Preface
I made some improvements to passwd and handed it to a colleague to test; he said it didn't work. The reason was that the policy entries configured in /etc/pam.d/system-auth had no effect.
Isn't that just mocking the GNU gurus :)
I went to look at how passwd checks password strength, and sure enough it does not read /etc/pam.d/system-auth at all... it only reads /etc/login.defs.
The actual check lives in obscure.c::simple(); as the name suggests, obscure.c is where a password is checked for being "obscure" enough.
The rule in simple() is hard-coded, and the authors even left a comment explaining it: a password made of a single character class (digits, uppercase, lowercase, special characters) must be at least 8 characters long, one with two classes at least 7, and so on.
/*
* The scam is this - a password of only one character type
* must be 8 letters long. Two types, 7, and so on.
*/
But the minimum password length is already limited by PASS_MIN_LEN in /etc/login.defs, and obscure.c checks that before it ever calls simple(), so the length trade-off in simple() is redundant. (Note that these obscure.c checks are only compiled into passwd when shadow is built without PAM; a PAM-enabled passwd hands the change to pam_chauthtok, and then the modules listed in /etc/pam.d/system-auth are what enforce password quality.)
So I changed the rule: a password is compliant only when it contains at least 3 of the 4 character classes (digits, uppercase, lowercase, special characters).
The corrected code
/* obscure.c already pulls these in; listed so the fragment compiles on its
 * own. 'unused' is shadow's own attribute macro for unused parameters. */
#include <ctype.h>
#include <stdbool.h>

/*
 * a nice mix of characters.
 */
static bool simple (unused const char *old, const char *new)
{
    bool digits = false;
    bool uppers = false;
    bool lowers = false;
    bool others = false;
    int size;
    int i;

    /* Record which character classes appear in the new password. */
    for (i = 0; '\0' != new[i]; i++) {
        if (isdigit (new[i])) {
            digits = true;
        } else if (isupper (new[i])) {
            uppers = true;
        } else if (islower (new[i])) {
            lowers = true;
        } else {
            others = true;
        }
    }

    /* Count the classes present; at least 3 of the 4 are required. */
    size = 0;
    if (digits) {
        size++;
    }
    if (uppers) {
        size++;
    }
    if (lowers) {
        size++;
    }
    if (others) {
        size++;
    }
    return (size < 3); /* true means the password is too simple */

    /*
     * Original rule, now disabled. Length is handled by PASS_MIN_LEN:
     * The scam is this - a password of only one character type
     * must be 8 letters long. Two types, 7, and so on.
     */
    /*
    size = 9;
    if (digits) {
        size--;
    }
    if (uppers) {
        size--;
    }
    if (lowers) {
        size--;
    }
    if (others) {
        size--;
    }
    if (size <= i) {
        return false;
    }
    return true;
    */
}
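To see where the two rules disagree, here is an added stand-alone example (not shadow-utils code) that implements the original length-versus-classes rule and the modified three-class rule side by side, plus the PASS_MIN_LEN length check the change relies on. The function names, the min_len parameter (the real obscure.c reads it with getdef_num from /etc/login.defs) and the sample passwords are all constructed for illustration.

```c
/* Added example, not shadow-utils code: original obscure.c rule vs. the
 * three-class rule, with the PASS_MIN_LEN check applied first.
 * Build: cc -std=c99 -o pwcheck pwcheck.c */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count how many of the four classes (digit, upper, lower, other) appear.
 * The cast to unsigned char keeps ctype calls defined for non-ASCII bytes. */
static int count_classes(const char *pw)
{
    bool digits = false, uppers = false, lowers = false, others = false;
    for (size_t i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isdigit(c))      digits = true;
        else if (isupper(c)) uppers = true;
        else if (islower(c)) lowers = true;
        else                 others = true;
    }
    return (int)digits + (int)uppers + (int)lowers + (int)others;
}

/* Original shadow rule: one class needs 8 characters, two need 7, three
 * need 6, four need 5. Returns true when the password is too simple. */
bool too_simple_original(const char *pw)
{
    size_t required = 9 - (size_t)count_classes(pw);
    return strlen(pw) < required;
}

/* The post's modified rule: at least three classes, length ignored. */
bool too_simple_three_classes(const char *pw)
{
    return count_classes(pw) < 3;
}

/* What obscure.c enforces overall after the change: PASS_MIN_LEN first
 * (passed in as min_len here, an assumption for this example), then the
 * class rule. Without the length check, "Ab1" would be accepted. */
bool password_too_simple(const char *pw, size_t min_len)
{
    if (strlen(pw) < min_len)
        return true;
    return too_simple_three_classes(pw);
}

int main(void)
{
    /* Constructed samples chosen to show where the rules differ. */
    const char *samples[] = { "aaaaaaaa", "Ab1", "Password1", "Pa55w0rd!", "pa55w0rd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s classes=%d original=%s three-class=%s min-len-8=%s\n",
               samples[i], count_classes(samples[i]),
               too_simple_original(samples[i]) ? "reject" : "accept",
               too_simple_three_classes(samples[i]) ? "reject" : "accept",
               password_too_simple(samples[i], 8) ? "reject" : "accept");
    }
    return 0;
}
```

Two points worth noting from the output: "aaaaaaaa" and "pa55w0rd" pass the original rule but fail the three-class rule, while "Ab1" fails the original rule but passes the three-class rule on its own. The modified simple() is therefore only a tightening if PASS_MIN_LEN is actually set to a sensible value in /etc/login.defs.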