pam_cracklib correctly reports a bad password, but the pam_unix module STILL changes the password

I am currently trying to use pam_cracklib. According to my debug.log it fails correctly, but even though it is set as a "password requisite" entry in my PAM config file, it still goes on to the next module, pam_unix, which allows the password change. Why is the password change allowed?

I am running the login driver application via sudo, which is the only way I know how to authenticate.

Here is my PAM config file (named /etc/pam.d/validate):

auth  required    pam_env.so
auth  required    pam_tally.so onerr=fail deny=3
auth  sufficient  pam_unix.so nullok try_first_pass 
auth  requisite   pam_succeed_if.so uid >= 500 quiet
auth  required    pam_deny.so

account  required    pam_unix.so
account  required    pam_tally.so
account  sufficient  pam_succeed_if.so uid < 500 quiet
account  required    pam_permit.so

password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient  pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required    pam_deny.so

session  optional    pam_keyinit.so revoke
session  required    pam_limits.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required    pam_unix.so

I invalidate the user's password to force them to change it:

# chage -d 0 <user>

When I run the custom application with sudo, my /var/log/debug.log produces the following:

pam_unix(validate:account): expired password for user mike (root enforced)
pam_cracklib(validate:chauthtok): bad password: it is WAY too short
pam_unix(validate:chauthtok): password changed for mike

This is because sudo runs your command as root.

If you check man pam_cracklib, you will see the following:

enforce_for_root
       The module will return error on Failed check also if the user
       changing the password is root. This option is off by default which
       means that just the message about the Failed check is printed but
       root can change the password anyway. Note that root is not asked
       for an old password so the checks that compare the old and new
       password are not performed.

So what you need to do is change your pam_cracklib.so line to say:

password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

Looking at the pam_cracklib.so source, it does the following at line 804 (on Fedora 20, anyway):

if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))

So it checks the caller's real UID and enforces the change based on whether that real UID is 0.

So you should just need to setuid your binary and make sure root owns it; then you will be able to change the password and have cracklib's decision enforced. setuid'ing your binary only sets the effective UID to 0, not the real one.
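As an added example (not part of the question or the answer above), here is a POSIX sh function that audits a PAM config file for exactly this gap: password-stack lines loading pam_cracklib.so (or pam_pwquality.so, which takes the same option) without enforce_for_root. The two sample files are constructed from the question's password stack, before and after the fix.

```shell
#!/bin/sh
# Audit a PAM config file for password-stack lines that load pam_cracklib.so
# (or pam_pwquality.so) without enforce_for_root. Without that option a caller
# whose real UID is 0, such as the sudo-run application in the question, only
# gets the "bad password" message and the change still reaches pam_unix.
#
# Returns 0 when every such line carries the option, 1 otherwise; offending
# lines are printed to stderr.
pam_check_enforce_for_root() {
    _file="$1"
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        # Tokenise the line (type, control, module, options...) without globbing.
        set -f; set -- $_line; set +f
        [ "${1:-}" = "password" ] || continue   # skips comments, blanks, other stacks
        _mod=0; _opt=0
        for _tok in "$@"; do
            case "$_tok" in
                *pam_cracklib.so|*pam_pwquality.so) _mod=1 ;;
                enforce_for_root)                   _opt=1 ;;
            esac
        done
        if [ "$_mod" = 1 ] && [ "$_opt" = 0 ]; then
            _bad=1
            printf 'missing enforce_for_root: %s\n' "$_line" >&2
        fi
    done < "$_file"
    return "$_bad"
}

# Constructed sample input: the question's password stack before and after the fix.
TMPDIR_AUDIT=$(mktemp -d)
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT
cat > "$TMPDIR_AUDIT/validate.before" <<'EOF'
password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient  pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required    pam_deny.so
EOF
cat > "$TMPDIR_AUDIT/validate.after" <<'EOF'
password requisite   pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password sufficient  pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required    pam_deny.so
EOF

pam_check_enforce_for_root "$TMPDIR_AUDIT/validate.before"   # prints the offending line, returns 1
pam_check_enforce_for_root "$TMPDIR_AUDIT/validate.after"    # silent, returns 0
```

Point it at /etc/pam.d/* (or the system-auth/password-auth includes on Fedora/RHEL) to find every stack where a root-driven password change would bypass the strength check.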
