含字母表 ./0-9A-Za-z 中的两个字符,以及 的结果>crypt 将是这两个字符后跟来自同一字母表的另外 11 个字符,总共 13 个.只有 key 中的前 8 个字符有意义.

    基于 MD5 的算法对所用密码的有用长度没有限制,安全性稍高.因此它优于基于 DES 的算法.

    当用户第一次输入密码时,salt 应该设置为一个相当随机的新字符串.要根据先前调用 crypt 的结果验证密码,请将先前调用的结果作为 salt 传递.

根据您的系统,也可能存在 Blowfish 或 SHA-2 系列 crypt,并且出于安全考虑,可能会禁用传统的 DES.PAM 也可以在这里添加自己的复杂性.

<上一页>身份证 |方法-------------------------------------------1 |MD5(Linux、BSD)2a |河豚 (OpenBSD)md5 |孙 MD55 |SHA-256(Linux,自 glibc 2.7 起)6 |SHA-512(Linux,自 glibc 2.7 起)

话虽如此,

<上一页>root# useradd -d/-g users -p $(perl -e'print crypt("foo", "aa")') -M -N foo用户$ su - foo密码:foo富$ ^Droot# userdel foo

在我的系统上运行良好.

<小时>

关于外壳:

/sbin/nologin 是传统的登录禁用用户.您必须仔细检查 FTP 守护程序的配置,看看是否将它们排除在 FTP 访问之外.

<小时>

关于被禁用的帐户:

如上所示,如果给定有效密码,对我有用.

<小时>

关于其他解决方案:

您对替代解决方案有哪些不了解的地方?对我来说似乎很清楚.

只需将username:password"输入chpasswd".

<小时>

如果您想要仅使用 FTP 的用户,我建议使用支持虚拟用户的 FTP 守护程序,例如 glftpd, 纯 FTPd, ProFTPD, vsftpd, ...实际上似乎所有常见的都有.这样,FTP 帐户就不需要真实的系统帐户.

I am working on what I thought was a very simple script to dynamically create an FTP user using 'useradd' There are several parts of this process I am unfamiliar with, and an entire day's research has not gotten me too far. Here is what I have:

password="pass"
pass=$(perl -e 'print crypt($ARGV[0], "wtf")' $password)
useradd -d HOME_DIR -s /bin/bash -g GROUP -p $pass -f -1 testing

Notes

  1. HOME_DIR and GROUP are placeholders
  2. I am not having issues with the home/base_dir (-d, -b) or group (-g) functionality of 'useradd'

Topics:

  1. Why are my password generation efforts not working?
  2. is /bin/bash the correct shell to use for a purely FTP user, or would I use /bin/false or a different shell?
  3. By default, useradd disables an account until they provide their own password, how do I bypass this?
  4. I do not want to use the passwd utility as it cripples my ability to automagically generate FTP accounts, I found a solution to this here, but I do not understand the solution

Let me know if I am going about this all wrong, or if what I am trying to do is not possible or if I am misinformed about anything I have stated herein. Thank you for any help you can provide. :D

解决方案

Regarding password generation:

32.3 Encrypting Passwords

  • Function: char * crypt (const char *key, const char *salt)

    The crypt function takes a password, key, as a string, and a salt character array which is described below, and returns a printable ASCII string which starts with another salt. It is believed that, given the output of the function, the best way to find a key that will produce that output is to guess values of key until the original value of key is found.

    The salt parameter does two things. Firstly, it selects which algorithm is used, the MD5-based one or the DES-based one. Secondly, it makes life harder for someone trying to guess passwords against a file containing many passwords; without a salt, an intruder can make a guess, run crypt on it once, and compare the result with all the passwords. With a salt, the intruder must run crypt once for each different salt.

    For the MD5-based algorithm, the salt should consist of the string $1$, followed by up to 8 characters, terminated by either another $ or the end of the string. The result of crypt will be the salt, followed by a $ if the salt didn't end with one, followed by 22 characters from the alphabet ./0-9A-Za-z, up to 34 characters total. Every character in the key is significant.

    For the DES-based algorithm, the salt should consist of two characters from the alphabet ./0-9A-Za-z, and the result of crypt will be those two characters followed by 11 more from the same alphabet, 13 in total. Only the first 8 characters in the key are significant.

    The MD5-based algorithm has no limit on the useful length of the password used, and is slightly more secure. It is therefore preferred over the DES-based algorithm.

    When the user enters their password for the first time, the salt should be set to a new string which is reasonably random. To verify a password against the result of a previous call to crypt, pass the result of the previous call as the salt.

Depending on your system, there may also be Blowfish or SHA-2 family crypts as well, and it's possible that the traditional DES may be disabled for security. PAM can add its own complications in here too.

     ID       |    Method
  -------------------------------
     1        |  MD5 (Linux, BSD)
     2a       |  Blowfish (OpenBSD)
     md5      |  Sun MD5
     5        |  SHA-256 (Linux, since glibc 2.7)
     6        |  SHA-512 (Linux, since glibc 2.7)

That being said, the

root# useradd -d / -g users -p $(perl -e'print crypt("foo", "aa")') -M -N foo
user$ su - foo
Password: foo
foo$ ^D
root# userdel foo

works just fine on my system.

Regarding the shell:

/sbin/nologin is traditional for login-disabled users. You'll have to double-check your FTP daemon's configuration to see if that excludes them from FTP access.

Regarding the disabled account:

As seen above, works for me, as expected if given a working password.

About the other solution:

What don't you understand about the alternate solution? It seems very clear to me.

Just pipe "username:password" into "chpasswd".

If you want FTP-only users, I would recommend using a FTP daemon that supports virtual users like glftpd, Pure-FTPd, ProFTPD, vsftpd, ... actually it seems that all the common ones do. This way, an FTP account does not require a real system account.

这篇关于Useradd 使用 crypt 密码生成的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆