A user reported that password login fails with "Permission Denied" and only works again after the password is reset, even though the same password logged in fine a month ago. Two instances show this behaviour.

Possible causes considered:

- SSH server configuration problem
- The server password was changed, or a password-related configuration file was modified
- The password typed over a remote session or VNC was altered on its way into the system
- The user misremembers the password

Checks performed:

1. Inspected /etc/ssh/sshd_config on the instance: it still carries the default configuration, with no abnormal changes.
2. With a snapshot taken beforehand, changed/reset the password and logged in again; login then succeeded.

We know that the hashed password is stored in /etc/shadow, so let us look at how the entry is stored there, using CentOS 7.2 as the example:

  • User login name
  • salt and hashed password OR a status exception value e.g.:
    • "$id$salt$hashed", the printable form of a password hash as produced by crypt (C), where "$id" is the algorithm used. (On GNU/Linux, "$1$" stands for MD5, "$2a$" is Blowfish, "$2y$" is Blowfish (correct handling of 8-bit chars), "$5$" is SHA-256 and "$6$" is SHA-512; other Unix systems may use different values, like NetBSD. Key stretching is used to increase password cracking difficulty, using by default 1000 rounds of modified MD5, 64 rounds of Blowfish, 5000 rounds of SHA-256 or SHA-512. The number of rounds may be varied for Blowfish, or for SHA-256 and SHA-512 by using e.g. "$6$rounds=50000$".)
    • Empty string – No password, the account has no password (reported by passwd on Solaris with "NP").
    • "!" – the account is password locked, user will be unable to log in via password authentication but other methods (e.g. ssh key) may be still allowed.
    • "*LK*" or "*" – the account is locked, user will be unable to log in via password authentication but other methods (e.g. ssh key) may be still allowed.
    • "!!" – the password has never been set (RedHat)
  • Days since epoch of last password change
  • Days until change allowed
  • Days before change required
  • Days warning for expiration
  • Days before account inactive
  • Days since epoch when account expires
ID | Method
-------------------------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
RHEL 6 and newer - python
• Execute the following one-liner:

```shell
$ python -c 'import crypt,getpass; print crypt.crypt(getpass.getpass())'
Password:
$6$Q3dbIWgPMCVBpRZK$QSw1cG41FImM0E8B.Hpx1G8eZGqHALzGg75LLAt.MkFZtVma3MHRGBpFSrXEEdVHwySr8B0JfXAgLHgmpSViI0
```

In short, the above will prompt for input and then interface with python's implementation of the standard crypt() function, generating a shadow-compatible hash by choosing a random salt and the strongest hash method available (SHA-512).
• For documentation, do as the following demonstrates:

```
$ python
Python 2.6.6 (r266:84292, May 1 2012, 13:52:17) [GCC 4.4.6 20110731 (Red Hat 4.4.6-3)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt
>>> help(crypt)
```

RHEL 5 and newer - perl
• Execute the following one-liner:

```perl
$ perl -le 'print "Password:"; system "stty -echo"; chomp($passphrase=<STDIN>); system "stty echo"; @chars = ("a".."z", "A".."Z", 0..9, ".", "/"); $salt .= $chars[rand @chars] for 1..16; print crypt($passphrase, "\$6\$$salt");'
Password:
$6$RDGTu1VHQPH2NLpw$no4LMowmxaJogzYoIUdsfi7pfTz2EtzN//oRmEe12AEWc2h6NPoQwrWA4KYe4W0OSAUaBLOG8K59kzENV2bvY0
```

• Notes on the above perl code:
  ○ This code was tested by the author on RHEL 5 - RHEL 7; however, it is offered without any guarantees or warranty (to use it, ensure the quotation marks and backslashes are kept intact).
  ○ This code generates a SHA512-hashed password string; to use SHA256 instead, change the $6 to a $5.

On the affected instance's disk (mounted under /mnt), we read the stored root entry and recomputed the hash of the password the user supplied, using the salt from that entry:

```shell
# cat /mnt/etc/shadow
root:$6$D9.mVsWm$W9XlxzRHWU6B6KFNaPZQPCkXF0GrL.Cq.zzx2H24qaDC4bphDFZqZtD5G.t1Rz1cegl2tyQAdx9W6iBoJTANc.:17013:0:99999:7:::
# python -c 'import crypt; print crypt.crypt("Spidermanwsx123","$6$D9.mVsWm")'
$6$D9.mVsWm$Y8rVe1915SlIkdwOloHhFedpW2MZ7xYOYHy69jXOoZqyodDm5WJOBP4P/EeLP1BjJlibHwovaHqawTWD05c6o1
```

The recomputed hash (Y8rVe1915...) does not match the stored one (W9XlxzRHWU...), so the password stored on the instance is not "Spidermanwsx123".
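As an added example (not part of the original write-up), the same check done programmatically: parse one shadow line, classify the password field according to the list above, recompute crypt() with the stored "$id$salt" prefix, and compare in constant time. It uses the root entry from the output above as sample input and assumes a glibc-style crypt() that supports $6$; the stdlib crypt module is used where present, with a fallback to libcrypt via ctypes on Python 3.13+, where that module was removed.

```python
import hmac

try:
    import crypt as _crypt_mod  # stdlib module, removed in Python 3.13
    def hash_password(password, setting):
        return _crypt_mod.crypt(password, setting)
except ImportError:  # fall back to libcrypt's crypt(3) via ctypes
    import ctypes, ctypes.util
    _libcrypt = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    _libcrypt.crypt.restype = ctypes.c_char_p
    _libcrypt.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    def hash_password(password, setting):
        out = _libcrypt.crypt(password.encode(), setting.encode())
        return out.decode() if out else ""

# Sample input: the root entry shown in the /mnt/etc/shadow output above.
ROOT_LINE = ("root:$6$D9.mVsWm$W9XlxzRHWU6B6KFNaPZQPCkXF0GrL.Cq.zzx2H24qaDC4bphDFZqZtD5G.t1Rz1cegl2"
             "tyQAdx9W6iBoJTANc.:17013:0:99999:7:::")
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire", "flag")

def parse_shadow_line(line):
    """Split one /etc/shadow line into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, parts))

def account_status(stored):
    """Classify the password field: 'nopass', 'unset', 'locked' or 'hashed'."""
    if stored == "":
        return "nopass"            # empty: the account has no password
    if stored == "!!":
        return "unset"             # Red Hat: password never set
    if stored[0] in "!*":
        return "locked"            # "!", "!<hash>", "*", "*LK*"
    return "hashed"

def salt_prefix(stored):
    """Return the "$id$salt" (or "$id$rounds=N$salt") part of a stored hash."""
    if "$" not in stored:
        return stored[:2]          # classic DES crypt: salt is the first two chars
    return stored[: stored.rindex("$")]

def verify_password(password, stored):
    """True only when crypt(password, prefix) reproduces the stored hash."""
    if account_status(stored) != "hashed":
        return False               # locked/unset entries never verify by password
    return hmac.compare_digest(hash_password(password, salt_prefix(stored)), stored)
```

Running `verify_password("Spidermanwsx123", parse_shadow_line(ROOT_LINE)["hash"])` returns False, which is the mismatch the manual check above found.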
