chpasswd批量更新使用者口令
阿新 • • 發佈:2018-12-20
chpasswd - update passwords in batch mode
man 檢視幫助文件,輸入:man chpasswd
CHPASSWD(8) System Management Commands CHPASSWD(8) NAME chpasswd - update passwords in batch mode SYNOPSIS chpasswd [options] DESCRIPTION The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users. Each line is of the format: user_name:password By default the passwords must be supplied in clear-text, and are encrypted by chpasswd. Also the password age will be updated, if present. The default encryption algorithm can be defined for the system with the ENCRYPT_METHOD or MD5_CRYPT_ENAB variables of /etc/login.defs, and can be overwitten with the -e, -m, or -c options. chpasswd first updates all the passwords in memory, and then commits all the changes to disk if no errors occured for any user. This command is intended to be used in a large system environment where many accounts are created at a single time. OPTIONS The options which apply to the chpasswd command are: -c, --crypt-method METHOD Use the specified method to encrypt the passwords. The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods. By default (if none of the -c, -m, or -e options are specified), the encryption method is defined by the ENCRYPT_METHOD or MD5_CRYPT_ENAB variables of /etc/login.defs. -e, --encrypted Supplied passwords are in encrypted form. -h, --help Display help message and exit. -m, --md5 Use MD5 encryption instead of DES when the supplied passwords are not encrypted. -R, --root CHROOT_DIR Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory. -s, --sha-rounds ROUNDS Use the specified number of rounds to encrypt the passwords. The value 0 means that the system will choose the default number of rounds for the crypt method (5000). A minimal value of 1000 and a maximal value of 999,999,999 will be enforced. You can only use this option with the SHA256 or SHA512 crypt method. By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs. CAVEATS Remember to set permissions or umask to prevent readability of unencrypted files by other users. CONFIGURATION The following configuration variables in /etc/login.defs change the behavior of this tool: ENCRYPT_METHOD (string) This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line). It can take one of these values: DES (default), MD5, SHA256, SHA512. Note: this parameter overrides the MD5_CRYPT_ENAB variable. MD5_CRYPT_ENAB (boolean) Indicate if passwords must be encrypted using the MD5-based algorithm. If set to yes, new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings. Set to no if you need to copy encrypted passwords to other systems which don´t understand the new algorithm. Default is no. This variable is superseded by the ENCRYPT_METHOD variable or by any command line option used to configure the encryption algorithm. This variable is deprecated. You should use ENCRYPT_METHOD. SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number) When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line). With a lot of rounds, it is more difficult to brute forcing the password. But note also that more CPU resources will be needed to authenticate users. If not specified, the libc will choose the default number of rounds (5000). The values must be inside the 1000-999,999,999 range. If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used. If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used. FILES /etc/passwd User account information. /etc/shadow Secure user account information. /etc/login.defs Shadow password suite configuration. SEE ALSO passwd(1), newusers(8), login.defs(5), useradd(8).
- chpasswd 是一個批量更新使用者口令的命令
- chpasswd 會從標準輸入批量讀取成對的使用者名稱和密碼,並使用這些資訊來更新現有的一組
使用者 - 從標準輸入讀取的每行資料格式應為 username:password 即使用者名稱和密碼用冒號分隔開
- 預設情況下所提供的密碼必須是明文,並通過chpasswd進行加密
- chpasswd 首先在記憶體中更新密碼,在沒有任何錯誤的情況下才會將更改的密碼更新到磁碟中
- chpasswd 的應用場景主要是在一個比較大的系統環境下,同一時間建立了多個使用者的情況
- 預設的加密演算法可以通過修改/etc/login.defs中ENCRYPT_METHOD變數的值(預設值SHA512),可以通過-e,-m,-c選項覆蓋預設的加密演算法
常用選項如下:
-c 使用指定的方法來加密密碼,可用的方法是DES、MD5、NONE、SHA512(前提是你的系統支援這些加密演算法)
-e 輸入的密碼是加密後的密碼
-m 當提供的密碼沒有加密時,使用MD5代替DES加密
-s 使用指定的rounds數值加密密碼(SHA加密演算法)- 如果指定的數值為0將使用預設的rounds數值5000
- 數值的範圍在1000到999999999之間
- 可以使用-s引數跟上SHA256或SHA512
- 預設的最小和最大rounds定義在/etc/login.defs檔案的SHA_CRYPT_MIN_ROUNDS和SHA_CRYPT_MAX_ROUNDS變數中
配置說明:下面列出的所有配置項都可以通過修改/etc/login.defs中的配置來生效
ENCRYPT_METHOD 該值定義了chpasswd預設的加密演算法,該變數的值可以定義為:DES(預設)、MD5、SHA256、SHA512
SHA_CRYPT_MIN_ROUNDS 當ENCRYPT_METHOD的值定義為SHA256或SHA512時,將使用該變數的值作為SHA加密演算法的最小rounds值
SHA_CRYPT_MAX_ROUNDS 當ENCRYPT_METHOD的值定義為SHA256或SHA512時,將使用該變數的值作為SHA加密演算法的最大rounds值基本使用:
[[email protected] ~]# useradd chtest
[[email protected] ~]# chpasswd
chtest:123456
[[email protected] ~]# echo "chtest:123456" > passwd.txt
[[email protected] ~]# chpasswd < passwd.txt