Dictionary and password complexity bypass
October 30, 2024 · about 5 min
Password complexity checking and dictionary bypass
- The configuration file is /etc/security/pwquality.conf and can be edited with
sudo nano /etc/security/pwquality.conf. The file reads as follows:
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 4
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
# dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
# usercheck = 1
#
# Length of substrings from the username to check for in the password
# The check is enabled if the value is greater than 0 and usercheck is enabled.
# usersubstr = 0
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
# enforcing = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
#
# Prompt user at most N times before returning with error. The default is 1.
# retry = 3
#
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
# enforce_for_root
#
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
# local_users_only
Overriding the settings with system-auth
- Reliable and convenient: override the settings in /etc/pam.d/system-auth.
Running
sudo nano /etc/pam.d/system-auth shows the following settings:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Change the line
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
by appending dictpath= minclass=0 minlen=4, so that it becomes:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dictpath= minclass=0 minlen=4
Save and exit; the account can now be given a simple password.
Warnings still appear
Changing the password still prints a warning; it can simply be ignored.
[ycxom@localhost home]$ sudo passwd Homo
[sudo] ycxom 的密码:
更改用户 Homo 的密码 。
新的密码:
无效的密码: 密码未通过字典检查 - 不包括足够不同的字符
重新输入新的密码:
passwd:所有的身份验证令牌已经成功更新。
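The two places edited on this page, /etc/security/pwquality.conf and the pam_pwquality.so line in /etc/pam.d/system-auth, together decide the effective policy: arguments on the PAM line override the conf file, which is why the system-auth edit works without touching pwquality.conf. The session above also shows the warning being printed while passwd still reports success; that is the documented enforce_for_root behaviour from the conf comments, since a root-driven change is only warned about unless that option is present. As an added example that is not part of the original post, the Python audit script below parses both files, merges them the way pam_pwquality does, and reports settings that weaken the policy. The sample file contents, the BASELINE values and the FLAG wording are constructed for this example and are not taken from any real system.

```python
"""Audit pam_pwquality policy: merge pwquality.conf with the pam_pwquality.so
module arguments (module arguments win) and flag weak or overridden settings.
All inputs below are constructed samples, not real system files."""

# Constructed sample resembling the edited /etc/pam.d/system-auth shown above.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dictpath= minclass=0 minlen=4
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

# Constructed sample pwquality.conf: stock commented defaults plus two live settings.
SAMPLE_PWQUALITY_CONF = """\
# minlen = 8
# dictcheck = 1
minlen = 12
dictcheck = 1
"""

# Illustrative minimums a defender might require (assumption, not from the page).
BASELINE = {"minlen": 8, "minclass": 3, "dictcheck": 1, "enforcing": 1}


def parse_pwquality_conf(text):
    """Return {key: value} for active lines of a pwquality.conf-style file.
    Comment lines start with '#'; bare option names (enforce_for_root) map to ''."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else ""
    return settings


def parse_pam_pwquality_args(text):
    """Return the argument dict of the first 'password ... pam_pwquality.so' line
    in a PAM stack, or None if the module is not used. 'key=value' arguments map
    key -> value; bare arguments such as try_first_pass map to ''."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "password" and fields[2] == "pam_pwquality.so":
            args = {}
            for arg in fields[3:]:
                key, sep, value = arg.partition("=")
                args[key] = value if sep else ""
            return args
    return None


def audit(conf_text, pam_text):
    """Return a list of findings describing policy weakenings."""
    conf = parse_pwquality_conf(conf_text)
    pam_args = parse_pam_pwquality_args(pam_text) or {}
    effective = {**conf, **pam_args}  # PAM line overrides the conf file
    findings = []

    # 1. Settings silently overridden on the PAM line, as in the edit on this page.
    for key, value in pam_args.items():
        if key in conf and conf[key] != value:
            findings.append(
                f"{key}: pwquality.conf sets {conf[key]!r} but the pam_pwquality "
                f"line overrides it with {value!r}"
            )

    # 2. Numeric settings below the baseline (unset keys fall back to library defaults).
    for key, minimum in BASELINE.items():
        raw = effective.get(key)
        if raw is None:
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{key}: non-numeric value {raw!r}")
            continue
        if value < minimum:
            findings.append(f"{key}={value} is below baseline {minimum}")

    # 3. Without enforce_for_root a failed check is only reported when root changes
    #    another user's password; the change still goes through.
    if "enforce_for_root" not in effective:
        findings.append(
            "enforce_for_root is not set: failed checks are only warned about "
            "when root changes a password"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PWQUALITY_CONF, SAMPLE_SYSTEM_AUTH):
        print("FINDING:", finding)
```

Running the script against the constructed samples reports the minlen override, the two below-baseline values and the missing enforce_for_root option. On a real host the same functions can be pointed at the actual files; note that the parser deliberately does not model pam_pwquality defaults for keys that are absent from both files, so "not flagged" means "not explicitly configured", not "safe".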