Creating a password policy on Linux

Hello again! Classes for the new group of the "Linux Administrator" course start tomorrow, and on that occasion we have published a useful article on the topic.


In a previous tutorial we showed how to use pam_cracklib to enforce stronger passwords on Red Hat 6 or CentOS systems. In Red Hat 7, pam_pwquality replaced cracklib as the default PAM module for checking passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as many other operating systems. This module makes it easy to create password policies that ensure users' passwords meet your strength requirements.

For a long time, the standard approach to passwords was to force the user to use upper-case letters, lower-case letters, digits, or other symbols. These basic password complexity rules were widely promoted over the past decade. There has been much debate about whether this is good practice. The main argument against imposing such strict conditions was that users write their passwords down on paper and store them insecurely.

Another policy that has recently been called into question forces users to change their password every x days. Some studies have shown that this also harms security.

Many articles have been written on the subject of those debates, arguing for one view or the other. But that is not what I will discuss in this article. This article covers how to properly configure password complexity, rather than how to manage security policy.

Password policy settings

Below you will find the password policy options with a brief description of each. Many of them are the same as the cracklib module's parameters, which makes it easy to port your policies from the legacy module.

  • difok – Number of characters in your new password that must NOT be present in the old password. (Default 5)
  • minlen – Minimum acceptable password length. (Default 9)
  • ucredit – Maximum credit for using upper-case letters (if the parameter is > 0), or the minimum number of upper-case letters required (if the parameter is < 0). Default is 1.
  • lcredit – Maximum credit for using lower-case letters (if the parameter is > 0), or the minimum number of lower-case letters required (if the parameter is < 0). Default is 1.
  • dcredit – Maximum credit for using digits (if the parameter is > 0), or the minimum number of digits required (if the parameter is < 0). Default is 1.
  • ocredit – Maximum credit for using other characters (if the parameter is > 0), or the minimum number of other characters required (if the parameter is < 0). Default is 1.
  • minclass – Sets the number of character classes required. The classes are the ones covered by the parameters above (upper-case letters, lower-case letters, digits, other characters). Default is 0.
  • maxrepeat – Maximum number of times the same character may be repeated consecutively in the password. Default is 0.
  • maxclassrepeat – Maximum number of consecutive characters from the same class. Default is 0.
  • gecoscheck – Checks whether the password contains words from the user's GECOS string (user information, i.e. real name, location, etc.). Default is 0 (off).
  • dictpath – Path to the cracklib dictionaries.
  • badwords – Space-separated list of words forbidden in passwords (the company name, the word "password", etc.).

If the concept of credits seems strange, that is normal. I will say more about it in the following sections.

Configuring the password policy

Before you start editing configuration files, it is good practice to write down your basic password policy first. As an example, we will use the following strict rules:

  • The password must be at least 15 characters long.
  • The same character must not be repeated more than twice in the password.
  • A character class may be repeated at most four times in a row in the password.
  • The password must contain characters from every class.
  • The new password must contain 5 characters that were not in the old one.
  • Enable the GECOS check.
  • Forbid the words "password, pass, word, putorius".

Now that we have defined the policy, we can edit the file /etc/security/pwquality.conf to raise the password complexity requirements. Below is an example file with comments for better understanding.

# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius

As you may have noticed, some parameters in our file are redundant. For example, the minclass parameter is redundant because we already require at least two characters of each class through the [u,l,d,o]credit settings. The list of forbidden words is also redundant, since we forbade repeating any class more than 4 times in a row (all the words in our list are lower-case). I included these options only to show how they are used to configure your password policy.
Once you have created your policy, you can force users to change their password the next time they log into the system.

Another thing you may have noticed is that the [u,l,d,o]credit fields contain negative numbers. This is because a value greater than or equal to 0 grants credit for using a character of that class in your password, while a negative value means that a certain number of characters of that class is required.

What is a credit?

I call them credits because that conveys their purpose as accurately as possible. If the value is greater than 0, you add up to "x" "credit characters" to the password length. For example, if all the (u,l,d,o)credit parameters were set to 1 and the required password length were 6, then you would need 6 characters to satisfy the length requirement, because each upper-case letter, lower-case letter, digit or other character gives you one credit.

If you set dcredit to 2, you could in theory use a 9-character password, receive 2 credits for digits, and the password length would then count as 10.

Look at this example. I set the password length to 13, dcredit to 2, and everything else to 0.

$ pwscore
 Thisistwelve
 Password quality check failed:
  The password is shorter than 13 characters

$ pwscore
 Th1sistwelve
 18

The first check failed because the password was shorter than 13 characters. Next I replaced the letter "i" with the digit "1" and received credit for the digit, which brought the password length to 13.
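As an added example (not from the original article and not libpwquality's own code), here is a simplified Python model of the checks configured above: positive credits add to the effective length, negative values become minimum counts, and minclass, maxrepeat, maxclassrepeat and badwords are applied in turn. It reproduces the pwscore test above and evaluates a few constructed passwords against the strict pwquality.conf policy; the dictionary and GECOS checks are left out, and the policy names CREDIT_POLICY and STRICT_POLICY are assumptions for this example.

```python
from collections import Counter
from itertools import groupby

def char_class(c):
    """Map a character to one of pwquality's four classes: u, l, d or o."""
    if c.isdigit():
        return "d"
    if c.isupper():
        return "u"
    if c.islower():
        return "l"
    return "o"

def check_password(pw, policy):
    """Return (ok, reason); policy maps pwquality.conf keys to ints/strings."""
    counts = Counter(char_class(c) for c in pw)
    effective = len(pw)
    for cls in "uldo":
        credit = policy.get(cls + "credit", 1)  # pwquality's default is 1
        if credit < 0:
            # negative value: at least -credit characters of this class are required
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} characters of class {cls}"
        else:
            # positive value: each character of the class adds one credit, capped at credit
            effective += min(counts[cls], credit)
    minlen = policy.get("minlen", 9)
    if effective < minlen:
        return False, f"shorter than {minlen} characters (counted {effective} with credits)"
    if sum(1 for cls in "uldo" if counts[cls]) < policy.get("minclass", 0):
        return False, f"fewer than {policy['minclass']} character classes"
    maxrepeat = policy.get("maxrepeat", 0)
    if maxrepeat and pw and max(len(list(g)) for _, g in groupby(pw)) > maxrepeat:
        return False, f"same character repeated more than {maxrepeat} times in a row"
    maxclassrepeat = policy.get("maxclassrepeat", 0)
    if maxclassrepeat and pw and max(len(list(g)) for _, g in groupby(pw, char_class)) > maxclassrepeat:
        return False, f"same class repeated more than {maxclassrepeat} times in a row"
    for word in policy.get("badwords", "").split():
        if word.lower() in pw.lower():
            return False, f"contains forbidden word {word!r}"
    return True, f"ok, effective length {effective}"

# Policy used for the article's pwscore test: minlen 13, dcredit 2, other credits 0
CREDIT_POLICY = {"minlen": 13, "ucredit": 0, "lcredit": 0, "dcredit": 2, "ocredit": 0}
# The strict policy from the pwquality.conf example above (constructed from the file)
STRICT_POLICY = {"minlen": 15, "ucredit": -2, "lcredit": -2, "dcredit": -2, "ocredit": -2,
                 "minclass": 4, "maxrepeat": 2, "maxclassrepeat": 4,
                 "badwords": "password pass word putorius"}
```

Calling check_password("Th1sistwelve", CREDIT_POLICY) returns an effective length of 13, matching the pwscore run above, while "Thisistwelve" is rejected as too short.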

Testing passwords

The libpwquality package provides the functionality described in this article. It also ships the pwscore program, which is designed to check password complexity; we used it above to verify the credits. The pwscore utility reads from stdin: simply run it and type your password, and it will print either an error or a score from 0 to 100.

The password quality score is tied to the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal password", and a score above that a "strong password". A password that passes the quality checks (in particular the mandatory cracklib check) should withstand dictionary attacks, and a password with a score above 50 under the default minlen setting should withstand brute-force attacks as well.

Conclusion

Configuring pwquality is simple and straightforward compared to the hassle of using cracklib and editing the PAM files directly. In this guide we covered everything you will need when setting up password policies on Red Hat 7, CentOS 7, and even Ubuntu systems. We also discussed the concept of credits, which is rarely described in detail, so this topic has often been unclear to those who had not encountered it before.


Source: www.habr.com
