On the security of accessing the shadow password file from PHP
I wrote this function in PHP to check a user/pass against an account on a Linux server. It works fine, but I am concerned a little about security.
/* Need to add www-data to group shadow (and restart apache)
   $ sudo adduser www-data shadow
   $ sudo /etc/init.d/apache2 restart
   Needs whois to be installed to run mkpasswd
   $ sudo apt-get install whois
   Assumes that sha-512 is used in shadow file
*/
function authenticate($user, $pass){
    // run shell command to output shadow file, and extract line for $user
    // then split the shadow line by $ or : to get component parts
    // store in $shad as array
    $shad = preg_split("/[$:]/", `cat /etc/shadow | grep "^$user\:"`);
    // use mkpasswd command to generate shadow line passing $pass and $shad[3] (salt)
    // split the result into component parts and store in array $mkps
    $mkps = preg_split("/[$:]/", trim(`mkpasswd -m sha-512 $pass $shad[3]`));
    // compare the shadow file hashed password with generated hashed password and return
    return ($shad[4] == $mkps[3]);
}

// usage...
if(authenticate('myUsername','myPassword')){
    // logged in
} else {
    // not valid user
}
Does adding www-data to the group shadow have a great security risk on a dedicated server on an internal network? (I realise that on a shared hosting server it could allow an opportunity for hackers to use salt values to crack other users' passwords.)
Are there any other security concerns with the method I am using?
Any suggestions to make it more reliable?
Comments (1)
I'm not deeply familiar with how the shadow group works but giving PHP access to it sounds really dangerous - one PHP script with a broken include call could get an attacker the contents of /etc/shadow. While that's not tantamount to gaining root access, having the encrypted passwords in the open is still nasty, of course.

If there is no native Unix/Linux command that can authenticate a user that you could run selectively, I think your idea sounds much, much better, as it doesn't necessitate opening access to any higher-level resources. You may just have to set up some kind of rate limiting so an attacker can't disable local user accounts by doing thousands of failed login attempts on them.
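For reference, a reworked version of the poster's function as an added example (not code from the original question or the comment above). It still needs www-data in the shadow group, which is the risk the comment raises, but it drops the shell commands entirely, so neither $user nor $pass is ever interpolated into a command line, and it compares with PHP's own crypt() and hash_equals() instead of mkpasswd. Because crypt() reads the algorithm from the stored hash, it also handles $5$ and $1$ entries rather than only SHA-512; the function name and the $shadowFile parameter are illustrative assumptions.

```php
<?php
// Added example, not from the original thread. Same idea as the poster's
// function, but with no shell: the shadow line is read with PHP file
// functions and the candidate password is hashed with crypt(), which
// understands the $6$ (SHA-512), $5$ (SHA-256) and $1$ (MD5) shadow formats.
function authenticate(string $user, string $pass, string $shadowFile = '/etc/shadow'): bool
{
    // Accept only plain account names; anything else is rejected before any lookup
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $user)) {
        return false;
    }

    $lines = @file($shadowFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false; // shadow file unreadable: fail closed
    }

    foreach ($lines as $line) {
        $fields = explode(':', $line);
        if ($fields[0] !== $user) {
            continue;
        }
        $stored = $fields[1] ?? '';

        // Locked ("!"), disabled ("*") or empty password fields never authenticate
        if ($stored === '' || $stored[0] === '!' || $stored[0] === '*') {
            return false;
        }
        // Only hash formats crypt() is known to support; anything else fails closed
        if (!preg_match('/^\$(1|5|6)\$/', $stored)) {
            return false;
        }

        // crypt() takes the algorithm and salt from $stored, so its output is
        // directly comparable; hash_equals() gives a constant-time comparison
        $computed = crypt($pass, $stored);
        return hash_equals($stored, $computed);
    }

    return false; // no such user
}

// usage...
if (authenticate('myUsername', 'myPassword')) {
    // logged in
} else {
    // not valid user
}
```

Distributions that default to yescrypt ($y$) entries will fail closed here, since PHP's crypt() does not support that format; rate limiting, as the comment suggests, still has to be added around the call.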