pam_cracklib正确报告错误密码,但pam_unix模块STILL更改密码

前端之家收集整理的这篇文章主要介绍了pam_cracklib正确报告错误密码,但pam_unix模块STILL更改密码前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我目前正在尝试使用pam_cracklib根据我的debug.log正确失败但是即使它在我的PAM配置文件中设置为密码必需条目,它仍然会进入下一个允许更改密码的pam_unix模块.为什么允许更改密码?

我正在通过sudo执行登录驱动程序应用程序,这是我知道如何进行身份验证的唯一方法.

这是我的PAM配置文件(名为/etc/pam.d/validate):

auth  required    pam_env.so
auth  required    pam_tally.so onerr=fail deny=3
auth  sufficient  pam_unix.so nullok try_first_pass 
auth  requisite   pam_succeed_if.so uid >= 500 quiet
auth  required    pam_deny.so

account  required    pam_unix.so
account  required    pam_tally.so
account  sufficient  pam_succeed_if.so uid < 500 quiet
account  required    pam_permit.so

password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient  pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required    pam_deny.so

session  optional    pam_keyinit.so revoke
session  required    pam_limits.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required    pam_unix.so

我使用户密码无效,强制他们更改密码:

#chage -d 0< user>

当我使用sudo运行自定义应用程序时,我的/var/log/debug.log会生成以下内容.

pam_unix(validate:account): expired password for user mike (root enforced)
pam_cracklib(validate:chauthtok): bad password: it is WAY too short
pam_unix(validate:chauthtok): password changed for mike
这是因为sudo以root身份运行您的命令.

如果你检查man pam_cracklib,你会看到以下内容

enforce_for_root
       The module will return error on Failed check also if the user
       changing the password is root. This option is off by default which
       means that just the message about the Failed check is printed but
       root can change the password anyway. Note that root is not asked
       for an old password so the checks that compare the old and new
       password are not performed.

所以,你需要做的是改变你的pam_cracklib.soline来说

password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

看了pam_cracklib.so源后,它在第804行执行了以下操作(无论如何在Fedora 20上)

if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))

因此,它会检查调用方的实际UID,并根据实际UID是否为0来强制执行更改.

因此,您应该只需设置二进制文件并确保root拥有它,然后就可以更改密码并强制执行cracklib决策. setuid’ing你的二进制文件只将有效uid设置为0,而不是真实的.

原文链接:https://www.f2er.com/bash/385526.html

猜你在找的Bash相关文章