Setting Up a Password Policy in Linux

Hello again! Classes for the new "Linux Administrator" course group start tomorrow, and for the occasion we are publishing a useful article on the topic.

In the previous tutorial we told you how to use pam_cracklib to make passwords more complex on Red Hat 6 or CentOS systems. In Red Hat 7, pam_pwquality replaced cracklib as the default pam module for checking passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as many other OSes. This module makes it easy to create password policies that ensure users adhere to your password strength standards.

For a long time, the common approach to passwords was to force the user to use uppercase letters, lowercase letters, digits or other symbols. These basic password complexity rules have been heavily promoted over the past ten years. There has been much discussion about whether this is good practice or not. The main argument against setting such complex requirements was that users write passwords down on pieces of paper and store them insecurely.

Another policy that has recently been called into question forces users to change their passwords every x days. Some studies have shown that this is also detrimental to security.

Many articles have been written on the subject of these debates, arguing for one point of view or another. But that is not what we will discuss in this article. This article is about how to set password complexity correctly rather than about managing security policy.

Password Policy Settings

Below you will see the password policy options and a brief description of each. Many of them are similar to the parameters of the cracklib module. This approach makes it easy to port your policies from a legacy system.

  • difok - The number of characters in your new password that must NOT be present in your old password. (Default 5)
  • minlen - The minimum length of the password. (Default 9)
  • ucredit - The maximum number of credits for using uppercase characters (if the parameter > 0), or the minimum required number of uppercase characters (if the parameter < 0). Default is 1.
  • lcredit - The maximum number of credits for using lowercase characters (if the parameter > 0), or the minimum required number of lowercase characters (if the parameter < 0). Default is 1.
  • dcredit - The maximum number of credits for using digits (if the parameter > 0), or the minimum required number of digits (if the parameter < 0). Default is 1.
  • ocredit - The maximum number of credits for using other symbols (if the parameter > 0), or the minimum required number of other symbols (if the parameter < 0). Default is 1.
  • minclass - Sets the number of required classes. The classes correspond to the parameters above (uppercase characters, lowercase characters, digits, other characters). Default is 0.
  • maxrepeat - The maximum number of times a character may be repeated in the password. Default is 0.
  • maxclassrepeat - The maximum number of consecutive characters of the same class. Default is 0.
  • gecoscheck - Checks whether the password contains words from the user's GECOS strings (user information, that is, real name, location, and so on). Default is 0 (off).
  • dictpath - The path to the cracklib dictionaries.
  • badwords - Space-separated words that are forbidden in passwords (company name, the word "password", and so on).

If the concept of credits sounds strange, that is fine, it is normal. We will talk more about it in the following sections.

Configuring the Password Policy

Before you start editing configuration files, it is good practice to write down a basic password policy in advance. For example, we will use the following complexity rules:

  • The password must have a minimum length of 15 characters.
  • The same character must not be repeated more than twice in the password.
  • Character classes may be repeated up to four times in the password.
  • The password must contain characters from each class.
  • The new password must have 5 new characters compared to the old one.
  • Enable the GECOS check.
  • Forbid the words "password, pass, word, putorius"

Now that we have laid out the policy, we can edit the file /etc/security/pwquality.conf to add the password complexity requirements. Below is an example file with comments for better understanding.

# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius

As you may have noticed, some parameters in our file are redundant. For example, the minclass parameter is redundant, since we already require at least two characters from each class using the [u,l,d,o]credit fields. Our list of forbidden words is also redundant, since we have forbidden repeating any class 4 times (all the words in our list are written in lowercase). I included these options only to demonstrate how to use them to configure your password policy.
Once you have created your policy, you can force users to change their passwords the next time they log in to the system.

Another oddity you may notice is that the [u,l,d,o]credit fields contain a negative number. That is because numbers greater than or equal to 0 give you credit for using that character in your password. If the field contains a negative number, it means that a specific quantity is required.
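One way to check a pwquality.conf against the policy written out above, as an added example (not from the original article or from libpwquality); the function names, the wording of the findings and the WEAK sample are constructed for illustration. It relies on the sign convention just described: only a negative credit value makes a class mandatory.

```python
CREDITS = ("dcredit", "ucredit", "lcredit", "ocredit")
BANNED = {"password", "pass", "word", "putorius"}   # words named in the policy

def parse_pwquality(text):
    """Parse 'name = value' lines; text after '#' is a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return findings where the settings are weaker than the written policy."""
    findings = []
    def num(key):
        try:
            return int(settings[key])
        except (KeyError, ValueError):
            return None                      # absent or not a number
    def require(ok, message):
        if not ok:
            findings.append(message)
    require((num("minlen") or 0) >= 15, "minlen must be at least 15")
    require((num("difok") or 0) >= 5, "difok must be at least 5")
    require(num("maxrepeat") in (1, 2), "maxrepeat must be 1 or 2")
    require(num("maxclassrepeat") in (1, 2, 3, 4), "maxclassrepeat must be 1 to 4")
    require(num("gecoscheck") == 1, "gecoscheck must be 1")
    credits = {k: num(k) for k in CREDITS}
    optional = [k for k, v in credits.items() if v is None or v >= 0]
    require(not optional or num("minclass") == 4,
            "class not required: " + ", ".join(optional))
    bonus = sum(v for v in credits.values() if v and v > 0)
    require(bonus == 0, f"positive credits relax minlen by up to {bonus}")
    missing = BANNED - set(settings.get("badwords", "").lower().split())
    require(not missing, "badwords lacks: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample that is weaker than the policy in several places.
WEAK = """minlen = 12
dcredit = 2
maxrepeat = 0
gecoscheck = 1
badwords = password pass
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_pwquality(WEAK))))
```

A key that is absent from the file is reported as a finding rather than assumed to have a safe default.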

What Are Credits?

I call them credits because that conveys their purpose as accurately as possible. If the parameter value is greater than 0, you add a number of "character credits" equal to "x" to the password length. For example, if all the (u,l,d,o)credit parameters are set to 1 and the required password length was 6, then you would need 6 characters to satisfy the length requirement, because each uppercase character, lowercase character, digit or other character gives you one credit.

If you set dcredit to 2, you could theoretically use a password that is 9 characters long and get 2 character credits for digits, and then the password length would already be 10.

Look at this example. I set the password length to 13, set dcredit to 2, and everything else to 0.

$ pwscore
 Thisistwelve
 Password quality check failed:
  The password is shorter than 13 characters

$ pwscore
 Th1sistwelve
 18

My first check failed because the password was shorter than 13 characters. The next time, I changed the letter "I" to the number "1" and received two credits for digits, which made the password equal to 13.
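The length and credit arithmetic behind the two pwscore runs above, as an added example: a simplified model written for this page, not libpwquality's own code. It covers only minlen and the four credit settings, treats anything outside ASCII letters and digits as "other", and its function names are hypothetical.

```python
import string

def class_counts(password):
    """Count characters per class: d(igit), u(pper), l(ower), o(ther)."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def check_length(password, minlen, dcredit=0, ucredit=0, lcredit=0, ocredit=0):
    """Return (accepted, reason) for the length and per-class rules only."""
    counts = class_counts(password)
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    names = {"d": "digits", "u": "uppercase letters",
             "l": "lowercase letters", "o": "other characters"}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            # Zero or positive: each character of the class earns one credit,
            # capped at the configured maximum, and lowers the required length.
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            # Negative value: a hard minimum count for the class, no credit.
            return False, f"fewer than {-credit} {names[cls]}"
    if len(password) < required:
        return False, f"length {len(password)} is below required {required}"
    return True, "ok"

# Values from the sample pwquality.conf in the text (minlen = 15, credits = -2).
SAMPLE = dict(minlen=15, dcredit=-2, ucredit=-2, lcredit=-2, ocredit=-2)

if __name__ == "__main__":
    print(check_length("Thisistwelve", 13, dcredit=2))   # first pwscore input
    print(check_length("Th1sistwelve", 13, dcredit=2))   # second pwscore input
    print(check_length("Tr4il-Mix_Oc3an!", **SAMPLE))    # constructed password
```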

Checking the Password

The libpwquality package provides the functionality described in this article. It also ships with the pwscore program, which is designed to check password complexity. We used it above to check credits.
The pwscore utility reads from stdin. Just run the utility and type your password; it will show an error or a value from 0 to 100.

The password quality score relates to the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal password", and a score above it a "strong password". Any password that passes the quality checks (especially the forced cracklib check) should withstand dictionary attacks, and a password with a score above 50 with the default minlen setting should withstand even brute force attacks.

Conclusion

Configuring pwquality is easy and simple compared with the inconvenience of using cracklib with direct editing of pam files. In this guide, we covered everything you will need when setting up password policies on Red Hat 7, CentOS 7, and even Ubuntu systems. We also talked about the concept of credits, which is rarely written about in detail, so the topic often remained unclear to those who had not encountered it before.

Source: www.habr.com
