I am developing an embedded Linux distribution.
I am trying to enforce a password policy through the pam_cracklib.so module.
I modified the /etc/pam.d/common-password file, which now looks like this:
password required pam_cracklib.so minlen=10
password [success=1 default=ignore] pam_unix.so obscure sha512 use_authtok
password requisite pam_deny.so
password required pam_permit.so
So I am trying to enforce the policy "the password must contain at least 10 characters", but despite that, entering "a" as the password is reported as a bad password yet is not rejected:
passwd
New password: #inserted a
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password: #inserted a
passwd: password updated successfully #It should refuse such a weak password
Any tips?
EDIT 1: Following @berndbausch's suggestion, after adding the options debug syslog to pam_cracklib.so, the delta (including only the part after the password change) is:
May 3 13:00:01 namc8569-xe1 audit[3084]: AVC avc: denied { read write } for pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May 3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=11 success=yes exit=0 a0=1011fae0 a1=1011fb18 a2=1011fd18 a3=ff8368c items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May 3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May 3 13:00:01 namc8569-xe1 audit[3084]: AVC avc: denied { write } for pid=3084 comm="passwd" name="dev-log" dev="tmpfs" ino=1169 scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
May 3 13:00:01 namc8569-xe1 audit[3084]: AVC avc: denied { sendto } for pid=3084 comm="passwd" path="/run/systemd/journal/dev-log" scontext=root:sysadm_r:passwd_t:s0 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=1
May 3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=102 success=yes exit=0 a0=3 a1=bff25db4 a2=6e a3=60 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May 3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May 3 13:00:01 namc8569-xe1 audit[3084]: AVC avc: denied { ioctl } for pid=3084 comm="passwd" path="/dev/pts/0" dev="devpts" ino=3 scontext=root:sysadm_r:passwd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file permissive=1
May 3 13:00:01 namc8569-xe1 audit[3084]: SYSCALL arch=14 syscall=54 success=yes exit=0 a0=0 a1=402c7413 a2=bff25828 a3=1001d090 items=0 ppid=3080 pid=3084 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="passwd" exe="/usr/bin/passwd.shadow" subj=root:sysadm_r:passwd_t:s0 key=(null)
May 3 13:00:01 namc8569-xe1 audit: PROCTITLE proctitle="passwd"
May 3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start timed out.
May 3 13:00:05 namc8569-xe1 systemd[1]: Timed out waiting for device dev-ttyEHV0.device.
May 3 13:00:05 namc8569-xe1 systemd[1]: Dependency failed for Serial Getty on ttyEHV0.
May 3 13:00:05 namc8569-xe1 systemd[1]: [email protected]: Job [email protected]/start failed with result 'dependency'.
May 3 13:00:05 namc8569-xe1 systemd[1]: dev-ttyEHV0.device: Job dev-ttyEHV0.device/start failed with result 'timeout'.
May 3 13:00:05 namc8569-xe1 systemd[1]: Reached target Login Prompts.
May 3 13:00:05 namc8569-xe1 systemd[1]: Reached target Multi-User System.
May 3 13:00:05 namc8569-xe1 systemd[1]: Starting Update UTMP about System Runlevel Changes...
May 3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May 3 13:00:05 namc8569-xe1 audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='Unknown class service exe="/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
May 3 13:00:05 namc8569-xe1 audit[3090]: SYSTEM_RUNLEVEL pid=3090 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='old-level=N new-level=3 comm="systemd-update-utmp" exe="/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
May 3 13:00:05 namc8569-xe1 systemd[1]: Started Update UTMP about System Runlevel Changes.
May 3 13:00:05 namc8569-xe1 systemd[1]: Startup finished in 1.703s (kernel) + 1min 31.908s (userspace) = 1min 33.612s.
May 3 13:00:05 namc8569-xe1 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
May 3 13:00:05 namc8569-xe1 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Answer 1
root (or any user with uid 0) can normally change their password to whatever they want (see below).
Try testing with a normal (non-uid-0) user.
@LL3 added this important information: "Note that this is in fact still a policy issue, since pam_cracklib itself does not return 'failure' if the account is root. See the enforce_for_root option of pam_cracklib."
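As an added example (not code from the question or the answer above), here is a small Python checker that parses a PAM password stack laid out like the /etc/pam.d/common-password file in the question and flags the exact gap the answer describes: a pam_cracklib.so (or pam_pwquality.so) line without enforce_for_root, which only warns when uid 0 changes a password instead of failing the stack. Both configurations embedded in it are constructed for the example: the first is the stack from the question, the second is the same stack with enforce_for_root added. The function names and the STRENGTH_MODULES set are this example's own choices, not part of Linux-PAM.

```python
"""Audit a PAM password stack for the root-bypass described in the answer.

pam_cracklib(8) and pam_pwquality(8) both document that their checks are
only advisory for uid 0 unless the enforce_for_root option is given.
"""
import re

# Modules whose strength checks are skipped for root without enforce_for_root.
STRENGTH_MODULES = {"pam_cracklib.so", "pam_pwquality.so"}

# Constructed input: the stack from the question (root is not enforced).
WEAK_CONFIG = """\
password required pam_cracklib.so minlen=10
password [success=1 default=ignore] pam_unix.so obscure sha512 use_authtok
password requisite pam_deny.so
password required pam_permit.so
"""

# Constructed input: the same stack with enforce_for_root added.
FIXED_CONFIG = """\
password required pam_cracklib.so minlen=10 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure sha512 use_authtok
password requisite pam_deny.so
password required pam_permit.so
"""

# type, control (a bare word or a bracketed [key=value ...] block), module, options
_LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam_lines(text):
    """Return (type, control, module, [options]) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        # A leading '-' on the type means "silently ignore if the module is missing".
        entries.append((ptype.lstrip("-"), control, module, rest.split()))
    return entries


def root_bypass_findings(text):
    """Return human-readable findings for the password stack; [] means root is enforced."""
    findings = []
    strength_lines = 0
    for ptype, control, module, opts in parse_pam_lines(text):
        if ptype != "password" or module not in STRENGTH_MODULES:
            continue
        strength_lines += 1
        if "enforce_for_root" not in opts:
            findings.append(
                f"{module} ({' '.join(opts) or 'no options'}) lacks enforce_for_root: "
                "uid 0 only gets a BAD PASSWORD warning, the change still succeeds"
            )
        if control == "optional":
            findings.append(f"{module} is 'optional': its failure never fails the stack")
    if strength_lines == 0:
        findings.append("no pam_cracklib.so/pam_pwquality.so line in the password stack")
    return findings


if __name__ == "__main__":
    for name, cfg in (("question's stack", WEAK_CONFIG), ("with enforce_for_root", FIXED_CONFIG)):
        found = root_bypass_findings(cfg)
        print(f"{name}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```

Running it against a real file is a matter of `root_bypass_findings(open("/etc/pam.d/common-password").read())`; on a distribution that includes other files from common-password, run it on the included file too, since the strength module usually lives there. The check is deliberately narrow: it does not prove the policy is strong, only that the one known exemption for uid 0 is closed.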