shell - 使用 crypt 密码生成的 Useradd

Question

我正在编写一个我认为非常简单的脚本，用于使用“useradd”动态创建 FTP 用户。这个过程中有几个部分我不熟悉，而且一整天的研究并没有让我走得太远。这是我所拥有的:

password="pass"
pass=$(perl -e 'print crypt($ARGV[0], "wtf")' $password)
useradd -d HOME_DIR -s /bin/bash -g GROUP -p $pass -f -1 testing

注释

1. HOME_DIR 和 GROUP 是占位符
2. 我对“useradd”的 home/base_dir(-d、-b)或组(-g)功能没有任何问题

主题:

1. 为什么我的密码生成工作不起作用？
2. /bin/bash 是纯 FTP 用户使用的正确 shell，还是我会使用/bin/false 或其他 shell？
3. 默认情况下，useradd 会禁用帐户，直到他们提供自己的密码为止，我该如何绕过此操作？
4. 我不想使用 passwd 实用程序，因为它会削弱我自动生成 FTP 帐户的能力，我找到了解决方案 here ，但我不明白解决方案

如果我的做法完全错误，或者我想做的事情不可能实现，或者我对此处所述的内容有误解，请告诉我。感谢您提供任何帮助。 :D

Answer 1

关于密码生成:

32.3 Encrypting Passwords

• Function: char * crypt (const char *key, const char *salt)

  The crypt function takes a password, key, as a string, and a salt character array which is described below, and returns a printable ASCII string which starts with another salt. It is believed that, given the output of the function, the best way to find a key that will produce that output is to guess values of key until the original value of key is found.

  The salt parameter does two things. Firstly, it selects which algorithm is used, the MD5-based one or the DES-based one. Secondly, it makes life harder for someone trying to guess passwords against a file containing many passwords; without a salt, an intruder can make a guess, run crypt on it once, and compare the result with all the passwords. With a salt, the intruder must run crypt once for each different salt.

  For the MD5-based algorithm, the salt should consist of the string $1$, followed by up to 8 characters, terminated by either another $ or the end of the string. The result of crypt will be the salt, followed by a $ if the salt didn't end with one, followed by 22 characters from the alphabet ./0-9A-Za-z, up to 34 characters total. Every character in the key is significant.

  For the DES-based algorithm, the salt should consist of two characters from the alphabet ./0-9A-Za-z, and the result of crypt will be those two characters followed by 11 more from the same alphabet, 13 in total. Only the first 8 characters in the key are significant.

  The MD5-based algorithm has no limit on the useful length of the password used, and is slightly more secure. It is therefore preferred over the DES-based algorithm.

  When the user enters their password for the first time, the salt should be set to a new string which is reasonably random. To verify a password against the result of a previous call to crypt, pass the result of the previous call as the salt.

根据您的系统，可能还存在 Blowfish 或 SHA-2 系列crypt，并且出于安全考虑，可能会禁用传统 DES。 PAM 也可以在这里添加自己的复杂性。

     ID       |    Method  -------------------------------     1        |  MD5 (Linux, BSD)     2a       |  Blowfish (OpenBSD)     md5      |  Sun MD5     5        |  SHA-256 (Linux, since glibc 2.7)     6        |  SHA-512 (Linux, since glibc 2.7)

话虽如此，

root# useradd -d / -g users -p $(perl -e'print crypt("foo", "aa")') -M -N foouser$ su - fooPassword: foofoo$ ^Droot# userdel foo

在我的系统上运行得很好。

<小时/>

关于 shell :

/sbin/nologin 对于无法登录的用户来说是传统的。您必须仔细检查 FTP 守护程序的配置，看看是否将它们排除在 FTP 访问之外。

<小时/>

关于被禁用的帐户:

如上所示，如果给定一个有效的密码，这对我来说是有效的。

<小时/>

关于其他解决方案:

您对替代解决方案有什么不明白的地方？我觉得很清楚。

只需将“用户名:密码”通过管道传输到“chpasswd”即可。

<小时/>

如果您想要仅限 FTP 的用户，我建议您使用支持虚拟用户的 FTP 守护程序，如 glftpd , Pure-FTPd , ProFTPD , vsftpd ，...实际上似乎所有常见的都是如此。这样，FTP 帐户不需要真正的系统帐户。