CentOSのパスワードは/etc/shadowに暗号化されて記録されていますが、この暗号化方式がデフォルトでmd5になっています
MD5 – ウィキペディア – Wikipedia
http://ja.wikipedia.org/wiki/MD5
ただ、このmd5方式はもう簡単に破られることができると言われているので変更してみました
ちなみにCentOS 6からはデフォルトでSHA-512方式が使われているようです
- 現在の暗号化方式の確認
- 暗号化方式をSHA-512に変更
- パスワード確認
- パスワード変更
- パスワード再確認
1 2 3 |
[root@host1 ~]# authconfig --test | grep password shadow passwords are enabled password hashing algorithm is md5 |
以下のコマンドでデフォルトの暗号化方式がmd5からSHA-512に変更になりますが、既存ユーザーに対してはmd5暗号化のままでパスワードが保存されています
1 |
[root@host1 ~]# authconfig --passalgo=sha512 --update |
$1はmd5化された暗号になります
1 2 |
[root@host1 ~]# grep matsuoka /etc/shadow matsuoka:$1$xxxxxxxxxxxxxxxxxxxxxx.1111:0:30:x::: |
1 2 3 4 5 |
[root@host1 ~]# passwd matsuoka Changing password for user matsuoka. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. |
$6がSHA-512になります
1 2 |
[root@ns ~]# grep matsuoka /etc/shadow matsuoka:$6$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/:22222:0:30:::: |
最初の$部分は暗号化方式の種類を表すのに使用されています
$1 – MD5
$2 – blowfish
$2a – eksblowfish
$5 – SHA-256
$6 – SHA-512
【参考】
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
AUTHCONFIG(8) AUTHCONFIG(8) NAME authconfig, authconfig-tui - an interface for configuring system authentication resources SYNOPSIS authconfig [--nostart] [--enablecache] [--disablecache] [--enablenis [--nisdomain domain] [--nisserver namelist] ] [--disablenis] [--enableshadow] [--disableshadow] [--enablemd5] [--disablemd5] [--enableldap [--enableldapauth] [--enableldaptls] [--ldapserver namelist] [--ldapbasedn basedn]] [--disableldap] [--disableldapauth] [--enablekrb5 [ --krb5realm realm ] [--krb5kdc namelist] [--krb5adminserver namelist] [--enablekrb5kdcdns] [--disablekrb5kdcdns] [--enablekrb5realmdns] [--dis- ablekrb5realmdns] ] [--disablekrb5] [--enablehesiod [--hesiodlhs lhs] [--hesiodrhs rhs] ] [--disablehesiod] [--enablesmbauth [--smbworkgroup workgroup] [--smbservers namelist]] [--disablesmbauth] [--enablewinbind [--enablewinbindauth] [--smbsecurity {user|server|domain|ads}] [--smbrealm realm] [--smbidmapuid=range] [--smbidmapgid=range] [--win- bindseparator=\] [--winbindtemplateprimarygroup=group] [--winbindtemplatehomedir=directory] [--winbindtem- plateshell=path] ] [--disablewinbind] [--disablewinbindauth] [--enablewinbindusedefaultdomain] [--disablewinbindusedefaultdomain] [--winbindjoin admin] [--enablewins] [--disablewins] {--test|--update|--probe} DESCRIPTION authconfig provides a simple method of configuring /etc/sysconfig/net- work to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided. If --test action is specified, authconfig can be run by users other then root, and any configuration changes are not saved but printed instead. If --update action is specified, authconfig must be run by root (or through console helper), and configuration changes are saved. The --probe action instructs authconfig to use DNS and other means to guess at configuration information for the current host, print its guesses if it finds them to standard output, and exit. If --nostart is specified (which is what the install program does), ypbind or other daemons will not be started or stopped immediately fol- lowing program execution, but only enabled to start or stop at boot time. The --enablenis, --enableldap, --enablewinbind, and --enablehesiod options are used to configure user information services in /etc/nsswitch.conf, the --enablecache option is used to configure nam- ing services caching, and the --enableshadow, --enablemd5, --enablelda- pauth, --enablekrb5, --enablewinbindauth, and --enablesmbauth options are used to configure authentication functions via /etc/pam.d/system- auth. Each --enable has a matching --disable option that disables the service if it is already enabled. The respective services have parame- ters which configure their server names etc. The algorithm used for storing new password hashes can be specified by the --passalgo option which takes one of the following possible values as a parameter: descrypt, bigcrypt, md5, sha256, and sha512. The --enablelocauthorize option allows to bypass checking network authentication services for authorization and the --enablesysnetauth allows authentication of system accounts (with uid < 500) by these ser- vices. The list of options mentioned here in the manual page is not exhaus- tive, please refer to authconfig --help for the complete list of the options. The authconfig-tui supports all options of authconfig but it implies --update as the default action. Its window contains a Cancel button by default. If --back option is specified at run time, a Back button is presented instead. If --kickstart is specified, no interactive screens will be seen. The values the program will use will be those specified by the other options (--passalgo, --enableshadow, etc.). For namelistyou may substitute either a single name or a comma-sepa- rated list of names. NOTES The authconfig-tui is deprecated. No new configuration settings will be supported by its text user interface. Use system-config-authentication GUI application or the command line options instead. RETURN CODES authconfig returns 0 on success, 2 on error. authconfig-tui returns 0 on success, 2 on error, and 1 if the user can- celled the program (by using either the Cancel or Back button). FILES /etc/sysconfig/authconfig Used to track whether or not particular authentication mechanisms are enabled. Currently includes variables named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH, USESM- BAUTH, USEWINBIND, USEWINBINDAUTH, USEHESIOD, USENIS, USELDAP, and others. /etc/passwd, Used for shadow password support. /etc/yp.conf Configuration file for NIS support. /etc/sysconfig/network Another configuration file for NIS support. /etc/ldap.conf /etc/openldap/ldap.conf Used to configure LDAP (and OpenLDAP, respectively). /etc/krb5.conf Used to configure Kerberos 5. /etc/krb.conf Used to configure Kerberos IV (write-only). /etc/hesiod.conf Used to configure Hesiod. /etc/pam_smb.conf Used to configure SMB authentication. /etc/samba/smb.conf Used to configure winbind authentication. /etc/nsswitch.conf Used to configure user information services. /etc/pam.d/system-auth Common PAM configuration for system services which include it using the include directive. It is created as symlink and not relinked if it points to another file. /etc/pam.d/system-auth-ac Contains the actual PAM configuration for system services and is the default target of the /etc/pam.d/system-auth symlink. If a local configuration of PAM is created (and symlinked from system-auth file) this file can be included there. SEE ALSO passwd(5), shadow(5), pwconv(1), domainname(1), ypbind(8), nss- witch.conf(5), smb.conf(5) AUTHORS Nalin Dahyabhai <nalin@redhat.com>, Preston Brown <pbrown@redhat.com>, Matt Wilson <msw@redhat.com>, Tomas Mraz <tmraz@redhat.com> 4th Berkeley Distribution 5 December 2005 AUTHCONFIG(8) |