Bad password accepted despite password policy


I am developing an embedded Linux distribution.

I am trying to enforce a password policy through the pam_cracklib.so module.

I modified the /etc/pam.d/common-password file, which now looks like this:

password        required                        pam_cracklib.so minlen=10
password        [success=1 default=ignore]      pam_unix.so obscure  sha512 use_authtok
password        requisite                       pam_deny.so
password        required                        pam_permit.so

So I am trying to enforce a "passwords must be at least 10 characters long" policy, but despite that, entering "a" as the password is reported as a bad password yet is not rejected:

passwd
New password:   #inserted a
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password: #inserted a
passwd: password updated successfully #It should refuse such a weak password

Any tips?

Edit 1: Following @berndbausch's suggestion, after adding the debug option to pam_cracklib.so, the delta in the syslog (including only the part after the password change) is:

May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { read write } for  pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=11 success=yes exit=0 a0=1011fae0 a1=1011fb18 a2=1011fd18 a3=ff8368c items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { write } for  pid=3084 comm="passwd" name="dev-log" dev="tmpfs" ino=1169 scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { sendto } for  pid=3084 comm="passwd" path="/run/systemd/journal/dev-log" scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=102 success=yes exit=0 a0=3 a1=bff25db4 a2=6e a3=60 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:01 namc8569-xe1 audit[3084]: AVC avc:  denied  { ioctl } for  pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May  3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=54 success=yes exit=0 a0=0 a1=402c7413 a2=bff25828 a3=1001d090 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May  3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May  3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start timed out.
May  3 13:00:05 namc8569-xe1 systemd[1]: Timed out waiting for device dev-ttyEHV0.device.
May  3 13:00:05 namc8569-xe1 systemd[1]: Dependency failed for Serial Getty on ttyEHV0.
May  3 13:00:05 namc8569-xe1 systemd[1]: serial-getty@ttyEHV0.service: Job serial-getty@ttyEHV0.service/start failed with result 'dependency'.
May  3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start failed with result 'timeout'.
May  3 13:00:05 namc8569-xe1 systemd[1]: Reached target Login Prompts.
May  3 13:00:05 namc8569-xe1 systemd[1]: Reached target Multi-User System.
May  3 13:00:05 namc8569-xe1 systemd[1]: Starting Update UTMP about System Runlevel Changes...
May  3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May  3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May  3 13:00:05 namc8569-xe1 audit[3090]: SYSTEM_RUNLEVEL pid=3090 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
May  3 13:00:05 namc8569-xe1 systemd[1]: Started Update UTMP about System Runlevel Changes.
May  3 13:00:05 namc8569-xe1 systemd[1]: Startup finished in 1.703s (kernel) + 1min 31.908s (userspace) = 1min 33.612s.
May  3 13:00:05 namc8569-xe1 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May  3 13:00:05 namc8569-xe1 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Answer 1

root (or any user with uid 0) can normally change their password to whatever they want (see below).

Try testing with a regular user (not uid 0).

@LL3 added this important piece of information: "Note that this is really still a policy issue, since pam_cracklib itself does not return 'failure' if the account is root. See the enforce_for_root option of pam_cracklib."
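An added audit helper illustrating the answer's point (this is example code, not from the question, the answer, or the Linux-PAM project): it reads a PAM "password" stack on stdin and reports every pam_cracklib.so or pam_pwquality.so line that lacks the enforce_for_root option, since without it the strength check only warns uid 0 and returns success, which is exactly the behaviour in the question. The two sample stacks are constructed here; the first mirrors the question's file and the second adds the option the answer recommends.

```shell
#!/bin/sh
# Exit status 0 = every strength-checking module line carries enforce_for_root,
# 1 = at least one line is missing it (each offending line is printed).
pam_root_enforcement_check() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Take the first column (the management group) without globbing the
        # rest of the line; "[success=1 default=ignore]" must stay literal.
        set -f
        set -- $line
        set +f
        case "${1:-}" in
            password|-password) ;;        # only the password stack matters for passwd(1)
            *) continue ;;
        esac
        case "$line" in
            *pam_cracklib.so*|*pam_pwquality.so*)
                case "$line" in
                    *enforce_for_root*) ;;
                    *) printf 'missing enforce_for_root: %s\n' "$line"; status=1 ;;
                esac ;;
        esac
    done
    return "$status"
}

# Constructed sample stacks (not taken from a real system).
WEAK_STACK='password        required                        pam_cracklib.so minlen=10
password        [success=1 default=ignore]      pam_unix.so obscure sha512 use_authtok
password        requisite                       pam_deny.so
password        required                        pam_permit.so'

FIXED_STACK='password        required                        pam_cracklib.so minlen=10 enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure sha512 use_authtok
password        requisite                       pam_deny.so
password        required                        pam_permit.so'

if printf '%s\n' "$WEAK_STACK" | pam_root_enforcement_check; then
    echo "weak stack: root is covered"
else
    echo "weak stack: root can set a password that fails the policy"
fi
if printf '%s\n' "$FIXED_STACK" | pam_root_enforcement_check; then
    echo "fixed stack: root is covered"
fi
# To audit a live system instead of the samples:
#   pam_root_enforcement_check < /etc/pam.d/common-password
```

The check is deliberately narrow: it only looks at the option that decides whether uid 0 is bound by the rule, and it does not try to evaluate the rest of the stack's control flags. On this particular stack that is enough, because pam_cracklib.so is marked required, so once the module returns a failure for root the whole password change fails as the question expects.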
