BSD HACKS excerpts (1)
I couldn't find a Chinese edition online, so these are notes taken from the English edition.
Let’s start with the copyright information. That’s this part of the default login process:
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
To prevent users from seeing this information, simply:
# touch /etc/COPYRIGHT
Technically, you could add your own information to /etc/COPYRIGHT instead of leaving it as an
empty file. However, it is common practice to put your information in /etc/motd instead. The
default /etc/motd contains very useful information to the new user, but it does get rather old
after a few hundred logins.
You can edit /etc/motd to say whatever suits your purposes—anything from your favorite sci-fi
excerpt to all the nasty things that will happen to someone if they continue to try to log into
your system. Here’s a very simple example:
# more /etc/motd
*********************************************************
***** Authorized users only!! *****
*********************************************************
You’ll note that after you customize your motd, users will still see this text prepended to it:
FreeBSD 5.1-RELEASE (GENERIC) #0: Thu Jun 5 02:55:42 GMT 2003
If you don’t want to advertise your operating system version and kernel information, you’ll need
one more hack. Add this line to /etc/rc.conf:
update_motd="NO"
If you’re using FreeBSD 5.x, you no longer have to reboot or go into single-user mode to
initialize a change to /etc/rc.conf. Instead, you can use one of the many scripts available in
/etc/rc.d. Let’s see if there’s a script that deals with motd:
# ls -F /etc/rc.d | grep motd
motd*
Excellent. Let’s see what syntax that command expects:
# /etc/rc.d/motd
Usage: /etc/rc.d/motd [fast|force](start|stop|restart|rcvar)
Parameters in square brackets are optional, whereas parameters in parentheses are mandatory.
Notice each option is separated by the or symbol (|), meaning you just pick one out of the list.
In our case, we want the rcvar parameter. It does not apply anything; it prints the name of the
rc.conf variable the script honours and the value it currently reads, which is enough to confirm
that the edit took:
# /etc/rc.d/motd rcvar
# motd
$update_motd=NO
Note that update_motd="NO" only stops the script from rewriting the banner at the next boot. The
version line that an earlier boot already put at the top of /etc/motd stays there until you
delete it by hand.
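The following is an added example, not code from BSD Hacks: it finishes the motd hack in one
step by setting update_motd="NO" in an rc.conf-style file (replacing an existing assignment or
appending one) and then removing the kernel banner that a previous boot already wrote as line 1
of the motd. The file paths are parameters so it can be tried on copies; the sample contents and
the assumption that the banner is followed by one blank line (which the rc.d motd script inserts)
are mine, not the book's.

```shell
#!/bin/sh
# Added example (not from BSD Hacks). Disables motd updating in an
# rc.conf-style file and strips the banner line a previous boot left behind.
# Paths are parameters; run it against copies first.

# Set or replace a single KEY="VALUE" assignment in an rc.conf-style file.
set_rcvar() {   # set_rcvar FILE KEY VALUE
    file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        # rewrite through a temp file: sed -i differs between BSD and GNU sed
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Value currently assigned to KEY in FILE (surrounding quotes removed),
# empty output if the variable is not set in that file.
get_rcvar() {   # get_rcvar FILE KEY
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Drop line 1 of MOTD if it is the banner the rc.d motd script prepends
# (a line whose first word is "FreeBSD"), plus the blank line the script
# puts after it (assumption: one blank line follows the banner).
strip_motd_banner() {   # strip_motd_banner MOTD
    motd=$1
    tmp=$(mktemp)
    awk 'NR == 1 && $1 == "FreeBSD" { skip = 1; next }
         skip == 1 && NR == 2 && $0 == "" { next }
         { print }' "$motd" > "$tmp" && cat "$tmp" > "$motd"
    rm -f "$tmp"
}

# The whole hack: stop future updates and remove the banner already present.
disable_motd_update() {   # disable_motd_update RCCONF MOTD
    set_rcvar "$1" update_motd NO
    strip_motd_banner "$2"
}
```

Run it as `disable_motd_update /etc/rc.conf /etc/motd` as root once you are happy with the result on copies; `get_rcvar /etc/rc.conf update_motd` afterwards should print NO.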
The next hack switches password hashing from MD5 to Blowfish. To use Blowfish, start by opening up /etc/login.conf in your favorite editor. Look for this line:
:passwd_format=md5:\
Carefully edit it so it looks like this:
:passwd_format=blf:\
Check for typos before saving your change.
You may have noticed this comment when you modified /etc/login.conf:
# Remember to rebuild the database after each change to this file:
#
# cap_mkdb /etc/login.conf
#
Let's take a closer look at what we're being asked to do. According to that comment, login.conf
is more than a configuration file: it is the source for a capability database, a database that
supports different capabilities. That is the reason behind the weird syntax within login.conf.
Whenever you edit a capability database, you have to run cap_mkdb to compile the text file into
/etc/login.conf.db, which is what the login programs actually consult. Until you do, your edit has
no effect.
So, follow the directions:
# cap_mkdb /etc/login.conf
If you have any existing users, you need to convert their passwords from MD5 to Blowfish. This is
why it’s a good idea to make the change before you create your users.
If you've already created users, it's back to the password database to find all of the active
accounts. Inactive accounts, accounts that don't allow logins, have the * character instead of a
password hash. Since we want to find all of the lines in the password database that do not
contain an asterisk, we need an inverted grep:
# grep -v '*' /etc/master.passwd
root:$1$ywXbyPT/$GC8tXN91c.lsKRpLZori61:0:0::0:0:Charlie &:/root:/bin/csh
dru:$1$GFm1nh6I$jh3v4I.QNf450ARgltZU5.:1008:0::0:0:User &:/home/dru:/bin/csh
Well, that worked, but we could make the output look much prettier:
# grep -v '*' /etc/master.passwd | cut -d ':' -f 1
root
dru
Let’s pick apart that command syntax. grep -v creates a reverse filter. In effect, it says, “Show
me the lines in /etc/master.passwd that do not contain an *.” Since those lines are long and
contain much more than just the username, I piped the output to the cut utility to literally cut
out the portions I don’t need to see. Notice that the usernames are the very first thing in each
line, and they are always followed by the : field separator. -d tells cut to consider the colon
character, not the tab character, as the separator. -f 1 tells cut that I’m interested in the
very first field of that line.
It looks like my particular system has two active accounts: root and dru. Notice in the original
output the long sequence of characters that starts with $1 and ends with :. No, my users'
passwords aren't quite that complex. Rather, you're seeing the password after it's been hashed
with the MD5 algorithm. That $1$ prefix means MD5. It'll be $2a$ after we switch to Blowfish
(later FreeBSD releases emit $2b$). Be aware that you can't convert a hash in place: the password
has to be set again so that it is hashed fresh with the new algorithm.
I’ll now change those two passwords:
# passwd dru
Changing local password for dru
New Password:
Retype New Password:
# passwd
Changing local password for root
New Password:
Retype New Password:
Note that the superuser can change any user's password by specifying the appropriate username. If
you don't specify a name, passwd changes the password of the account you are logged in as, which
here is root.
When you're finished, repeat the original grep -v command and double-check that all of the
password hashes now start with $2a$.
Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing
/etc/auth.conf. Look for this line:
# crypt_default = md5 des
and carefully change it to:
crypt_default = blf
Once you’ve saved your change, test it by creating a new user. The easiest way to do this is to
type adduser and follow the prompts.
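As an added example for the whole Blowfish procedure above (not code from BSD Hacks), here is a
pre-flight check that a practitioner would run before and after the switch: it reads
passwd_format for a login class out of a login.conf-style file, checks that the .db was rebuilt
with cap_mkdb after the last edit, and classifies the hash of every account in a
master.passwd-style file so that accounts still on MD5 stand out. The simplified login.conf parser
does not follow tc= references, and the sample files it writes are constructed for the example
(the two $1$ hashes are the ones shown on this page; the $2a$ string is a placeholder with the
right shape, not a real hash).

```shell
#!/bin/sh
# Added example (not from BSD Hacks): checks for the MD5 -> Blowfish switch.
# Assumption: FreeBSD file layouts (login.conf capability records with "\"
# continuations; 10-field master.passwd lines name:hash:uid:gid:class:...).

# Print the value of capability CAP for login class CLASS in FILE.
# Simplified parser: handles "\" continuations and "name|alias" headers,
# does not follow tc= references (unlike getcap(3)).
login_cap_value() {   # login_cap_value FILE CLASS CAP
    awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/[ \t]+$/, "", line)
            if (line ~ /\\$/) { buf = buf substr(line, 1, length(line) - 1); next }
            rec = buf line; buf = ""
            if (rec ~ /^[ \t]*$/) next
            n = split(rec, f, ":")
            m = split(f[1], names, "|")
            hit = 0
            for (i = 1; i <= m; i++) if (names[i] == class) hit = 1
            if (!hit) next
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+/, "", f[i])
                if (index(f[i], cap "=") == 1) print substr(f[i], length(cap) + 2)
            }
        }' "$1"
}

# Succeed only if FILE.db exists and is not older than FILE, i.e. cap_mkdb
# was run after the most recent edit.
capdb_current() {   # capdb_current FILE
    [ -f "$1.db" ] && [ ! "$1" -nt "$1.db" ]
}

# Print "user scheme" for every account: locked, empty, md5, blowfish
# ($2a$/$2b$ and friends), sha256, sha512, des or unknown.
hash_schemes() {   # hash_schemes MASTER_PASSWD
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2; s = "unknown"
            if (h == "")                    s = "empty"
            else if (h ~ /^\*/ || h ~ /^!/) s = "locked"   # "*" and pw-lock "*LOCKED*"
            else if (h ~ /^\$1\$/)          s = "md5"
            else if (h ~ /^\$2[abxy]?\$/)   s = "blowfish"
            else if (h ~ /^\$5\$/)          s = "sha256"
            else if (h ~ /^\$6\$/)          s = "sha512"
            else if (length(h) == 13 && h !~ /\$/) s = "des"
            print $1, s
        }' "$1"
}

# Accounts that can still log in with a password but are not on Blowfish.
not_blowfish() {   # not_blowfish MASTER_PASSWD
    hash_schemes "$1" | awk '$2 != "locked" && $2 != "blowfish" { print $1 }'
}

# Constructed sample login.conf (not a real system file).
write_sample_login_conf() {   # write_sample_login_conf FILE
    cat > "$1" <<'EOF'
# constructed sample for the example
default:\
    :passwd_format=blf:\
    :copyright=/etc/COPYRIGHT:\
    :welcome=/etc/motd:\
    :umask=022:

staff:\
    :passwd_format=md5:\
    :tc=default:
EOF
}

# Constructed sample master.passwd. root and dru carry the MD5 hashes shown
# on this page; alice's $2a$ string is a shape-only placeholder; bob shows
# the "*LOCKED*" prefix that pw lock adds.
write_sample_master_passwd() {   # write_sample_master_passwd FILE
    cat > "$1" <<'EOF'
# constructed sample for the example
root:$1$ywXbyPT/$GC8tXN91c.lsKRpLZori61:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
dru:$1$GFm1nh6I$jh3v4I.QNf450ARgltZU5.:1008:0::0:0:User &:/home/dru:/bin/csh
alice:$2a$04$ab.cdefghijklmnopqrstu0123456789abcdefghijklmnopqrstu:1009:1009::0:0:Alice &:/home/alice:/bin/sh
bob:*LOCKED*$1$GFm1nh6I$jh3v4I.QNf450ARgltZU5.:1010:1010::0:0:Bob &:/home/bob:/bin/sh
EOF
}
```

On a real system, `login_cap_value /etc/login.conf default passwd_format` should print blf,
`capdb_current /etc/login.conf` should succeed, and `not_blowfish /etc/master.passwd` should
print nothing once every active account has had its password reset. Note that hash_schemes also
treats the `*LOCKED*` prefix as locked, which the page's `grep -v '*'` filter happens to do as well.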