passwordcheck uses the check_password_hook to check password complexity whenever a user is created or a password is changed. Besides checking the password's length, character composition and whether it contains the user name, passwordcheck can also call the third-party library pam_cracklib to reject weak passwords.
Building
CentOS 7 is used as the example.
1. Install the development packages: sudo yum install -y cracklib-devel cracklib-dicts cracklib
2. Download the word list: cracklib-words-20080507.gz
3. Generate the dictionary files:
[root@localhost cracklib-dict]# ls
cracklib-words-20080507.gz
[root@localhost cracklib-dict]# gunzip cracklib-words-20080507.gz
[root@localhost cracklib-dict]# ls
cracklib-words-20080507
[root@localhost cracklib-dict]# create-cracklib-dict -o ./cracklib-dict ./cracklib-words-20080507
1671686 1671686
[root@localhost cracklib-dict]# ls
cracklib-dict.hwm cracklib-dict.pwd cracklib-dict.pwi cracklib-words-20080507
[root@localhost cracklib-dict]#
4. Edit the Makefile:
[postgres@localhost postgresql-14.7]$ cd contrib/passwordcheck/
[postgres@localhost passwordcheck]$ vim Makefile
# contrib/passwordcheck/Makefile
MODULE_big = passwordcheck
EXTENSION = passwordcheck
OBJS = \
$(WIN32RES) \
passwordcheck.o
PGFILEDESC = "passwordcheck - strengthen user password checks"
# uncomment the following two lines to enable cracklib support
PG_CPPFLAGS = -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/opt/cracklib-words/cracklib-dict"'
SHLIB_LINK = -lcrack
DATA = passwordcheck--1.0.sql
REGRESS = passwordcheck
ifdef USE_PGXS
PG_CONFIG = pg_config
PGXS := $(shell $(PG_CONFIG) --pgxs)
include $(PGXS)
else
subdir = contrib/passwordcheck
top_builddir = ../..
include $(top_builddir)/src/Makefile.global
include $(top_srcdir)/contrib/contrib-global.mk
endif
1) Add the line EXTENSION = passwordcheck. With this line present, the build complains that passwordcheck.control cannot be found; create it by hand:
# passwordcheck extension
comment = 'passwordcheck'
default_version = '1.0'
module_pathname = '$libdir/passwordcheck'
relocatable = true
2) Add the line DATA = passwordcheck--1.0.sql. With this line present, make install complains that passwordcheck--1.0.sql is missing; create it by hand, an empty file is enough.
3) The key step is to uncomment the following two lines and set CRACKLIB_DICTPATH to the path of the dictionary generated in step 3 above. The name must be given as cracklib-dict with no suffix, because that base name refers to all three files (.hwm, .pwd and .pwi).
PG_CPPFLAGS = -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/opt/cracklib-words/cracklib-dict"'
SHLIB_LINK = -lcrack
5. make; make install
6. Confirm that passwordcheck.so links against libcrack, the library behind pam_cracklib:
[postgres@localhost passwordcheck]$ ldd ./passwordcheck.so
linux-vdso.so.1 => (0x00007fff42d9a000)
libcrack.so.2 => /lib64/libcrack.so.2 (0x00007fe76fe6f000)
libc.so.6 => /lib64/libc.so.6 (0x00007fe76faa1000)
libz.so.1 => /lib64/libz.so.1 (0x00007fe76f88b000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe77027d000)
Configuration
Edit the configuration file (vim ../data/postgresql.conf) and set:
shared_preload_libraries = 'passwordcheck'
Testing
postgres=# alter user user1 password '123';
ERROR: password is too short
postgres=# alter user user1 password '123456789';
ERROR: password must contain both letters and nonletters
postgres=# alter user user1 password 'Hello123456789';
ALTER ROLE
postgres=# alter user user1 password 'Hello123456';
ALTER ROLE
postgres=# alter user user1 password 'He123456';
ERROR: password is easily cracked
postgres=# alter user user1 password 'He123456789';
ERROR: password is easily cracked
postgres=# alter user user1 password 'He@123456789';
ERROR: password is easily cracked
postgres=# alter user user1 password 'Hello@123456';
ALTER ROLE
postgres=#
The error shown above, password is easily cracked, is the one raised when the pam_cracklib check fails:
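To make the verdicts in the psql session above reproducible outside the server, here is a stand-alone C program, added for this write-up and not the contrib module's own source, that mirrors the checks contrib/passwordcheck applies from check_password_hook: minimum length, user name containment, letters plus non-letters, and finally the dictionary check. Compiled with -DUSE_CRACKLIB (and linked with -lcrack, as the Makefile does) it calls cracklib's real FascistCheck() against the dictionary path from step 3; without that flag a small constructed word list (weak_words, an assumption of this example) stands in for the dictionary, so the stand-in accepts 'He123456', which real cracklib rejects because of its pattern rather than a literal dictionary hit.

```c
/* Added example, not contrib/passwordcheck's own source: reproduces the checks
 * that passwordcheck runs from check_password_hook so the ERROR strings from
 * the psql session can be explained outside the server.
 * Build with -DUSE_CRACKLIB -lcrack to use cracklib's real FascistCheck();
 * otherwise a small constructed word list stands in for the dictionary. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_CRACKLIB
#include <crack.h>              /* FascistCheck() from cracklib-devel */
#ifndef CRACKLIB_DICTPATH
/* same base name as in the Makefile: no .hwm/.pwd/.pwi suffix */
#define CRACKLIB_DICTPATH "/opt/cracklib-words/cracklib-dict"
#endif
#endif

#define MIN_PWD_LENGTH 8        /* passwordcheck's built-in minimum */

#ifndef USE_CRACKLIB
/* Constructed stand-in for the cracklib dictionary (sample values only).
 * Real cracklib also rejects patterns such as 'He123456' that are not
 * literal dictionary words; this stand-in only catches exact matches. */
static const char *const weak_words[] = {
    "passw0rd", "qwerty123", "postgres1", "admin123"
};

/* case-insensitive whole-string comparison */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int in_weak_list(const char *password)
{
    size_t i;
    for (i = 0; i < sizeof(weak_words) / sizeof(weak_words[0]); i++)
        if (ci_equal(password, weak_words[i]))
            return 1;
    return 0;
}
#endif

/* Returns NULL when the password would be accepted, otherwise the message
 * passwordcheck raises with ereport(ERROR), in the module's check order.
 * The real hook additionally receives the password type and skips these
 * checks for values that arrive already hashed (md5/SCRAM), because the
 * server cannot inspect those. */
const char *check_password(const char *username, const char *password)
{
    size_t pwdlen = strlen(password);
    int letter_pwd = 0, nonletter_pwd = 0;
    size_t i;

    if (pwdlen < MIN_PWD_LENGTH)
        return "password is too short";

    if (strstr(password, username) != NULL)
        return "password must not contain user name";

    for (i = 0; i < pwdlen; i++) {
        if (isalpha((unsigned char) password[i]))
            letter_pwd = 1;
        else
            nonletter_pwd = 1;
    }
    if (!letter_pwd || !nonletter_pwd)
        return "password must contain both letters and nonletters";

#ifdef USE_CRACKLIB
    /* cracklib returns a reason string on failure, NULL when the password is fine */
    if (FascistCheck(password, CRACKLIB_DICTPATH) != NULL)
        return "password is easily cracked";
#else
    if (in_weak_list(password))
        return "password is easily cracked";
#endif

    return NULL;
}

int main(void)
{
    /* candidates from the psql session plus two constructed ones */
    static const char *const samples[] = {
        "123", "123456789", "Hello123456789", "He123456", "user1abc", "passw0rd"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *verdict = check_password("user1", samples[i]);
        printf("%-16s -> %s\n", samples[i], verdict ? verdict : "ALTER ROLE");
    }
    return 0;
}
```

The order of the checks matters when reading the server's messages: a short password is reported as too short even if it also contains the user name, and the dictionary check only runs once the cheaper built-in checks pass, which is why 'He123456' gets as far as pam_cracklib at all. One caveat for anyone relying on this module as a control: the hook only sees plaintext passwords. A password supplied already hashed (for example through psql's \password, which sends an md5 or SCRAM verifier) cannot be analysed, and passwordcheck then only verifies that it is not identical to the user name.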