Password

Bad passwords are accepted despite the password policy

  • May 4, 2021

I'm working on an embedded Linux distribution.

I'm trying to enforce a password policy through the pam_cracklib.so module.

I modified the /etc/pam.d/common-password file, which now looks like this:

password        required                        pam_cracklib.so minlen=10
password        [success=1 default=ignore]      pam_unix.so obscure  sha512 use_authtok
password        requisite                       pam_deny.so
password        required                        pam_permit.so

So I'm trying to enforce a "password of at least 10 characters" policy, but entering "a" as the password is reported as a bad password and yet not rejected:

passwd
New password:   #inserted a
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password: #inserted a
passwd: password updated successfully #It should refuse such a weak password

Any tips?

Edit 1: As @berndbausch suggested, the delta in syslog after adding the debug option to pam_cracklib.so (only the part after changing the password is included) is:

May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { read write } for  pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=11 success=yes exit=0 a0=1011fae0 a1=1011fb18 a2=1011fd18 a3=ff8368c items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { write } for  pid=3084 comm="passwd" name="dev-log" dev="tmpfs" ino=1169 scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { sendto } for  pid=3084 comm="passwd" path="/run/systemd/journal/dev-log" scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=102 success=yes exit=0 a0=3 a1=bff25db4 a2=6e a3=60 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { ioctl } for  pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=54 success=yes exit=0 a0=0 a1=402c7413 a2=bff25828 a3=1001d090 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start timed out.
May  3 13:00:05 namc8569-xe1 systemd[1]: Timed out waiting for device dev-ttyEHV0.device.
May  3 13:00:05 namc8569-xe1 systemd[1]: Dependency failed for Serial Getty on ttyEHV0.
May  3 13:00:05 namc8569-xe1 systemd[1]: serial-getty@ttyEHV0.service: Job serial-getty@ttyEHV0.service/start failed with result 'dependency'.
May  3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start failed with result 'timeout'.
May  3 13:00:05 namc8569-xe1 systemd[1]: Reached target Login Prompts.
May  3 13:00:05 namc8569-xe1 systemd[1]: Reached target Multi-User System.
May  3 13:00:05 namc8569-xe1 systemd[1]: Starting Update UTMP about System Runlevel Changes...
May  3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May  3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May  3 13:00:05 namc8569-xe1 audit[3090]: SYSTEM_RUNLEVEL pid=3090 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
May  3 13:00:05 namc8569-xe1 systemd[1]: Started Update UTMP about System Runlevel Changes.
May  3 13:00:05 namc8569-xe1 systemd[1]: Startup finished in 1.703s (kernel) + 1min 31.908s (userspace) = 1min 33.612s.
May  3 13:00:05 namc8569-xe1 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May  3 13:00:05 namc8569-xe1 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

root (or any user with uid 0) can usually change its password to whatever it wants (see below).

Try testing with a regular (non-uid-0) user.

@LL3 added this important piece of information: "Note that this is actually still a policy issue, since pam_cracklib itself does not return 'failure' if the account is root. See the enforce_for_root option of pam_cracklib."

Source: https://unix.stackexchange.com/questions/647994