shadow-4.5-passwd在fedora22-powerpc上passwd的配置文件引起的口令策略校验失效问题
发布日期:2021-06-30 22:17:52
浏览次数:2
分类:技术文章
本文共 6241 字,大约阅读时间需要 20 分钟。
前言
同事在fedora22-PC版上,配置出了可用的password策略. 输入不合规的口令,会有警告或报错提示.
将同样的配置文件挪到fedora22-powerpc版上,passwd执行后,输入不合规的口令,可以完成口令修改。 我没有找到fedora22原版的passwd工程下载,用的是gnu-shadow-4.5中的passwd工程。 现在怀疑是配置文件条目不同引起的问题(gnu的代码写的刚刚的,也不敢怀疑:))排错
gdb -tui –args ./passwd user_test
break new_password runnew_password 中对PASS_ALWAYS_WARN配置项进行了检查
if (amroot && !warned && getdef_bool ("PASS_ALWAYS_WARN") && (!obscure (orig, pass, pw) || reuse (pass, pw))) { (void) puts (_("\nWarning: weak password (enter it again to use it anyway).")); warned = true; continue; }
检查代码有与的关系, 如果PASS_ALWAYS_WARN 项的bool值不是yes, 后面的检查(obscure(), reuse())不会被执行了,导致口令检查策略失效.
obscure_msg 处判断了login.defs OBSCURE_CHECKS_ENAB yes 到了obscure_msg中, 就可以看到口令检查的全过程。 发现了login.defs 缺OBSCURE_CHECKS_ENAB配置项后,补全了先试了一下,口令检查策略文件已经生效了,就没有再继续观赏剩下的口令检查实现.bool obscure (const char *old, const char *new, const struct passwd *pwdp){ const char *msg = obscure_msg (old, new, pwdp); if (NULL != msg) { printf (_("Bad password: %s. "), msg); return false; } return true;}static /*@observer@*//*@null@*/const char *obscure_msg ( /*@notnull@*/const char *old, /*@notnull@*/const char *new, /*@notnull@*/const struct passwd *pwdp){ size_t maxlen, oldlen, newlen; char *new1, *old1; const char *msg; const char *result; oldlen = strlen (old); newlen = strlen (new); if (newlen < (size_t) getdef_num ("PASS_MIN_LEN", 0)) { return _("too short"); } /* * Remaining checks are optional. */ if (!getdef_bool ("OBSCURE_CHECKS_ENAB")) { return NULL; } msg = password_check (old, new, pwdp); if (NULL != msg) { return msg; } result = getdef_str ("ENCRYPT_METHOD"); if (NULL == result) { /* The traditional crypt() truncates passwords to 8 chars. It is possible to circumvent the above checks by choosing an easy 8-char password and adding some random characters to it... Example: "password$%^&*123". So check it again, this time truncated to the maximum length. Idea from npasswd. --marekm */ if (getdef_bool ("MD5_CRYPT_ENAB")) { return NULL; } } else { if ( (strcmp (result, "MD5") == 0)#ifdef USE_SHA_CRYPT || (strcmp (result, "SHA256") == 0) || (strcmp (result, "SHA512") == 0)#endif ) { return NULL; } } maxlen = (size_t) getdef_num ("PASS_MAX_LEN", 8); if ( (oldlen <= maxlen) && (newlen <= maxlen)) { return NULL; } new1 = xstrdup (new); old1 = xstrdup (old); if (newlen > maxlen) { new1[maxlen] = '\0'; } if (oldlen > maxlen) { old1[maxlen] = '\0'; } msg = password_check (old1, new1, pwdp); memzero (new1, newlen); memzero (old1, oldlen); free (new1); free (old1); return msg;}
最后修正的配置文件
etc/login.defs
必须有的2项配置
PASS_ALWAYS_WARN yes
OBSCURE_CHECKS_ENAB yes 如果没有这2项,不继续向后检查口令是否符合策略要求了.完整配置文件
## Please note that the parameters in this configuration file control the# behavior of the tools from the shadow-utils component. None of these# tools uses the PAM mechanism, and the utilities that use PAM (such as the# passwd command) should therefore be configured elsewhere. Refer to# /etc/pam.d/system-auth for more information.## *REQUIRED*# Directory where mailboxes reside, _or_ name of file, relative to the# home directory. If you _do_ define both, MAIL_DIR takes precedence.# QMAIL_DIR is for Qmail##QMAIL_DIR MaildirMAIL_DIR /var/spool/mail#MAIL_FILE .mail# Password aging controls:## PASS_MAX_DAYS Maximum number of days a password may be used.# PASS_MIN_DAYS Minimum number of days allowed between password changes.# PASS_MIN_LEN Minimum acceptable password length.# PASS_WARN_AGE Number of days warning given before a password expires.#PASS_MAX_DAYS 99999PASS_MIN_DAYS 0PASS_MIN_LEN 5PASS_WARN_AGE 7PASS_ALWAYS_WARN yesOBSCURE_CHECKS_ENAB yes## Min/max values for automatic uid selection in useradd#UID_MIN 1000UID_MAX 60000# System accountsSYS_UID_MIN 201SYS_UID_MAX 999## Min/max values for automatic gid selection in groupadd#GID_MIN 1000GID_MAX 60000# System accountsSYS_GID_MIN 201SYS_GID_MAX 999## If defined, this command is run when removing a user.# It should remove any at/cron/print jobs etc. owned by# the user to be removed (passed as the first argument).##USERDEL_CMD /usr/sbin/userdel_local## If useradd should create home directories for users by default# On RH systems, we do. This option is overridden with the -m flag on# useradd command line.#CREATE_HOME yes# The permission mask is initialized to this value. If not specified, # the permission mask will be initialized to 022.UMASK 077# This enables userdel to remove user groups if no members exist.#USERGROUPS_ENAB yes# Use SHA512 to encrypt password.ENCRYPT_METHOD MD5MD5_CRYPT_ENAB yes
/etc/pam.d/system-auth
这个配置文件可能是 /etc/pam.d/system-auth-ac 的软连接
这配置文件没动,本身就是正确的. 加了口令校验配置项.#%PAM-1.0# This file is auto-generated.# User changes will be destroyed the next time authconfig is run.auth required pam_env.soauth sufficient pam_unix.so nullok try_first_passauth requisite pam_succeed_if.so uid >= 1000 quiet_successauth required pam_deny.soaccount required pam_unix.soaccount sufficient pam_localuser.soaccount sufficient pam_succeed_if.so uid < 1000 quietaccount required pam_permit.sopassword requisite pam_cracklib.so retry=2 difok=10 minlen=6 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root#password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtokpassword required pam_deny.sosession optional pam_keyinit.so revokesession required pam_limits.so-session optional pam_systemd.sosession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uidsession required pam_unix.so
总结
开源软件是好,只要解决了编译问题,编译用-g选项不带-O2, 有个gdb, 有啥问题都可以单步明白。
转载地址:https://lostspeed.blog.csdn.net/article/details/80684579 如侵犯您的版权,请留言回复原文章的地址,我们会给您删除此文章,给您带来不便请您谅解!
发表评论
最新留言
网站不错 人气很旺了 加油
[***.192.178.218]2024年04月28日 23时39分56秒
关于作者
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!
-- 愿君每日到此一游!
推荐文章
Linux之 关于VM虚拟机网卡的设置
2019-05-01
Lnmp环境搭建之php-7.2.19安装配置
2019-05-01
《增长黑客》(肖恩·艾利斯)学习笔记——第一部分 方法
2019-05-01
《增长黑客》(肖恩·艾利斯)学习笔记——第二部分 实战
2019-05-01
冒泡排序及优化(JAVA算法)
2019-05-01
九九乘法表(Java,JavaScript)
2019-05-01
Mysql学习笔记(9):数据类型和约束
2019-05-01
Mysql学习笔记(10):事务、视图
2019-05-01
JDBC学习笔记(1):JDBC概述
2019-05-01
JAVA进阶学习笔记(8):反射
2019-05-01
JDBC学习笔记(2):获取数据库连接
2019-05-01
作用域 & 作用域链(ES6学习笔记)
2019-05-01
let & const(ES6学习笔记)
2019-05-01
解构赋值(ES6学习笔记)
2019-05-01
原始值与引用值(ES6学习笔记)
2019-05-01
python使用HTMLTestRunner查看运行函数
2019-05-01