Creating a Password Policy in Linux

Hello again! Tomorrow classes begin for the new group of the "Linux Administrator" course, and on that occasion we are publishing a useful article on the topic.

In a previous tutorial we showed you how to use pam_cracklib to enforce password complexity on Red Hat 6 or CentOS systems. In Red Hat 7, pam_pwquality replaced cracklib as the default PAM module for checking passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as many other OSes. This module makes it much easier to create password policies that make sure your users follow your password strength requirements.

For a long time, the common approach to passwords was to force users to use uppercase letters, lowercase letters, digits, or other symbols. These basic password complexity rules have been heavily promoted over the past decade. There has been much debate about whether this is good practice or not. The main argument against imposing such complex requirements is that users write their passwords down on paper and store them insecurely.

Another policy that has recently come under question is forcing users to change their passwords every x days. Some studies have shown that this is also detrimental to security.

Much has been written on the subject of these debates, supporting one view or the other. But that is not what we will discuss in this article. This article is about how to configure password complexity correctly, not about managing security policy.

Password Policy Settings

Below you will find the password policy options with a brief description of each. Many of them are similar to the parameters of the cracklib module. This makes it easy to migrate your policy from the legacy module.

  • difok - The number of characters in the new password that must not have been present in the old password. (Default 5)
  • minlen - The minimum password length. (Default 9)
  • ucredit - The maximum number of credits for using uppercase letters (if the parameter is > 0), or the minimum required number of uppercase letters (if the parameter is < 0). Default is 1.
  • lcredit - The maximum number of credits for using lowercase letters (if the parameter is > 0), or the minimum required number of lowercase letters (if the parameter is < 0). Default is 1.
  • dcredit - The maximum number of credits for using digits (if the parameter is > 0), or the minimum required number of digits (if the parameter is < 0). Default is 1.
  • ocredit - The maximum number of credits for using other symbols (if the parameter is > 0), or the minimum required number of other symbols (if the parameter is < 0). Default is 1.
  • minclass - Sets the number of required character classes. The classes are the ones covered by the parameters above (uppercase letters, lowercase letters, digits, other characters). Default is 0.
  • maxrepeat - The maximum number of times a character may be repeated in a password. Default is 0.
  • maxclassrepeat - The maximum number of consecutive characters from the same class. Default is 0.
  • gecoscheck - Checks whether the password contains any words from the user's GECOS string (user information, i.e. real name, location, etc.). Default 0 (disabled).
  • dictpath - Path to the cracklib dictionary.
  • badwords - Space-separated list of words that are forbidden in passwords (the company name, the word "password", etc.).

If the concept of credits seems strange, don't worry, that is normal. We will talk about it in the sections below.

Configuring a Password Policy

Before you start editing configuration files, it is a good idea to write down your actual password policy in advance. As an example, we will use the following complexity rules:

  • The password must be at least 15 characters long.
  • The same character must not be repeated more than twice in a password.
  • Character classes may be repeated up to four times in a password.
  • The password must contain characters from every class.
  • The new password must have 5 new characters compared to the old one.
  • Enable the GECOS check.
  • Forbid the words "password, pass, word, putorius".

Now that we have defined the policy, we can edit the /etc/security/pwquality.conf file to add the password strength requirements. Below is an example file with comments for better understanding.

# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius

As you may have noticed, some parameters in our file are redundant. For example, the minclass parameter is redundant since we already require at least two characters from each class using the [u,l,d,o]credit fields. Our list of forbidden words is also redundant, since we forbid repeating any class 4 times (all the words in our list are written in lowercase). I included these options only to show how they are used to configure your password policy.
Once you have created your policy, you can force users to change their passwords the next time they log in to the system.

Another odd thing you may have noticed is that the [u,l,d,o]credit fields contain a negative number. This is because numbers greater than or equal to 0 give credit for using those characters in your password. If the field contains a negative number, it means that a specific number of characters of that class is required.

What are credits?

I call them credits because that conveys their purpose as accurately as possible. If the parameter value is greater than 0, you add a number of "character credits" equal to "x" to the password length. For example, if all the (u,l,d,o)credit parameters are set to 1 and the required password length is 6, then you would need 6 characters to satisfy the length requirement, since each uppercase letter, lowercase letter, digit, or other character gives you one credit.

If you set dcredit to 2, you could use a 9-character password and get 2 character credits for digits, and then the password length could be 10.

Take a look at this example. I set the password length to 13, set dcredit to 2, and everything else to 0.

$ pwscore
 Thisistwelve
 Password quality check failed:
  The password is shorter than 13 characters

$ pwscore
 Th1sistwelve
 18

My first check failed because the password was shorter than 13 characters. The next time I changed the letter "i" to the digit "1" and received two credits for the digits, which made the password length 13.
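To make the credit arithmetic and the example pwquality.conf above concrete, here is an added Python checker (not part of the original article, and not libpwquality's own code) that applies the credit rule, minlen, minclass, maxrepeat, maxclassrepeat, difok, badwords and the GECOS check to a password. It assumes the page's configuration values, constructed passwords, and a simplified difok/word check (set difference and case-insensitive substring), so results can differ from pwscore in edge cases.

```python
import re

# This page's example pwquality.conf, as a dict (constructed from the file shown above)
PAGE_CFG = {"difok": 5, "minlen": 15, "dcredit": -2, "ucredit": -2, "lcredit": -2,
            "ocredit": -2, "minclass": 4, "maxrepeat": 2, "maxclassrepeat": 4,
            "gecoscheck": 1, "badwords": "password pass word putorius"}
# The pwscore example from the page: minlen 13, dcredit 2, everything else 0
PWSCORE_CFG = {"minlen": 13, "dcredit": 2, "ucredit": 0, "lcredit": 0, "ocredit": 0}

def char_class(c):
    return "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else "o"

def check_password(pw, cfg, old="", gecos=""):
    """Return the list of failed rules ([] means accepted). Credits work as the page
    describes: credit > 0 adds min(count, credit) to the effective length, credit < 0
    is a hard minimum. difok and the word checks are simplified (an assumption)."""
    errors, counts = [], {k: 0 for k in "udlo"}
    for c in pw:
        counts[char_class(c)] += 1
    effective = len(pw)
    for cls in "udlo":
        credit = cfg.get(f"{cls}credit", 1)
        if credit < 0 and counts[cls] < -credit:
            errors.append(f"needs at least {-credit} characters of class '{cls}'")
        elif credit > 0:
            effective += min(counts[cls], credit)
    if effective < cfg.get("minlen", 9):
        errors.append(f"shorter than {cfg.get('minlen', 9)} characters (credits included)")
    if sum(1 for n in counts.values() if n) < cfg.get("minclass", 0):
        errors.append("too few character classes")
    rep, crep = cfg.get("maxrepeat", 0), cfg.get("maxclassrepeat", 0)
    if rep and re.search(r"(.)\1{%d,}" % rep, pw):
        errors.append(f"a character repeats more than {rep} times in a row")
    if crep and re.search(r"(.)\1{%d,}" % crep, "".join(map(char_class, pw))):
        errors.append(f"more than {crep} consecutive characters of one class")
    if old and len(set(pw) - set(old)) < cfg.get("difok", 5):
        errors.append("too few characters that are new compared to the old password")
    words = str(cfg.get("badwords", "")).split()
    if cfg.get("gecoscheck", 0):
        words += [w for w in re.split(r"[ ,]+", gecos) if len(w) >= 3]
    if any(w.lower() in pw.lower() for w in words):
        errors.append("contains a forbidden word or a word from GECOS")
    return errors

if __name__ == "__main__":
    for pw in ("Thisistwelve", "Th1sistwelve"):
        print(pw, check_password(pw, PWSCORE_CFG) or "OK")
    print(check_password("Ab1!Cd2@Ef3#Gh4$", PAGE_CFG, gecos="Putorius Tester,,,") or "OK")
```

With the pwscore settings, the 12-character "Thisistwelve" is rejected and "Th1sistwelve" passes because its single digit earns one credit, giving an effective length of 13.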

Testing passwords

The libpwquality package provides the functionality described in this article. It also comes with the pwscore program, which is designed to check password complexity. We used it above to check credits.
The pwscore utility reads from stdin. Just run the utility and type your password; it will display either an error or a score from 0 to 100.

The password quality score is tied to the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal password", and a score above it is considered a "strong password". Any password that passes the quality checks (in particular the mandatory cracklib check) should withstand dictionary attacks, and a password with a score above 50 with the default minlen setting should even withstand brute-force attacks.

Conclusion

Configuring pwquality is simple and straightforward compared to the hassle of using cracklib with direct editing of the pam files. In this guide we covered everything you need when setting up a password policy on Red Hat 7, CentOS 7, and even Ubuntu systems. We also talked about the concept of credits, which is rarely written about in detail, so this topic has often remained obscure to those who had not encountered it before.

Sources:

pwquality man page
pam_pwquality man page
pwscore man page

Useful links:

Choosing Secure Passwords - Bruce Schneier
Lorrie Faith Cranor discusses her password research at CMU
The famous xkcd comic on entropy

source: www.habr.com