gpasswd
Posted by 舞夕之 on 2020-07-05 08:18
On Unix-like operating systems, the gpasswd command edits the passwords of groups.
Group passwords are stored in the files /etc/group and /etc/gshadow. /etc/group contains group information, and /etc/gshadow contains encrypted versions of the group information.
Contents:
1 gpasswd operating system environment
2 gpasswd syntax
3 gpasswd examples
gpasswd operating system environment
gpasswd syntax
gpasswd [option] group
Options
(Except for the -A and -M options, the following options cannot be combined.)

-a, --add user
    Add user to the named group.

-d, --delete user
    Remove user from the named group.

-h, --help
    Display help message and exit.

-Q, --root CHROOT_DIR
    Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

-r, --remove-password group
    Remove the password from the named group. The group password will be empty. Only group members will be allowed to use newgrp to join the named group.

-R, --restrict group
    Restrict the access to the named group. The group password is set to "!". Only group members with a password will be allowed to use newgrp to join the named group.

-A, --administrators user,...
    Set the list of administrative users.

-M, --members user,...
    Set the list of group members.
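
To see what the options above leave behind, this added example (not from the original page or the shadow suite) classifies each entry of a gshadow-format file, assuming the standard `group:password:admins:members` layout. `audit_gshadow` is a hypothetical helper, and the sample entries, including the hash strings, are constructed.

```shell
#!/bin/sh
# Added example: audit a gshadow-format file (group:password:admins:members).
# audit_gshadow is a hypothetical helper; on a real host, run it as root on /etc/gshadow.

audit_gshadow() {
    # $1: path to the file to audit
    awk -F: '
    function state(p) {
        if (p == "")          return "empty"       # what gpasswd -r leaves
        if (p ~ /^[!*]/)      return "restricted"  # "!" is what gpasswd -R sets
        if (p ~ /^\$6\$/)     return "sha512"
        if (p ~ /^\$5\$/)     return "sha256"
        if (p ~ /^\$1\$/)     return "md5"
        if (length(p) == 13 && p ~ "^[./0-9A-Za-z]+$") return "des"
        return "unknown"
    }
    NF >= 4 {
        s = state($2)
        # DES and MD5 crypt hashes are cheap to brute-force; flag them for rotation
        flag = (s == "des" || s == "md5") ? " LEGACY-HASH" : ""
        printf "%s password=%s admins=%s members=%s%s\n",
               $1, s, ($3 == "" ? "-" : $3), ($4 == "" ? "-" : $4), flag
    }' "$1"
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
musicians:!::mozart
mathematicians:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:george:george,euler
yankees:::
legacy:abCONSTRUCTED:root:hope
EOF
audit_gshadow "$sample"
rm -f "$sample"
```

The third field is what -A sets and the fourth is what -M sets, so the output also shows who can administer each group.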
Configuration
The following configuration variables in /etc/login.defs change the behavior of gpasswd:

ENCRYPT_METHOD (string)
    This defines the system default encryption algorithm for encrypting passwords (if no algorithm is specified on the command line).
    It can take one of these values: DES (default), MD5, SHA256, SHA512.
    This parameter overrides the MD5_CRYPT_ENAB variable.
    Note: This only affects the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM configuration. It is recommended to set this variable consistently with the PAM configuration.

MAX_MEMBERS_PER_GROUP (number)
    Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name, same password, and same GID).
    The default value is 0, meaning that there is no limit on the number of members in a group.
    This feature (split group) makes it possible to limit the length of lines in the group file. This is useful to make sure that lines for NIS groups are not larger than 1024 characters.
    If you need to enforce such a limit, you can use 25.
    Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really need it.

MD5_CRYPT_ENAB (boolean)
    Indicates whether passwords must be encrypted using the MD5-based algorithm. If set to yes, new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings. Set to no if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default value is no.
    This variable is superseded by the ENCRYPT_METHOD variable or by any command line option used to configure the encryption algorithm.
    This variable is deprecated. You should use ENCRYPT_METHOD instead.
    Note: This only affects the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM configuration. It is recommended to set this variable consistently with the PAM configuration.

SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS (number)
    When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line). With a lot of rounds, it is more difficult to brute force the password. But note also that more CPU resources will be needed to authenticate users.
    If not specified, the libc will choose the default number of rounds (5000).
    The values must be inside the 1000-999,999,999 range.
    If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.
    If SHA_CRYPT_MIN_ROUNDS is greater than SHA_CRYPT_MAX_ROUNDS, the highest value will be used.
    Note: This only affects the generation of group passwords. The generation of user passwords is done by PAM and subject to the PAM configuration. It is recommended to set this variable consistently with the PAM configuration.
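
The precedence rules described above, applied to a login.defs file, as an added example that is not part of the original page or the shadow suite. `group_hash_policy` is a hypothetical helper, the sample file is constructed, and the code assumes that the last assignment of a variable wins.

```shell
#!/bin/sh
# Added example: resolve the group-password hashing policy from a login.defs file.
# group_hash_policy is a hypothetical helper; assumes the last assignment wins.

group_hash_policy() {
    # $1: path to a login.defs-format file ("NAME value" lines, "#" comments)
    awk '
    function oor(x) { return x != "" && (x + 0 < 1000 || x + 0 > 999999999) }
    /^[ \t]*#/ || NF < 2 { next }
    { v[$1] = $2 }
    END {
        m = v["ENCRYPT_METHOD"]
        if (m == "")    # unset: the deprecated MD5_CRYPT_ENAB decides, else DES
            m = (tolower(v["MD5_CRYPT_ENAB"]) == "yes") ? "MD5" : "DES"
        out = "method=" m
        if (m == "SHA256" || m == "SHA512") {
            lo = v["SHA_CRYPT_MIN_ROUNDS"]; hi = v["SHA_CRYPT_MAX_ROUNDS"]
            if (lo == "" && hi == "")   r = "libc-default"
            else if (lo == "")          r = hi         # only one set: use it
            else if (hi == "")          r = lo
            else if (lo + 0 >= hi + 0)  r = lo         # min > max: highest value
            else                        r = lo "-" hi  # range as configured
            out = out " rounds=" r
            if (oor(lo) || oor(hi)) out = out " OUT-OF-RANGE"
        } else if (m == "DES" || m == "MD5") {
            out = out " LEGACY-HASH"    # cheap to brute-force, no rounds setting
        }
        print out
    }' "$1"
}

# Constructed sample: a misordered MIN/MAX pair, as covered by the last rule above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed login.defs fragment
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 100000
SHA_CRYPT_MAX_ROUNDS 5000
EOF
group_hash_policy "$sample"
rm -f "$sample"
```

An empty or comment-only file resolves to DES, which is why a host with no explicit ENCRYPT_METHOD is worth flagging in a configuration audit.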
gpasswd examples
gpasswd -a mozart musicians
Adds the user mozart to the group musicians.
gpasswd -A george mathematicians
Gives the user george administrative rights to the group mathematicians.
gpasswd -d hope yankees
Removes the user hope from the group yankees.