linux password-management ubuntu
Ubuntu Documentation > Ubuntu 9.04 > Ubuntu Server Guide > Security > User Management states that Ubuntu has a default minimum password length:
By default, Ubuntu requires a minimum password length of 4 characters
assuming the password will be set by the user with passwd. Is there a command that shows a user's current password policy, in the way that chage shows the password expiry information for a specific user?
> sudo chage -l SomeUserName
Last password change : May 13, 2010
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
This is not about checking each of the places where the policy is controlled and interpreting them, because that process may contain errors. A command that reports the combined policy would be used to check the policy-setting steps.
The OP is conflating two different issues: policy and password length.
As @BillThor already said, password length is handled by the PAM module, under the infelicitous keyword obscure, in the file /etc/pam.d/common-password, which contains the following line:
password [success=1 default=ignore] pam_unix.so obscure sha512
The obscure keyword stands for (according to man pam_unix):
obscure
Enable some extra checks on password strength. These checks are based on the "obscure" checks in the
original shadow package. The behavior is similar to the pam_cracklib module, but for
non-dictionary-based checks. The following checks are implemented:
Palindrome
Verifies that the new password is not a palindrome of (i.e., the reverse of) the previous one.
Case Change Only
Verifies that the new password isn't the same as the old one with a change of case.
Similar
Verifies that the new password isn't too much like the previous one.
Simple
Is the new password too simple? This is based on the length of the password and the number of
different types of characters (alpha, numeric, etc.) used.
Rotated
Is the new password a rotated version of the old password? (E.g., "billy" and "illyb")
The obscure prescription can be overridden as follows: in /etc/pam.d/common-password, rewrite the line above as
password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=20
or whatever you like.
Finding the exact place where the minimum password length is defined requires digging into pam:
# apt-cache search pam_unix.so
libpam-modules - Pluggable Authentication Modules for PAM
# apt-get source libpam-modules
...and then finding where the minimum password length is defined:
# grep -rl UNIX_MIN_PASS_LEN
modules/pam_unix/support.h
modules/pam_unix/support.c
debian/patches-applied/007_modules_pam_unix
debian/patches-applied/055_pam_unix_nullok_secure
Reading the debian patches carefully, you will see that the parameter UNIX_MIN_PASS_LEN (the 27th possible argument) corresponds to a variable called minlen, which is set in /modules/pam_unix/support.c. However, one of the debian patches fixes pass_min_len: the file debian/patches-applied/007_modules_pam_unix contains the following lines:
- int pass_min_len = 0;
+ int pass_min_len = 6;
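Review bot: the new initializer `int pass_min_len = 6;` hard-codes the default at the declaration with nothing saying where 6 comes from or that the `minlen=` module option (shown earlier in this answer) overrides it; a one-line comment at the declaration would spare the next reader the source dive described here.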
and the file debian/changelog specifies:
- Further cleanup of 007_modules_pam_unix: don't use a global variable for pass_min_len, don't gratuitously move the length check into the "obscure" checks, and internationalize the error strings.
I have never liked PAM, and this is why: to locate a trivial parameter such as the minimum password length, it forces you to look at the source code.
The information displayed by chage -l username is entirely contained in the /etc/shadow file; the man page states:
shadow is a file which contains the password information for the system's accounts and optional aging information.
The fields of each entry are:
login name, encrypted password, date of last password change, minimum password age, maximum password age, password warning period, password inactivity period, account expiration date, and a reserved field for future use.
Just to double check, an strace of the chage command shows which files are opened:
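To make the obscure checks and the minlen= override concrete, here is an added Python illustration (my code, not pam_unix's source and not part of the answer above). It parses the pam_unix line of a constructed common-password file into the effective settings, taking 6 as the default minimum length per the Debian patch quoted in the answer, and re-implements the five checks named in the man page excerpt. The "similar" heuristic and the character-class length rule in "simple" are assumptions, not pam_unix's exact arithmetic.

```python
"""What the pam_unix 'obscure' keyword and 'minlen=' option amount to.

Added example, not pam_unix's source: a Python re-implementation of the five
checks listed in the pam_unix(8) excerpt, plus a parser that pulls the
effective settings out of the pam_unix line of /etc/pam.d/common-password.
"""
import re

# Assumption: Debian's patched pam_unix starts pass_min_len at 6 (the patch
# hunk quoted in the answer), so a line without minlen= gets that default.
DEBIAN_DEFAULT_MINLEN = 6

# Constructed sample with the same shape as the common-password line quoted above.
SAMPLE_COMMON_PASSWORD = """\
# here are the per-package modules (the "Primary" block)
password\t[success=1 default=ignore]\tpam_unix.so obscure sha512
# here's the fallback if no module succeeds
password\trequisite\t\t\tpam_deny.so
"""

HASH_OPTIONS = ("md5", "bigcrypt", "sha256", "sha512", "blowfish")


def pam_unix_policy(common_password_text):
    """Return {'obscure': bool, 'minlen': int, 'hash': str or None} for the
    first pam_unix.so 'password' entry in the text, or None if there is none."""
    for raw in common_password_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line.startswith("password"):
            continue
        m = re.search(r"\bpam_unix\.so\b(.*)$", line)
        if not m:
            continue
        options = m.group(1).split()                 # everything after the module name
        policy = {"obscure": "obscure" in options,
                  "minlen": DEBIAN_DEFAULT_MINLEN, "hash": None}
        for opt in options:
            if opt.startswith("minlen="):
                policy["minlen"] = int(opt.split("=", 1)[1])
            elif opt in HASH_OPTIONS:
                policy["hash"] = opt
        return policy
    return None


def _classes(pw):
    """Number of character classes (digit, upper, lower, other) present in pw."""
    return sum([any(c.isdigit() for c in pw), any(c.isupper() for c in pw),
                any(c.islower() for c in pw), any(not c.isalnum() for c in pw)])


def obscure_check(new, old=None, minlen=DEBIAN_DEFAULT_MINLEN):
    """Return the name of the first failed 'obscure' check, or None on success.
    Names follow the pam_unix(8) list; the evaluation order is a choice here."""
    if old:
        if new == old[::-1]:                         # Palindrome: reverse of the old one
            return "palindrome"
        if new != old and new.lower() == old.lower():  # Case Change Only
            return "case change only"
        if new != old and len(new) == len(old) and new in old + old:  # Rotated
            return "rotated"
        # Assumption: 'Similar' = fewer than half of the old password's
        # characters are absent from the new one.
        missing = sum(1 for c in old if c not in new)
        if missing * 2 < len(old):
            return "similar"
    # Assumption: 'Simple' uses the historical rule one class -> 8 characters,
    # each extra class allows one fewer, never going below minlen.
    required = max(minlen, 9 - _classes(new))
    if len(new) < required:
        return "simple"
    return None


if __name__ == "__main__":
    print(pam_unix_policy(SAMPLE_COMMON_PASSWORD))
    for new, old in [("yllib", "billy"), ("BILLY", "billy"), ("illyb", "billy"),
                     ("billie", "billy"), ("abcdefg", "billy"),
                     ("Correct-Horse-9", "billy")]:
        print(f"{old!r} -> {new!r}: {obscure_check(new, old) or 'ok'}")
```

Feeding the parser the line with minlen=20 from the answer yields a minlen of 20, while the stock line yields the assumed default of 6 with obscure enabled and sha512 hashing; the checks reject the man page's own "billy" / "illyb" pair as rotated.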
# strace -e trace=open -f chage -l myusername
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/proc/filesystems", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW) = 3
open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW) = 4
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
open("/usr/share/locale/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 5
Last password change : mag 05, 2014
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
+++ exited with 0 +++
The policy can be found in /etc/pam.d/common-password. The default policy is obscure, documented in the pam_unix man page. You may want to install pam_cracklib and add some additional policy. Password changes made by root usually bypass the policy.
If you are not using pam to validate new passwords, then the policy belongs to the tool used to change the password. This can happen if you use LDAP or another external password database and change passwords directly in the database.