Safe ways to change passwords: multiple ways to avoid interaction

Regularly changing the password of the system is a very important security common sense. Generally, we use commands such as passwduser to change user passwords. However, this will enter the interactive mode, although it is not very convenient to use scripts in batches. Unless you use software like expect to change the password, do you need to install a separate software package to change the password? No, we may have many other ways to avoid interaction. Let’s write down the specific implementation method in detail:

The first type:

echo "123456"|passwd--stdinroot

Advantages: Convenient and fast

Disadvantages: If the command you enter can be captured by others through history or other methods, this method is very unsafe redflag linux. More importantly, if the password contains both single colons and double colons, it will not be possible. Change in these ways.

Description:

Change Linux passwords in batches passwd--stdinuser reads passwords from standard input, so users can use methods such as echoNewPasswd|passwd--stdinusername in scripts to batch change passwords. However, in some other distributions (such as Debian/Suse) The passwd provided does not support the --stdin parameter

The second type:

a. First write the username and password together into a temporary file.

catchpass.txt

root:123456

zhaohang:123456

b. Use the following command to change the user password:

chpasswd

c. You can use 123456 to log in to the system and the password has been changed.

Advantages: You can change multiple user passwords quickly and easily

Disadvantages: Writing plain text passwords in files has always become insecure, and prevents the first change form from having special string passwords.

The third type:

a. Use opensslpasswd-1 to generate the user password and write it into the file together with the user name.

catchpass.txt

root:$1$ri2hceVU$WIf.firUBn97JKswK9ExO0

zhaohang:$1$i/Gou7.v$Bh2K6sXmxV6/UCxJz8N7b.

b. Use the following command to change the user password:

chpasswd-e

c. You can use 123456 to log in to the system and the password has been changed.

Advantages: You can change multiple user passwords quickly and easily

Disadvantages: Compared with the previous two, security is greatly improved

Additional introduction:

The opensslpasswd-1 command can output the password on the shadow. Change the secret string generated by this command to the password in your shadow. Then you can log in with the password you generated when you logged in to the system last time. Use this command, Although the password is the same, the password string generated by multiple executions is also different. The password corresponding to that hash value is completely random and 28 bits long based on a 64-bit character encoding, so it is very difficult to crack it without creating an account using the hash value that has been published, even though the password file is published. It's also relatively safe. Using old unix hashes removes the -1 parameter.

[root@WEB01~]#opensslpasswd-1

Password:123456

Verifying-Password:123456

$1$ri2hceVU$WIf.firUBn97JKswK9ExO0

You can also use the following command to generate it directly:

[root@WEB01~]#opensslpasswd-1123456

[root@WEB01~]#opensslpasswd-1-salt"yoctor"123456

You can enter whatever you want for the salt in the command inside

Since the password cipher text is encrypted by MD5 when setting the password Linux batch modification extension , when forming the hash value, the system will add salt to the cipher text and the cipher text cannot be reversely deciphered.

When passwd is encrypted, the salt added by the system is the time

Start the script on RedhatRedflagcentosfclinux system

Sequentially:

Step 1: Start vmlinuz through /boot/vm

Step 2: init/etc/inittab

Step 3: Start the corresponding scriptLinux to batch modify extensions, and open the terminal

rc.sysinit

rc.d (the script above)

rc.local

Step 4: Start the login interface to log in

Step 5: The order of executing the sh script when the user logs in: It will be fully executed every time the user logs in

/etc/profile.d/file

/etc/profile

/etc/bashrc

/root/.bashrc

/root/.bash_profile

//

Since there are no chpasswd and useradd commands in embedded systems, and some versions of the first method do not support --stdin, the following method can be used instead

Add the following linux vps to /etc/profile, you can enter the normal user civintec after booting, instead of logging in as root by default

passwdroot

The above is the detailed content of Safe ways to change passwords: multiple ways to avoid interaction. For more information, please follow other related articles on the PHP Chinese website!