In-depth analysis of the application of PAM in password protection
PAM (Pluggable Authentication Modules) is an authentication framework that was originally developed by Sun. The Linux community adopted it quickly and developed more modules for it. Its goal is to provide a set of libraries that applications can use to authenticate users, so that authentication is separated from application development. Below are some simple examples of PAM in password protection.
Use pam_tally.so
pam_tally.so is a PAM module that counts a user's failed login attempts and reacts when the count exceeds a specified value. For example, after a user fails to log in three times, the account can be locked for a period of time, or locked permanently (until the user contacts the system administrator). Add the following line to /etc/pam.d/login:
account required /lib/security/pam_tally.so deny=3 no_magic_root
This line configures pam_tally.so to lock the user's account after three consecutive login failures. In this way, an attacker has only three chances to guess the password before being locked out.
pam_cracklib.so is the PAM version of the cracklib library written by Alec Muffett and is used to check password strength. It first calls the cracklib routine to test whether the password can be cracked. If the password passes this test, the module performs the following tests:
. Is the new password a palindrome?
. Is the new password a case-insensitive version of the old password?
. Are new and old passwords very similar?
. Is the password too short?
. Is the new password a rotated version of the old password?
To apply these tests to every new password, replace the original pam_unix.so line in the /etc/pam.d/passwd file with the following lines:
password required pam_cracklib.so retry=3
password required pam_unix.so use_authtok md5
In this way, users are given three opportunities to choose a sufficiently strong password. You can also enforce a minimum password length:
password required pam_cracklib.so retry=3 minlen=10
password required pam_unix.so use_authtok md5
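The tests listed above for pam_cracklib.so, sketched in Python as an added example (not code from the original article or from the module itself). The function names are hypothetical, and two simplifications are assumed: the length test is a plain character count, and "similar" means that fewer than difok characters of the new password are absent from the old one.

```python
# Added illustration of the pam_cracklib-style checks; not the module's C code.
# Assumptions: minlen is a plain length test, and "similar" means fewer than
# `difok` characters of the new password are absent from the old password.

def is_palindrome(new):
    return new == new[::-1]

def is_case_change_only(old, new):
    return old != new and old.lower() == new.lower()

def is_rotated(old, new):
    # Every rotation of `old` appears as a substring of old + old.
    return len(old) == len(new) and old != new and new in old + old

def new_char_count(old, new):
    # Characters of the new password that do not occur in the old one.
    return sum(1 for ch in new if ch not in old)

def check_new_password(old, new, minlen=10, difok=5):
    """Return the list of failed checks; an empty list means accepted."""
    failed = []
    if len(new) < minlen:
        failed.append("too short")
    if is_palindrome(new):
        failed.append("palindrome")
    if is_case_change_only(old, new):
        failed.append("case change only")
    if is_rotated(old, new):
        failed.append("rotated")
    if new_char_count(old, new) < difok:
        failed.append("too similar")
    return failed

if __name__ == "__main__":
    # Constructed sample passwords, for demonstration only.
    samples = [
        ("Summer2023!", "summer2023!"),
        ("abcdef1234", "ef1234abcd"),
        ("oldpass1", "abccba"),
        ("Winter#2021x", "qZ7!mKp9@Lfy"),
    ]
    for old, new in samples:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```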
Force MD5 hash
Some Linux distributions use DES hashes by default instead of MD5 hashes. To force all new passwords to be stored as MD5 hashes, simply add md5 to the pam_unix.so line of the /etc/pam.d/passwd file:
password required pam_unix.so use_authtok md5
The following Perl code can be used to generate a strong password:
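#!/usr/bin/perl -w
# passwd-generator.pl
use strict;

# Printable ASCII codes, skipping 92 (the backslash).
my @chars = (33 .. 91, 93 .. 126);
my $num_chars = @chars;
my $length;
# Punctuation characters; at least one must appear in the password.
my $punt = q{!"#$%&'()*+,-./:;<=>?@[\]^{|}~};

print "Enter number of characters in your passwd: ";
chomp($length = <STDIN>);
die "Length must be at least 6!\n" if $length <= 5;

# Keep generating candidates until one contains a lowercase letter,
# an uppercase letter, a digit and a punctuation character.
# Note: rand() is not a cryptographically secure generator.
while (1) {
    my $password = '';
    foreach (1 .. $length) {
        $password .= chr($chars[int(rand($num_chars))]);
    }
    # \Q...\E escapes the punctuation so it is safe inside the character class.
    if ($password =~ /[a-z]/ and $password =~ /[A-Z]/ and
        $password =~ /[0-9]/ and $password =~ /[\Q$punt\E]/) {
        print $password, "\n";
        exit;
    }
}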