How do I display a user's password policy information (Ubuntu)?

Ubuntu Documentation > Ubuntu 9.04 > Ubuntu Server Guide > Security > User Management states Ubuntu's default minimum password length:

By default, Ubuntu requires a minimum password length of 4 characters

Suppose a user is going to change their password with passwd. Is there a command that displays the user's current password policy (in the way that, for example, the chage command displays the password expiry information for a particular user)?

> sudo chage -l SomeUserName
Last password change                                : May 13, 2010
Password expires                                    : never
Password inactive                                   : never
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 99999
Number of days of warning before password expires   : 7

This is not about checking each of the places that control the policy and interpreting them myself, since that process can contain mistakes. A command that reports the combined policy could be used to check the steps that set the policy.

Answer 1

The OP is mixing up two different issues: policy and password length.

As @BillThor said, password length is handled by the PAM module, under the rather ominously named keyword obscure in the file /etc/pam.d/common-password, which contains the following line:

 password        [success=1 default=ignore]      pam_unix.so obscure sha512

The obscure keyword stands for (according to the pam_unix man page):

 obscure
       Enable some extra checks on password strength. These checks are based on the "obscure" checks in the
       original shadow package. The behavior is similar to the pam_cracklib module, but for
       non-dictionary-based checks. The following checks are implemented:

       Palindrome
           Verifies that the new password is not a palindrome of (i.e., the reverse of) the previous one.

       Case Change Only
           Verifies that the new password isn't the same as the old one with a change of case.

       Similar
           Verifies that the new password isn't too much like the previous one.

       Simple
           Is the new password too simple? This is based on the length of the password and the number of
           different types of characters (alpha, numeric, etc.) used.

       Rotated
           Is the new password a rotated version of the old password? (E.g., "billy" and "illyb")

The obscure setting can be overridden as follows: in /etc/pam.d/common-password, rewrite the line above as

 password        [success=1 default=ignore]      pam_unix.so obscure sha512 minlen=20

or whatever you prefer.

To find the exact place where the minimum password length is defined, one has to dig into pam:

  # apt-cache search pam_unix.so
    libpam-modules - Pluggable Authentication Modules for PAM
  # apt-get source libpam-modules

...and then find where the minimum password length is defined:

  # grep -rl UNIX_MIN_PASS_LEN
    modules/pam_unix/support.h
    modules/pam_unix/support.c
    debian/patches-applied/007_modules_pam_unix
    debian/patches-applied/055_pam_unix_nullok_secure

Reading the Debian patches carefully, you will find that the parameter UNIX_MIN_PASS_LEN (the 27th possible parameter) corresponds to a variable named minlen, set in modules/pam_unix/support.c. However, one of the Debian patches fixes pass_min_len: the file debian/patches-applied/007_modules_pam_unix contains the lines:

 -       int pass_min_len = 0;
 +       int pass_min_len = 6;
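Review bot: hard-coding the new default into the initialiser of pass_min_len (0 to 6) bakes the policy into the module source rather than taking it from the minlen= option on the pam_unix line in /etc/pam.d/common-password, and the Changelog entry quoted next records that this variable was later reworked (no global for pass_min_len). When a built-in default is needed, parse minlen= from the module arguments and fall back to the constant only when the option is absent.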

The file debian/Changelog specifies:

  • Further cleanup of 007_modules_pam_unix: don't use a global variable for pass_min_len, don't arbitrarily move the length check into the "obscure" checks, and internationalize the error string.

I have never liked PAM, for this reason: to find a parameter as simple as the minimum password length, it forces you to read the source code.

The information displayed by chage -l username is contained entirely in the /etc/shadow file; the man page states:

shadow is a file which contains the password information for the system's accounts and optional aging information.

The fields of each entry are:

login name, encrypted password, date of last password change, minimum password age, maximum password age, password warning period, password inactivity period, account expiration date, and a reserved field.

Just to double-check, an strace of the chage command shows which files it opens:

 # strace -e trace=open -f chage -l myusername
   open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
   open("/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
   open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
   open("/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
   open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
   open("/proc/filesystems", O_RDONLY)     = 3
   open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
   open("/etc/passwd", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW) = 3
   open("/etc/shadow", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW) = 4
   open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
   open("/usr/share/locale/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/usr/share/locale/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/usr/share/locale-langpack/en_US/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/usr/share/locale-langpack/en/LC_MESSAGES/shadow.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
   open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 5
   Last password change                                    : mag 05, 2014
   Password expires                                        : never
   Password inactive                                       : never
   Account expires                                         : never
   Minimum number of days between password change          : 0
   Maximum number of days between password change          : 99999
   Number of days of warning before password expires       : 7
   +++ exited with 0 +++
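The "obscure" checks quoted from the pam_unix man page in the answer above can be reproduced in a few lines of shell, which makes it easy to see what passwd would reject before a user tries. This is an added example for this page, not pam_unix's own code: the palindrome, case-change-only and rotated checks follow the man page text literally; the "simple" check uses an approximation of pam_unix's credit scheme (each character class that appears more than once lowers the required length by one), which is an assumption, and the "similar" check is omitted. The default minimum of 6 is the value the Debian patch quoted above sets.

```shell
#!/bin/sh
# Added example: shell re-implementation of the checks documented for pam_unix's
# "obscure" option. Not pam_unix's own code; "similar" is omitted and the
# "simple" scoring is an approximation (see comment on is_simple).

# Reverse a string with awk, so there is no dependency on rev(1).
reverse_str() {
  printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

lower_str() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Number of characters of $1 that fall in character class $2, e.g. '[:digit:]'.
count_class() {
  n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
  echo $((n + 0))            # arithmetic strips the padding some wc(1) builds print
}

# Palindrome: NEW is OLD reversed.
is_palindrome() { [ "$2" = "$(reverse_str "$1")" ]; }

# Case change only: OLD and NEW differ, but are equal once lower-cased.
case_change_only() { [ "$1" != "$2" ] && [ "$(lower_str "$1")" = "$(lower_str "$2")" ]; }

# Rotated: same length and NEW occurs inside OLD concatenated with itself
# ("billy" -> "illyb", the man page's example).
is_rotated() {
  [ "$1" != "$2" ] || return 1
  [ "${#1}" -eq "${#2}" ] || return 1
  case "$1$1" in *"$2"*) return 0 ;; esac
  return 1
}

# Simple: too short for the number of character classes used. Approximation
# (assumption) of pam_unix's credit scheme: each class that appears more than
# once lowers the required length by one, starting from MINLEN.
is_simple() {
  p=$1; size=$2
  [ "$(count_class "$p" '[:digit:]')" -gt 1 ] && size=$((size - 1))
  [ "$(count_class "$p" '[:upper:]')" -gt 1 ] && size=$((size - 1))
  [ "$(count_class "$p" '[:lower:]')" -gt 1 ] && size=$((size - 1))
  others=$(( ${#p} - $(count_class "$p" '[:alnum:]') ))
  [ "$others" -gt 1 ] && size=$((size - 1))
  [ "${#p}" -lt "$size" ]
}

# obscure_check OLD NEW [MINLEN]: print the first failing check, or "ok".
# MINLEN defaults to 6, the value the Debian patch quoted above introduced.
obscure_check() {
  old=$1; new=$2; minlen=${3:-6}
  if   [ "$new" = "$old" ];                 then echo "unchanged"
  elif is_palindrome "$old" "$new";         then echo "palindrome"
  elif case_change_only "$old" "$new";      then echo "case changes only"
  elif is_rotated "$old" "$new";            then echo "rotated"
  elif is_simple "$new" "$minlen";          then echo "too simple"
  else echo "ok"
  fi
}

# Demo on constructed passwords (not real credentials).
for pair in 'billy yllib' 'billy illyb' 'billy BiLLy' 'billy abc' 'billy Tr0ub4dor&3'; do
  set -- $pair
  printf '%-8s -> %-12s : %s\n' "$1" "$2" "$(obscure_check "$1" "$2")"
done
```

Run it as `sh obscure.sh`, or source it and call `obscure_check OLD NEW [MINLEN]` directly; raising MINLEN mirrors the effect of adding `minlen=` to the pam_unix line.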

Answer 2

The policy is in /etc/pam.d/common-password. The default policy is obscure, which is documented in the pam_unix man page. You may want to install pam_cracklib and add some additional policy. Password changes by root usually bypass these policies.

If you don't use pam to validate new passwords, the policy belongs to the tool used to change the password. This can happen if you use LDAP or another external password database and change the password directly in the database.
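Putting the two answers together: the aging half of the policy is the set of /etc/shadow fields that chage -l prints, and the strength half is whatever is stacked on the password lines of /etc/pam.d/common-password. The script below is an added example (not code from either answer) that reports both. It takes the file paths as arguments so it can run against the constructed sample files it creates, or, as root, against the real /etc/shadow and /etc/pam.d/common-password. The fallback of 6 when no minlen= is present is the pam_unix default assumed from the Debian patch quoted in Answer 1; when pam_cracklib or pam_pwquality is stacked, their own minlen=/difok= arguments also apply and are only reported as present here.

```shell
#!/bin/sh
# Added example: report the two halves of a user's password policy, aging from
# a shadow(5) file and strength settings from a pam.d common-password file.
# Not code from either answer; paths are arguments so it runs on the constructed
# sample files below or, as root, on /etc/shadow and /etc/pam.d/common-password.

# shadow_aging USER SHADOWFILE: the aging fields that chage -l reports, in
# shadow(5) order (name:hash:lastchange:min:max:warn:inactive:expire:reserved).
# Days are counted since 1970-01-01 as stored; chage -l converts them to dates.
shadow_aging() {
  awk -F: -v u="$1" '
    $1 == u {
      printf "last_change_day=%s min_days=%s max_days=%s warn_days=%s inactive_days=%s expire_day=%s\n",
             $3, $4, $5, $6, $7, $8
      found = 1
    }
    END { exit !found }' "$2"
}

# pam_pw_minlen PAMFILE: minlen= from the pam_unix line of the password stack.
# Falls back to 6 when absent (pam_unix default per the Debian patch; assumption).
pam_pw_minlen() {
  awk '
    $1 == "password" && /pam_unix\.so/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^minlen=/) { split($i, kv, "="); print kv[2]; found = 1; exit }
    }
    END { if (!found) print 6 }' "$1"
}

# pam_pw_has PAMFILE WORD: true if WORD (a module or option) appears as a whole
# token on an uncommented password line.
pam_pw_has() {
  grep -Eq "^[[:space:]]*password[[:space:]].*[[:space:]]$2([[:space:]]|$)" "$1"
}

# policy_report USER SHADOWFILE PAMFILE: the combined view the question asks for.
policy_report() {
  echo "== aging for $1 (from $2) =="
  shadow_aging "$1" "$2" || echo "no shadow entry for $1"
  echo "== strength (from $3) =="
  echo "pam_unix minlen: $(pam_pw_minlen "$3")"
  pam_pw_has "$3" obscure          && echo "pam_unix obscure checks: on"
  pam_pw_has "$3" pam_cracklib.so  && echo "pam_cracklib stacked (its own minlen=/difok= also apply)"
  pam_pw_has "$3" pam_pwquality.so && echo "pam_pwquality stacked (its own minlen=/difok= also apply)"
  return 0
}

# Constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_SHADOW=$SAMPLE_DIR/shadow
SAMPLE_PAM=$SAMPLE_DIR/common-password
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:16195:0:99999:7:::
alice:$6$saltsalt$notarealhash:16195:1:90:14:30::
EOF
cat > "$SAMPLE_PAM" <<'EOF'
# constructed Debian/Ubuntu-style common-password with minlen raised and pam_cracklib stacked
password        requisite                       pam_cracklib.so retry=3 difok=3
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok sha512 minlen=12
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

policy_report alice "$SAMPLE_SHADOW" "$SAMPLE_PAM"
# On a real system (root is needed to read /etc/shadow):
#   policy_report "$USER" /etc/shadow /etc/pam.d/common-password
```

The aging report is byte-for-byte what chage -l derives from, so any difference between the two points at a parsing mistake rather than at the system; the strength half only reads the pam_unix line, so a minlen= on a stacked pam_cracklib or pam_pwquality line is reported as "stacked" and must be read from that line.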
