Creating a Password Policy in Linux

Hello again! Classes for a new group of the "Linux Administrator" course start tomorrow, and for the occasion we are publishing a useful article on the topic.

In the previous tutorial we showed how to use pam_cracklib to make passwords more complex on Red Hat 6 or CentOS systems. In Red Hat 7, pam_pwquality replaced cracklib as the default pam module for checking passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as on many other operating systems. This module makes it easy to create password policies that ensure users meet your password strength standards.

For a long time, the usual approach to passwords was to force the user to use uppercase letters, lowercase letters, digits, or other symbols. These basic password complexity rules have been heavily promoted over the last ten years. There has been a lot of discussion about whether this is good practice or not. The main argument against setting such complex conditions was that users write their passwords down on paper and store them insecurely.

Another policy that has recently been called into question forces users to change their passwords every x days. Some studies have shown that this also harms security.

Many articles have been written about these discussions, arguing for one point of view or the other. But that is not what we will discuss here. This article is about how to set password complexity correctly, not about managing security policy.

Password Policy Settings

Below you will see the password policy options and a short description of each. Many of them are similar to the parameters of the cracklib module. This makes it easier to port your policies from a legacy system.

  • difok - The number of characters in your new password that must NOT be present in your old password. (Default 5)
  • minlen - Minimum password length. (Default 9)
  • ucredit - The number of credits for using uppercase characters (if parameter > 0), or the required number of uppercase characters (if parameter < 0). Default is 1.
  • lcredit - The number of credits for using lowercase characters (if parameter > 0), or the required number of lowercase characters (if parameter < 0). Default is 1.
  • dcredit - The maximum number of credits for using digits (if parameter > 0), or the minimum required number of digits (if parameter < 0). Default is 1.
  • ocredit - The maximum number of credits for using other symbols (if parameter > 0), or the minimum required number of other symbols (if parameter < 0). Default is 1.
  • minclass - Sets the number of required classes. The classes are the ones covered by the parameters above (uppercase characters, lowercase characters, digits, other characters). Default is 0.
  • maxrepeat - The maximum number of times a character can be repeated in a password. Default is 0.
  • maxclassrepeat - The maximum number of consecutive characters of the same class. Default is 0.
  • gecoscheck - Checks whether the password contains any words from the user's GECOS string (user information, i.e. real name, location, and so on). Default is 0 (disabled).
  • dictpath - Path to the cracklib dictionaries.
  • badwords - Space-separated words that are forbidden in passwords (company name, the word "password", and so on).

If the concept of credits sounds strange, that is fine, it is normal. We will talk more about it in the following sections.

Password Policy Configuration

Before you start editing configuration files, it is good practice to write down the basic password policy in advance. As an example, we will use the following complexity rules:

  • The password must have a minimum length of 15 characters.
  • The same character must not be repeated more than twice in the password.
  • Character classes may be repeated up to four times in the password.
  • The password must contain characters from every class.
  • The new password must have 5 new characters compared to the old one.
  • Enable the GECOS check.
  • Forbid the words "password, pass, word, putorius"

Now that we have laid out the policy, we can edit the file /etc/security/pwquality.conf to tighten the password complexity requirements. Below is an example file with comments for better understanding.

# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius

As you may have noticed, some of the parameters in our file are redundant. For example, the minclass parameter is redundant because we already require at least two characters from each class using the [u,l,d,o]credit fields. Our list of words that cannot be used is also redundant, since we forbade repeating any class 4 times (all the words in our list are written in lowercase letters). I included these options only to demonstrate how to use them when configuring your password policy.
Once you have created your policy, you can force users to change their passwords the next time they log in to the system.

Another odd thing you may have noticed is that the [u,l,d,o]credit fields contain a negative number. This is because numbers greater than or equal to 0 give credit for using that kind of character in your password. If a field contains a negative number, it means that a specific quantity is required.

What are credits?

I call them credits because that conveys their purpose as accurately as possible. If the parameter value is greater than 0, you add a number of "character credits" equal to "x" to the password length. For example, if all the (u,l,d,o)credit parameters are set to 1 and the required password length was 6, then you would need 6 characters to satisfy the length requirement, because each uppercase letter, lowercase letter, digit or other character gives you one credit.

If you set dcredit to 2, you can use a password that is nine characters long and earn 9 character credits for digits, and the password length can then already be 10.

Look at this example. I set the password length to 13, set dcredit to 2, and everything else to 0.

$ pwscore
 Thisistwelve
 Password quality check failed:
  The password is shorter than 13 characters

$ pwscore
 Th1sistwelve
 18

My first check failed because the password was shorter than 13 characters. The next time, I changed the letter "i" to the digit "1" and received two credits for digits, which made the password count as 13.
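The length rule behind the pwscore session above, modelled in Python as an added example (not code from the original article or from libpwquality). It assumes that a positive credit lowers the required length by one per matching character, up to the credit value, and that a negative credit is a hard minimum; the function names are hypothetical, and the dictionary, maxrepeat and other checks are left out.

```python
import string


def count_classes(password):
    """Count digits (d), uppercase (u), lowercase (l) and other (o) characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def check_length(password, minlen, dcredit=0, ucredit=0, lcredit=0, ocredit=0):
    """Return (ok, reason, required_length) for the length/credit rule only."""
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    counts = count_classes(password)
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            # Positive value: each character of the class earns one credit,
            # capped at `credit`; every credit lowers the required length.
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            # Negative value: a hard minimum count, no length credit given.
            return False, f"needs at least {-credit} characters of class {cls}", None
    if len(password) < required:
        return False, f"shorter than {required} characters", required
    return True, "ok", required


if __name__ == "__main__":
    # Settings from the pwscore session: minlen 13, dcredit 2, the rest 0.
    for pw in ("Thisistwelve", "Th1sistwelve"):
        print(pw, check_length(pw, 13, dcredit=2))
    # Example policy from pwquality.conf above: minlen 15, all credits -2.
    policy = dict(minlen=15, dcredit=-2, ucredit=-2, lcredit=-2, ocredit=-2)
    for pw in ("ab1CD2ef!gh#Ijk", "ab1CDxef!gh#Ijk"):  # constructed samples
        print(pw, check_length(pw, **policy))
```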

Password test

The libpwquality package provides the functionality described in this article. It also comes with the pwscore program, which is designed to check password complexity. We used it above to check credits.
The pwscore utility reads from stdin. Just run the utility and type your password; it will display either an error or a value from 0 to 100.

The password quality score is relative to the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal password", and a score above that a "strong password". Any password that passes the quality checks (especially the mandatory cracklib check) should withstand dictionary attacks, and a password with a score above 50 with the default minlen setting should withstand even brute-force attacks.

Conclusion

Configuring pwquality is easy and simple compared with the inconvenience of using cracklib with direct editing of pam files. In this guide we have covered everything you will need when setting up password policies on Red Hat 7, CentOS 7, and even Ubuntu systems. We also talked about the concept of credits, which is rarely written about in detail, so this topic has often remained unclear to those who had not come across it before.

Sources:

pwquality man page
pam_pwquality man page
pwscore man page

Useful links:

Choosing Secure Passwords - Bruce Schneier
Lorrie Faith Cranor discusses her password studies at CMU
The infamous xkcd comic on entropy

Source: www.habr.com
