Is the login password stored on the machine, or only a hashed version of the password?

Is the login password stored on the machine, or only a hashed version of the password? If only a hashed version of the login password is stored, which hashing method is used? And in which folder on the machine is it stored? I am using Ubuntu 22.04.

Answer 1

Per man shadow, which explains how a user's password is stored:

   encrypted password
       This field may be empty, in which case no passwords are required to
       authenticate as the specified login name. However, some
       applications which read the /etc/shadow file may decide not to
       permit any access at all if the password field is empty.

       A password field which starts with an exclamation mark means that
       the password is locked. The remaining characters on the line
       represent the password field before the password was locked.

       Refer to crypt(3) for details on how this string is interpreted.

       If the password field contains some string that is not a valid
       result of crypt(3), for instance ! or *, the user will not be able
       to use a unix password to log in (but the user may log in the
       system by other means).

So in man 3 crypt we see the encryption explained:

DESCRIPTION
     The crypt, crypt_r, crypt_rn, and crypt_ra functions irreversibly 
     “hash” phrase for storage in the system password database (shadow(5)) 
     using a cryptographic “hashing method.” The result of this operation 
     is called a “hashed passphrase” or just a “hash.” Hashing methods are 
     described in crypt(5).

Next, we look at man 5 crypt:

DESCRIPTION
     The hashing methods implemented by crypt(3) are designed only to process user 
     passphrases for storage and authentication; they are not suitable for use as 
     general-purpose cryptographic hashes.

     Passphrase hashing is not a replacement for strong passphrases.  It is always 
     possible for an attacker with access to the hashed passphrases to guess and check 
     possible cleartext passphrases.  However, with a strong hashing method, guessing will 
     be too slow for the attacker to discover a strong passphrase.

     All of the hashing methods use a “salt” to perturb the hash function, so that the 
     same passphrase may produce many possible hashes.  Newer methods accept longer 
     salt strings.  The salt should be chosen at random for each user.  Salt defeats a 
     number of attacks:

     1.   It is not possible to hash a passphrase once and then test it against each 
          account's stored hash; the hash calculation must be repeated for each account.

     2.   It is not possible to tell whether two accounts use the same passphrase without 
          successfully guessing one of the phrases.

     3.   Tables of precalculated hashes of commonly used passphrases must have an entry 
          for each possible salt, which makes them impractically large.

     All of the hashing methods are also deliberately engineered to be slow; they use many 
     iterations of an underlying cryptographic primitive to increase the cost of each 
     guess.  The newer hashing methods allow the number of iterations to be adjusted, 
     using the “CPU time cost” parameter to crypt_gensalt(3).  This makes it possible to 
     keep the hash slow as hardware improves.

By following this chain (man shadow, then man 3 crypt, then man 5 crypt), we can see that passwords are stored in /etc/shadow as salted hashes. There are many hashing mechanisms and methods available, so you will have to dig into the man pages to really interpret the data in /etc/shadow and determine which hashing method is used by default in your environment.
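The answer above stops at "dig into the man pages". What follows is an added example, not part of the original answer: a small Python audit script that reads shadow(5)-style lines, splits the nine colon-separated fields, and classifies the password field using the method identifiers documented in crypt(5) (the text between the first two "$", e.g. "$y$" for yescrypt, which is what a stock Ubuntu 22.04 install uses for new passwords via ENCRYPT_METHOD YESCRYPT in /etc/login.defs and the pam_unix line in /etc/pam.d/common-password). It also reports the lock state ("!" prefix), the sha-crypt "rounds=" cost (default 5000 when absent, per crypt(5)), and flags empty or weakly hashed entries. The SAMPLE_SHADOW lines are constructed for the demo; the salt and hash strings in them are placeholders of the right shape, not real hashes.

```python
"""Audit shadow(5) entries: which hash method protects each account?

Added example, not the original answer's code. Sample lines are constructed;
salts/hashes in them are placeholders, not real password hashes.
"""
from typing import Dict, List

# Method identifiers from crypt(5); the id sits between the first two '$'.
HASH_METHODS = {
    "y": "yescrypt",          # Ubuntu 22.04 default for new passwords
    "gy": "gost-yescrypt",
    "7": "scrypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "6": "sha512crypt",
    "5": "sha256crypt",
    "1": "md5crypt",          # legacy; far too fast for modern hardware
}
WEAK_METHODS = {"md5crypt", "descrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000          # crypt(5): used when "rounds=" is absent
CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
SHADOW_FIELDS = ("name", "password", "lastchange", "min", "max",
                 "warn", "inactive", "expire", "reserved")

# Constructed sample; the salt/hash parts are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$y$j9T$SaltSaltSaltSalt$HashHashHashHashHashHashHashHashHashHashHash:19400:0:99999:7:::
alice:$6$rounds=100000$SaltSalt$HashHash:19400:0:99999:7:::
bob:$6$SaltSalt$HashHash:19400:0:99999:7:::
legacy:$1$SaltSalt$HashHash:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
svc:!$y$j9T$SaltSalt$HashHash:19400:0:99999:7:::
guest::19400:0:99999:7:::
"""


def parse_shadow_line(line: str) -> Dict[str, str]:
    """Split one shadow(5) line into its nine colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, fields))


def classify_password(field: str) -> Dict[str, object]:
    """Describe a password field: locked?, hash method, and cost parameter."""
    locked = field.startswith("!")       # shadow(5): leading '!' means locked
    core = field.lstrip("!")             # what the field held before locking
    info: Dict[str, object] = {"locked": locked, "method": None, "cost": None}
    if core == "":
        info["method"] = "empty"         # no password required to authenticate
    elif not core.startswith("$"):
        # 13 chars from the crypt alphabet is traditional DES crypt; anything
        # else ("*", "x", ...) is not crypt(3) output, so no unix-password login.
        is_des = len(core) == 13 and set(core) <= CRYPT_ALPHABET
        info["method"] = "descrypt" if is_des else "disabled"
    else:
        parts = core.split("$")          # parts[0] is "" (text before first '$')
        ident = parts[1]
        info["method"] = HASH_METHODS.get(ident, f"unknown({ident})")
        if ident in ("5", "6"):          # sha-crypt: optional "$rounds=N$"
            has_rounds = len(parts) > 2 and parts[2].startswith("rounds=")
            info["cost"] = int(parts[2][7:]) if has_rounds else SHA_CRYPT_DEFAULT_ROUNDS
        elif ident in ("2a", "2b", "2y") and len(parts) > 2:
            info["cost"] = int(parts[2])  # bcrypt cost = log2(iterations)
        elif ident in ("y", "gy", "7") and len(parts) > 2:
            info["cost"] = parts[2]       # encoded parameter string, e.g. "j9T"
    return info


def audit_shadow(text: str) -> List[Dict[str, str]]:
    """Flag usable accounts whose password is absent or weakly hashed."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        info = classify_password(entry["password"])
        if info["locked"]:
            continue                     # a locked hash cannot be used to log in
        method = str(info["method"])
        if method == "empty":
            findings.append({"name": entry["name"], "issue": "empty password field: no password required"})
        elif method in WEAK_METHODS:
            findings.append({"name": entry["name"], "issue": f"weak hash method {method}"})
        elif method.startswith("unknown"):
            findings.append({"name": entry["name"], "issue": f"unrecognised method {method}"})
    return findings


if __name__ == "__main__":
    import sys
    # Reading the real file needs root or membership of group "shadow":
    #   sudo python3 shadow_audit.py /etc/shadow
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for line in text.splitlines():
        if line.strip():
            e = parse_shadow_line(line)
            print(f"{e['name']:<10} {classify_password(e['password'])}")
    for f in audit_shadow(text):
        print("FINDING:", f["name"], "-", f["issue"])
```

Run it against the constructed sample to see the classification, or with sudo against /etc/shadow (mode 0640, root:shadow) to see what your own machine uses. Locked accounts are skipped on purpose: the text after "!" is only the old hash and cannot be used to log in, so it is not a live weakness. The script intentionally does not verify passwords; that is crypt(3)'s job, and on Ubuntu 22.04 yescrypt is only available through libxcrypt, not Python's standard library.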

Answer 2

Besides hashed/salted passwords, there are also some passwords stored in plain text that nobody else can read.

For example, ~/.netrc:

  • The .netrc file should be located in your home directory, and the file's permissions must be set so that you are the only user who can read it, i.e. nobody else can read it. It should be set to at least read-only (400) or read/write (600).

For a small developer who wants to avoid the complexity of managing passwords with a hashing algorithm, the ~/.netrc approach can be considered. This method is used for automatic SSH login to remote servers.
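The rule in this answer (owner-only, mode 400 or 600) is easy to state and easy to get wrong after a copy or a restore. Below is an added example, not part of the original answer, that checks a credentials file the way a practitioner would before trusting it: it must be a regular file rather than a symlink, owned by the current user, and carry no group/other permission bits. The demo writes a constructed .netrc into a temporary directory, deliberately leaves it world-readable, reports the problems, then fixes the mode and re-checks.

```python
"""Check that ~/.netrc (or any plaintext credentials file) is owner-only.

Added example, not the original answer's code. The .netrc content written
by demo() is constructed for illustration.
"""
import os
import stat
import tempfile
from typing import List, Tuple

ALLOWED_MODES = {0o400, 0o600}     # read-only or read/write, owner only


def netrc_problems(path: str) -> List[str]:
    """Return a list of reasons the file is unsafe; empty means it passes."""
    problems: List[str] = []
    st = os.lstat(path)                         # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; check the link target instead"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("is not a regular file")
    if st.st_uid != os.getuid():
        problems.append(f"owned by uid {st.st_uid}, not by you (uid {os.getuid()})")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                            # any group or other bit set
        problems.append(f"mode {mode:04o} grants group/other access; use 0600 or 0400")
    elif mode not in ALLOWED_MODES:
        problems.append(f"mode {mode:04o} is unusual; expected 0600 or 0400")
    return problems


def check_home_netrc() -> List[str]:
    """Convenience wrapper for the real file; missing file is not a problem."""
    path = os.path.expanduser("~/.netrc")
    if not os.path.lexists(path):
        return []
    return netrc_problems(path)


def demo() -> Tuple[List[str], List[str]]:
    """Create a world-readable .netrc, report it, fix it, report again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".netrc")
        with open(path, "w") as fh:
            # Constructed sample credentials; not real.
            fh.write("machine example.com login alice password hunter2\n")
        os.chmod(path, 0o644)                   # the common mistake
        before = netrc_problems(path)
        os.chmod(path, 0o600)                   # the fix the answer prescribes
        after = netrc_problems(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix: ", after)
    print("your ~/.netrc:", check_home_netrc() or "ok (or absent)")
```

The check uses os.lstat rather than os.stat so that a symlinked .netrc is reported instead of silently evaluating whatever it points at; a link into a shared or world-writable location would otherwise pass on the target's mode alone.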