Hello again! Tomorrow, classes begin for a new course group.
In a previous tutorial we explained how to use pam_cracklib to make the passwords on a system more complex. pam_pwquality has replaced cracklib as the default pam module for checking passwords. The pam_pwquality module is supported on Ubuntu, CentOS and many other operating systems. With it you can easily create a password policy that makes sure users meet the password strength criteria.
For a long time, the common approach to passwords was to force users to use upper-case letters, lower-case letters, digits or other symbols. These basic password-complexity rules have been pushed heavily over the past XNUMX years. There has been a lot of debate about whether this is actually good practice; the main argument against setting such complexity requirements has been that users end up writing their passwords down on paper and not storing them securely.
Another policy that has recently been called into question is forcing users to change their password every x days; several studies have shown that this actually harms security.
Many articles have been written on these debates, arguing for one position or another, but that is not what this article is about. This article explains how to set password complexity correctly, not how to manage a security policy.
Password policy settings
Below are the password policy options with a brief description of each. Many of them resemble the parameters of the cracklib module, which makes porting a policy from legacy systems easier.
- difok – the number of characters in the new password that must not be present in the old password (default 5).
- minlen – the minimum password length (default 9).
- ucredit – the maximum number of credits for using upper-case letters (if the parameter is > 0), or the minimum number of upper-case letters required (if the parameter is < 0). Default 1.
- lcredit – the maximum number of credits for using lower-case letters (if the parameter is > 0), or the minimum number of lower-case letters required (if the parameter is < 0). Default 1.
- dcredit – the maximum number of credits for using digits (if the parameter is > 0), or the minimum number of digits required (if the parameter is < 0). Default 1.
- ocredit – the maximum number of credits for using other symbols (if the parameter is > 0), or the minimum number of other symbols required (if the parameter is < 0). Default 1.
- minclass – the number of character classes required. The classes are those covered by the parameters above (upper-case, lower-case, digits, other). Default 0.
- maxrepeat – the maximum number of times a character may be repeated in the password. Default 0.
- maxclassrepeat – the maximum number of consecutive characters from the same class. Default 0.
- gecoscheck – checks whether the password contains words from the user's GECOS string (the user information: real name, location and so on). Default 0 (off).
- dictpath – the path to the cracklib dictionaries.
- badwords – space-separated words that may not be used in passwords (the company name, the word "password" and so on).
The concept of credits may sound odd, but that is normal; it is explained in more detail in the next section.
Setting the password policy
Before you start editing the configuration file, it is a good idea to write down a basic password policy in advance. For example, we will use the following complexity rules:
- The password must be at least 15 characters long.
- The same character may not be repeated more than XNUMX times in the password.
- A character class may be repeated at most XNUMX times within the password.
- The password must contain characters from every class.
- The new password must contain 5 characters that were not in the old password.
- The GECOS check is enabled.
- The words "password", "pass", "word" and "putorius" are forbidden.
Now that the policy is laid out, we can edit the /etc/security/pwquality.conf file to raise the password complexity requirements. Below is a sample file with comments to aid understanding.
# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius
You may have noticed that some parameters in the file are redundant. For example, minclass is redundant because the [u,l,d,o]credit fields already require at least XNUMX characters of each class. And because repeating any class 4 times in a row is forbidden, the list of forbidden words is redundant as well (every word in the list is written in lower-case). These options are included only to show how to use them when building a password policy.
Once the policy has been created, you can force users to change their password the next time they log in.
One odd thing you may also have noticed is that the [u,l,d,o]credit fields contain negative numbers. This is because a value of 0 or greater only permits (and credits) the use of that kind of character in the password, whereas a negative value in the field means that a certain number of them is required.
What are credits?
I call them credits because I want to convey their purpose as precisely as possible. When the parameter value is greater than 0, a character credit equal to "x" is added to the length of the new password. For example, if all the (u,l,d,o)credit parameters were set to 1 and the required password length was 6, a credit would be given for each upper-case letter, lower-case letter, digit and other character, so only XNUMX characters would be needed to meet the length requirement.
If dcredit is set to 2, you could in theory use a 9-character password, earn credit of up to 2 characters for the digits, and have its length already count as 10.
Look at this example. The password length is set to 13, dcredit is set to 2, and everything else is set to 0.
$ pwscore
Thisistwelve
Password quality check failed:
The password is shorter than 13 characters
$ pwscore
Th1sistwelve
18
The first check failed because the password was shorter than 13 characters. The second time, the letter "i" was changed to the digit "1"; that earned a credit for the digit and brought the password up to 13.
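As an added example (not the article's or libpwquality's own code), the following Python models the credit arithmetic behind the two pwscore runs above together with the remaining rules from the sample pwquality.conf, so a candidate password can be checked against a policy offline. It assumes the rule semantics exactly as the article describes them and leaves out difok, gecoscheck and the dictionary, which need data from the system.

```python
# Added example (not libpwquality's code): models the pwquality.conf rules described
# in the article so a policy's effect on a candidate password can be checked offline.
from itertools import groupby

CLASSES = ("digit", "upper", "lower", "other")


def classify(ch):
    return ("digit" if ch.isdigit() else "upper" if ch.isupper()
            else "lower" if ch.islower() else "other")


def longest_run(seq):
    """Longest run of equal consecutive items (0 for an empty sequence)."""
    return max((sum(1 for _ in g) for _, g in groupby(seq)), default=0)


def check(pw, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1,
          minclass=0, maxrepeat=0, maxclassrepeat=0, badwords=()):
    """Return the violated rules (empty list = pass). Defaults are those the article
    lists; difok, gecoscheck and the dictionary need external data and are left out."""
    errors, counts = [], {cls: 0 for cls in CLASSES}
    for ch in pw:
        counts[classify(ch)] += 1
    length = len(pw)  # credits are added to the real length, then compared with minlen
    for cls, credit in zip(CLASSES, (dcredit, ucredit, lcredit, ocredit)):
        if credit >= 0:                # positive: a bonus, capped at `credit` per class
            length += min(counts[cls], credit)
        elif counts[cls] < -credit:    # negative: a hard minimum that earns no bonus
            errors.append(f"needs at least {-credit} {cls} characters")
    if length < minlen:
        errors.append(f"shorter than {minlen} characters")
    if sum(1 for n in counts.values() if n) < minclass:
        errors.append(f"fewer than {minclass} character classes")
    if maxrepeat and longest_run(pw) > maxrepeat:
        errors.append(f"a character repeats more than {maxrepeat} times in a row")
    if maxclassrepeat and longest_run([classify(c) for c in pw]) > maxclassrepeat:
        errors.append(f"one class runs longer than {maxclassrepeat} characters")
    low = pw.lower()
    for word in badwords:  # case-insensitive, forwards and reversed, as libpwquality does
        if word.lower() in low or word.lower()[::-1] in low:
            errors.append(f"contains forbidden word {word!r}")
    return errors


# The article's pwscore runs: minlen 13, dcredit 2, every other credit 0.
ARTICLE = dict(minlen=13, dcredit=2, ucredit=0, lcredit=0, ocredit=0)
# The sample /etc/security/pwquality.conf shown above (difok omitted).
SAMPLE = dict(minlen=15, dcredit=-2, ucredit=-2, lcredit=-2, ocredit=-2, minclass=4,
              maxrepeat=2, maxclassrepeat=4, badwords=("password", "pass", "word", "putorius"))
```

`check("Th1sistwelve", **ARTICLE)` returns an empty list for the same reason pwscore accepted it: the single digit earns one credit, so 12 characters count as 13.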
Testing passwords
The libpwquality package provides the functionality described in this article. It also ships the pwscore program, which is designed to check password complexity; we used it above to verify the credits. The pwscore utility reads the password from standard input.
The password quality score depends on the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal" password and anything above that a "strong" password. Passwords that pass the quality checks (especially the mandatory cracklib check) should withstand dictionary attacks, and with the default minlen setting a password scoring above 50 should also withstand brute force attacks.
Summary
Configuring pwquality is quick and simple compared with the inconvenience of using cracklib, which means editing the pam files directly. This guide has covered everything you need to set up a password policy on Red Hat 7, CentOS 7 and Ubuntu systems. We also discussed the concept of credits, which is rarely written about in any detail, so the topic has remained unclear to anyone who had not come across credits before.
Source: habr.com