Setting a Password Policy on Linux

Hello again! Classes for the new group of the "Linux Administrator" course start tomorrow, and on that occasion we are publishing a useful article on the topic.


In a previous lesson we showed how to use pam_cracklib to enforce password complexity on Red Hat 6 or CentOS systems. On Red Hat 7, pam_pwquality replaced cracklib as the default PAM module for checking passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as many other operating systems. This module makes it easy to create password policies that ensure users meet your password strength requirements.

For a long time, the usual approach to passwords was to force users to use uppercase letters, lowercase letters, digits, or other symbols. These basic password complexity rules have been widely promoted over the past decade. There has been a lot of debate about whether this is good practice or not. The main argument against setting such strict requirements was that users write their passwords down on sticky notes and store them insecurely.

Another policy that has recently been called into question forces users to change their passwords every x days. Studies have shown that this is also harmful to security.

Many articles have been written on the subject of these debates, supporting one view or the other. But that is not what we will discuss in this article. This article is about how to correctly configure password complexity, not about managing security policy.

Password Policy Settings

Below are the password policy options with a brief description of each. Many of them are similar to the parameters of the cracklib module, which makes it easy to carry your policies over from the legacy setup.

  • difok - The number of characters in your new password that must NOT be present in your old password. (Default 5)
  • minlen - Minimum password length. (Default 9)
  • ucredit - Maximum number of credits for using uppercase letters (if the parameter is > 0), or the minimum required number of uppercase letters (if the parameter is < 0). Default 1.
  • lcredit - Maximum number of credits for using lowercase letters (if the parameter is > 0), or the minimum required number of lowercase letters (if the parameter is < 0). Default 1.
  • dcredit - Maximum number of credits for using digits (if the parameter is > 0), or the minimum required number of digits (if the parameter is < 0). Default 1.
  • ocredit - Maximum number of credits for using other symbols (if the parameter is > 0), or the minimum required number of other symbols (if the parameter is < 0). Default 1.
  • minclass - Sets the number of required character classes. The classes are those of the parameters above (uppercase letters, lowercase letters, digits, other characters). Default 0.
  • maxrepeat - Maximum number of times the same character may be repeated in a password. Default 0.
  • maxclassrepeat - Maximum number of consecutive characters from the same class. Default 0.
  • gecoscheck - Checks whether the password contains any words from the user's GECOS string (user information such as real name, location, etc.). Default 0 (off).
  • dictpath - Path to the cracklib dictionaries.
  • badwords - Space-separated list of words that are not allowed in passwords (the company name, the word "password", etc.).

If the idea of credits sounds unfamiliar, that's fine, it's normal. We will say more about it in the following sections.

Password Policy Configuration

Before you start editing configuration files, it is good practice to write down the basic password policy in advance. For example, we will use the following complexity rules:

  • The password must be at least 15 characters long.
  • The same character must not be repeated more than twice in the password.
  • A character class may repeat up to four times in a row in the password.
  • The password must contain characters from every class.
  • The new password must have 5 new characters compared to the old one.
  • Enable the GECOS check.
  • Forbid the words "password, pass, word, putorius"

Now that we have defined the policy, we can edit the file /etc/security/pwquality.conf to raise the password complexity requirements. Below is a sample file with comments for better understanding.

# Make sure 5 characters in new password are new compared to old password
difok = 5
# Set the minimum length acceptable for new passwords
minlen = 15
# Require at least 2 digits
dcredit = -2
# Require at least 2 upper case letters
ucredit = -2
# Require at least 2 lower case letters
lcredit = -2
# Require at least 2 special characters (non-alphanumeric)
ocredit = -2
# Require a character from every class (upper, lower, digit, other)
minclass = 4
# Only allow each character to be repeated twice, avoid things like LLL
maxrepeat = 2
# Only allow a class to be repeated 4 times
maxclassrepeat = 4
# Check user information (Real name, etc) to ensure it is not used in password
gecoscheck = 1
# Leave default dictionary path
dictpath =
# Forbid the following words in passwords
badwords = password pass word putorius

As you may have noticed, some parameters in our file are redundant. For example, the minclass parameter is not needed, because we already require at least two characters from each class via the [u,l,d,o]credit fields. Our list of forbidden words is also redundant, because we have prohibited any class from repeating 4 times in a row (all the words in our list are lowercase). I included these options only to show how to use them to configure your password policy.
Once you have created your policy, you can force users to change their passwords the next time they log in to the system.

Another unusual thing you may notice is that the [u,l,d,o]credit fields contain a negative number. This is because values greater than or equal to 0 give credit for using a character of that class in your password. If the field contains a negative number, it means that a certain minimum number of such characters is required.

What is a credit?

I call them credits because that conveys their purpose as accurately as possible. If the parameter value is greater than 0, you add a number of "character credits" equal to "x" to the password length. For example, if all the (u,l,d,o)credit parameters are set to 1 and the required password length is 6, then you will need 6 characters to satisfy the length requirement, because each uppercase letter, lowercase letter, digit, or other character gives you one credit.

If you set dcredit to 2, you could theoretically use a password 9 characters long and get 2 character credits for the digits, so the password length could count as 10.

Look at this example. I set the password length to 13, dcredit to 2, and everything else to 0.

$ pwscore
 Thisistwelve
 Password quality check failed:
  The password is shorter than 13 characters

$ pwscore
 Th1sistwelve
 18

My first check failed because the password was less than 13 characters long. The next time, I changed the letter "i" to the digit "1" and received two credits for the digits, which made the password count as 13.
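The credit arithmetic described above and the sample pwquality.conf can be checked without root access by modelling the rules in a few lines of Python. The block below is an added example, not code from the article or from libpwquality: it turns a configuration fragment (the article's file with the comments stripped) into a Policy and applies the credit, minclass, maxrepeat, maxclassrepeat and badwords rules following the pam_pwquality man page, where each character of a class counts +1 toward minlen up to a positive cap and a negative value is a required minimum. difok, gecoscheck and the cracklib dictionary check need an old password, user data or dictionaries, so they are parsed but not enforced, and the badwords match is a simplified case-insensitive substring test. The names Policy, parse_conf and check_password and the sample passwords are constructed for this example.

```python
"""Simplified model of the pam_pwquality checks discussed above.

Added example, not code from the article or from libpwquality.  It parses a
pwquality.conf fragment into a Policy and applies the credit arithmetic plus
the minclass, maxrepeat, maxclassrepeat and badwords rules.  difok, gecoscheck
and the dictionary check are parsed but not enforced (they need an old
password, user data or cracklib dictionaries).
"""
from dataclasses import dataclass, fields
from itertools import groupby

@dataclass(frozen=True)
class Policy:
    # Names mirror the pwquality.conf keys; defaults follow the man page.
    minlen: int = 9
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    minclass: int = 0
    maxrepeat: int = 0
    maxclassrepeat: int = 0
    badwords: tuple = ()

# The article's /etc/security/pwquality.conf with its comments removed.
SAMPLE_CONF = """
difok = 5
minlen = 15
dcredit = -2
ucredit = -2
lcredit = -2
ocredit = -2
minclass = 4
maxrepeat = 2
maxclassrepeat = 4
gecoscheck = 1
dictpath =
badwords = password pass word putorius
"""

def parse_conf(text: str) -> Policy:
    """Build a Policy from 'key = value' lines; '#' starts a comment."""
    int_keys = {f.name for f in fields(Policy)} - {"badwords"}
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if key == "badwords":
            values[key] = tuple(val.split())
        elif key in int_keys:
            values[key] = int(val)
        # difok, gecoscheck and dictpath are accepted but not modelled here.
    return Policy(**values)

def char_class(c: str) -> str:
    """Classify a character as pwquality does: digit, upper, lower or other."""
    return ("digit" if c.isdigit() else "upper" if c.isupper()
            else "lower" if c.islower() else "other")

def longest_run(items) -> int:
    """Length of the longest run of consecutive equal items (0 when empty)."""
    return max((len(list(g)) for _, g in groupby(items)), default=0)

def check_password(password: str, policy: Policy):
    """Return (effective_length, error_codes); error_codes is empty on success."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for c in password:
        counts[char_class(c)] += 1
    errors, credits = [], 0
    for cls, limit in (("digit", policy.dcredit), ("upper", policy.ucredit),
                       ("lower", policy.lcredit), ("other", policy.ocredit)):
        if limit >= 0:
            credits += min(counts[cls], limit)  # +1 per character, capped at limit
        elif counts[cls] < -limit:
            errors.append("MIN_" + cls.upper())  # negative value is a hard minimum
    effective = len(password) + credits
    if effective < policy.minlen:
        errors.append("MIN_LENGTH")
    if policy.minclass and sum(1 for n in counts.values() if n) < policy.minclass:
        errors.append("MIN_CLASS")
    if policy.maxrepeat and longest_run(password) > policy.maxrepeat:
        errors.append("MAX_REPEAT")
    if policy.maxclassrepeat and longest_run(map(char_class, password)) > policy.maxclassrepeat:
        errors.append("MAX_CLASS_REPEAT")
    # Simplification: case-insensitive substring match only; libpwquality also
    # checks the reversed password and ignores words shorter than 4 characters.
    if any(w.lower() in password.lower() for w in policy.badwords):
        errors.append("BAD_WORDS")
    return effective, errors

# The article's credit demonstration: minlen 13, dcredit 2, other credits 0.
CREDIT_DEMO = Policy(minlen=13, dcredit=2, ucredit=0, lcredit=0, ocredit=0)
ARTICLE_POLICY = parse_conf(SAMPLE_CONF)
```

Running check_password on the two passwords from the pwscore session reproduces the outcome above: "Thisistwelve" has an effective length of 12 and fails, while "Th1sistwelve" earns credit for its digit and reaches 13. Against ARTICLE_POLICY, a constructed password such as "Ab1!Cd2@Ef3#Gh4$" passes, and "Password1111!!!!aaa" trips the uppercase minimum, maxrepeat, maxclassrepeat and badwords checks at once. pwscore remains the authoritative check, since it also runs the dictionary and similarity tests this model leaves out.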

Password Testing

The libpwquality package provides the functionality described in this article. It also ships the pwscore program, designed to check password complexity. We used it above to check the credits.
The pwscore utility reads from stdin. Just run the utility and type a password; it will print either an error or a score from 0 to 100.

The password quality score is tied to the minlen parameter in the configuration file. In general, a score below 50 is considered an "ordinary password", and a score above it a "strong password". Any password that passes the quality check (in particular the mandatory cracklib check) should withstand a dictionary attack, and a password scoring above 50 with even the default minlen setting should withstand a brute-force attack.

Conclusion

Configuring pwquality is simple and easy compared with the hassle of using cracklib by editing the PAM files directly. In this guide we have covered everything you need to set up password policies on Red Hat 7, CentOS 7, and Ubuntu systems. We also discussed the concept of credits, which is rarely described in detail, so this topic was often unclear to those who had not encountered it before.

Sources:

pwquality man page
pam_pwquality man page
pwscore man page

Useful links:

Choosing Secure Passwords - Bruce Schneier
Lorrie Faith Cranor discusses her password studies at CMU
The famous xkcd cartoon on entropy

umthombo: www.habr.com
