Useradd使用密码生成密码 [英] Useradd using crypt password generation

问题描述

我正在研究我认为是一个使用'useradd'动态创建FTP用户的非常简单的脚本。我不熟悉这个过程的几个部分，而整整一天的研究并没有让我走得太远。这是我的：

  password =pass
 pass = $（perl -e'print crypt（ $ ARGV [0]，wtf）'$ password）
 useradd -d HOME_DIR -s / bin / bash -g GROUP -p $ pass -f -1测试
  

注意

1. HOME_DIR和GROUP是占位符


2. 我没有使用'useradd'的home / base_dir（-d，-b）或group（-g）功能问题

话题：

1. 为什么我的密码生成工作无法正常工作？


2. 是/ bin / bash是纯粹的FTP用户使用的正确shell，还是使用/ bin / false或不同的shell？


3. 默认情况下，useradd禁用帐户直到他们提供自己的密码，我该怎么绕过这个？


4. 我不想使用passwd实用程序，因为它削弱了我自动生成FTP帐户的能力，我找到了解决方案 here ，但我不明白解决方案

让我知道我是否正在进行这一切的错误，或者如果我想要做的事情是不可能的，或者如果我误解了我在这里陈述的任何事情。感谢您提供任何帮助。 ：D

解决方案

关于密码生成：

32.3加密密码

• 功能：char * crypt （ const char * key，const char * salt p>
  
  

  crypt 函数将一个密码 key 作为一个字符串，并将一个 salt 字符数组，如下所述，并返回一个可打印的ASCII字符串，该字符串以另一个salt开头。相信在给定函数的输出的情况下，找到将产生该输出的键的最佳方式是猜测键的值，直到原始值 key 被找到。

  
  
  

  盐参数做两件事。首先，它选择使用哪种算法，基于MD5的算法或基于DES的算法。其次，如果有人试图对包含许多密码的文件进行密码猜测，这会让生活更加艰难;如果没有盐，入侵者可以进行猜测，在其上运行 crypt 一次，并将结果与​​所有密码进行比较。使用盐，入侵者必须针对每种不同的salt运行 crypt 一次。
  
  

  对于基于MD5的算法，盐应该由字符串 $ 1 $ 组成，后跟最多8个字符，由另一个 $ 或字符串的结尾。如果salt不是以1结尾，那么crypt的结果将是 salt ，接着是 $ ，接着是字母表中的22个字符 ./ 0-9A-Za-z ，最多34个字符。 键中的每个字符都很重要。

  
  
  

  对于基于DES的算法，盐应该由两个来自字母 ./ 0-9A-Za-z 的字符以及 crypt 的结果将是这两个字符其次是来自同一字母表的11个，总共13个。只有键中的前8个字符是有意义的。

  
  
  

  基于MD5的算法对使用的密码的有用长度没有限制，并且稍微安全一些。因此，它优于基于DES的算法。

  
  
  

  当用户第一次输入密码时，盐应设置为一个新的字符串，该字符串是合理随机的。要根据先前调用crypt的结果来验证密码，请将前一次调用的结果作为盐进行传递。

根据您的系统，也可能有Blowfish或SHA-2系列 crypt s，传统的DES可能因安全而被禁用。 PAM可以在这里增加自己的复杂功能。

 
 ID |方法
 ------------------------------- 
 1 | MD5（Linux，BSD）
 2a | Blowfish（OpenBSD）
 md5 | Sun MD5 
 5 | SHA-256（Linux，自glibc 2.7以来）
 6 | SHA-512（Linux，自glibc 2.7以来）
 

这就是说，

 
 root＃useradd -d / -g users -p $（perl -e'print crypt（foo，aa）'）-M -N foo 
 user $ su  -  foo 
密码：foo 
 foo $ ^ D 
 root＃userdel foo 
 

---

关于shell：

/ sbin / nologin 对于登录禁用的用户来说是传统的。您必须仔细检查您的FTP守护进程的配置，以查看是否将它们排除在FTP访问之外。

---

关于禁用的帐户：

如上所示，如果给予工作密码，我可以像预期的那样工作。

---

关于其他解决方案：

您对备用解决方案有什么不了解？这看起来很清楚。

只需将用户名：密码输入 chpasswd 。

---

如果你想要FTP用户，我建议使用FTP守护进程，支持虚拟用户，如 glftpd ， Pure-FTPd ， ProFTPD ， vsftpd ，...实际上它似乎是所有常见的做的。这样，一个FTP帐户不需要真正的系统帐户。

I am working on what I thought was a very simple script to dynamically create an FTP user using 'useradd' There are several parts of this process I am unfamiliar with, and an entire day's research has not gotten me too far. Here is what I have:

password="pass"
pass=$(perl -e 'print crypt($ARGV[0], "wtf")' $password)
useradd -d HOME_DIR -s /bin/bash -g GROUP -p $pass -f -1 testing

Notes

1. HOME_DIR and GROUP are placeholders
2. I am not having issues with the home/base_dir (-d, -b) or group (-g) functionality of 'useradd'

Topics:

1. Why are my password generation efforts not working?
2. is /bin/bash the correct shell to use for a purely FTP user, or would I use /bin/false or a different shell?
3. By default, useradd disables an account until they provide their own password, how do I bypass this?
4. I do not want to use the passwd utility as it cripples my ability to automagically generate FTP accounts, I found a solution to this here, but I do not understand the solution

Let me know if I am going about this all wrong, or if what I am trying to do is not possible or if I am misinformed about anything I have stated herein. Thank you for any help you can provide. :D

解决方案

Regarding password generation:

32.3 Encrypting Passwords

• Function: char * crypt (const char *key, const char *salt)

  The crypt function takes a password, key, as a string, and a salt character array which is described below, and returns a printable ASCII string which starts with another salt. It is believed that, given the output of the function, the best way to find a key that will produce that output is to guess values of key until the original value of key is found.

  The salt parameter does two things. Firstly, it selects which algorithm is used, the MD5-based one or the DES-based one. Secondly, it makes life harder for someone trying to guess passwords against a file containing many passwords; without a salt, an intruder can make a guess, run crypt on it once, and compare the result with all the passwords. With a salt, the intruder must run crypt once for each different salt.

  For the MD5-based algorithm, the salt should consist of the string $1$, followed by up to 8 characters, terminated by either another $ or the end of the string. The result of crypt will be the salt, followed by a $ if the salt didn't end with one, followed by 22 characters from the alphabet ./0-9A-Za-z, up to 34 characters total. Every character in the key is significant.

  For the DES-based algorithm, the salt should consist of two characters from the alphabet ./0-9A-Za-z, and the result of crypt will be those two characters followed by 11 more from the same alphabet, 13 in total. Only the first 8 characters in the key are significant.

  The MD5-based algorithm has no limit on the useful length of the password used, and is slightly more secure. It is therefore preferred over the DES-based algorithm.

  When the user enters their password for the first time, the salt should be set to a new string which is reasonably random. To verify a password against the result of a previous call to crypt, pass the result of the previous call as the salt.

Depending on your system, there may also be Blowfish or SHA-2 family crypts as well, and it's possible that the traditional DES may be disabled for security. PAM can add its own complications in here too.

     ID       |    Method
  -------------------------------
     1        |  MD5 (Linux, BSD)
     2a       |  Blowfish (OpenBSD)
     md5      |  Sun MD5
     5        |  SHA-256 (Linux, since glibc 2.7)
     6        |  SHA-512 (Linux, since glibc 2.7)

That being said, the

root# useradd -d / -g users -p $(perl -e'print crypt("foo", "aa")') -M -N foo
user$ su - foo
Password: foo
foo$ ^D
root# userdel foo

works just fine on my system.

---

Regarding the shell:

/sbin/nologin is traditional for login-disabled users. You'll have to double-check your FTP daemon's configuration to see if that excludes them from FTP access.

---

Regarding the disabled account:

As seen above, works for me, as expected if given a working password.

---

About the other solution:

What don't you understand about the alternate solution? It seems very clear to me.

Just pipe "username:password" into "chpasswd".

---

If you want FTP-only users, I would recommend using a FTP daemon that supports virtual users like glftpd, Pure-FTPd, ProFTPD, vsftpd, ... actually it seems that all the common ones do. This way, an FTP account does not require a real system account.

这篇关于Useradd使用密码生成密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！