devbox
在线问答5
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

PostgreSQL password security

作者:在线问答5 | 2024-08-01 11:34:02

postgresql-password postgresql-postgres-password
数据库密码管理是数据库安全的重要环节之一.
例如简单密码策略应该包含 : 
1. 密码复杂度
2. 密码验证失败延迟
3. 密码更换周期, 以及 重复使用策略
4. 密码验证失败几次后锁定, 以及解锁时间等
5. 设置密码时防止密码被记录到数据库日志,history,~/.psql_history或审计日志中. (也可以使用pwd+user的md5值设置密码, 或者使用提示输入) , 创建用户时使用createuser命令行工具-W选项提示输入密码. 修改用户密码建议使用pg_md5工具生成密码, 在psql中使用ALTER ROLE填入md5值.
6. pg_stat_statements插件中也会记录SQL, 
  1. postgres=# \d pg_stat_statements 
  2.           View "public.pg_stat_statements"
  3.        Column        |       Type       | Modifiers 
  4. ---------------------+------------------+-----------
  5.  userid              | oid              | 
  6.  dbid                | oid              | 
  7.  queryid             | bigint           | 
  8.  query               | text             | 
  9.  calls               | bigint           | 
  10.  total_time          | double precision | 
  11.  rows                | bigint           | 
  12.  shared_blks_hit     | bigint           | 
  13.  shared_blks_read    | bigint           | 
  14.  shared_blks_dirtied | bigint           | 
  15.  shared_blks_written | bigint           | 
  16.  local_blks_hit      | bigint           | 
  17.  local_blks_read     | bigint           | 
  18.  local_blks_dirtied  | bigint           | 
  19.  local_blks_written  | bigint           | 
  20.  temp_blks_read      | bigint           | 
  21.  temp_blks_written   | bigint           | 
  22.  blk_read_time       | double precision | 
  23.  blk_write_time      | double precision |

建议在创建用户,修改用户密码后,调用pg_stat_statements_reset()来清除这里记录的SQL。
或者配置pg_stat_statements.track_utility=off,就不会跟踪记录DDL语句了。

7. pg_stat_statements对应的文件。
 
  1. postgres@digoal-> pwd
  2. /data01/pg_root_1921/pg_stat_tmp
  3. postgres@digoal-> ll
  4. total 28K
  5. -rw------- 1 postgres postgres 2.5K Sep 24 16:00 db_0.stat
  6. -rw------- 1 postgres postgres 9.6K Sep 24 16:00 db_151898.stat
  7. -rw------- 1 postgres postgres  607 Sep 24 16:00 global.stat
  8. -rw------- 1 postgres postgres 6.4K Sep 24 14:48 pgss_query_texts.stat
  9. 停库后记录在这里
  10. postgres@digoal-> cd ../pg_stat

这个也非常不靠谱哦。也是泄露渠道之一。
建议设置参数pg_stat_statements.save=off,但是对于9.4这个版本,它依旧会写文件,只是在关闭和启动时会去清理这个文件,具体可以看代码,9.1的版本是不会写文件的。所以建议加上 pg_stat_statements.track_utility=off。

下面依次来讲解一下在PostgreSQL中如何实现简单的密码策略.
1. 密码复杂度
PostgreSQL提供了一个插件 passwordcheck可以满足简单的密码复杂度测验, 防止使用过短, 或者与包含用户名的密码.
如果需要更复杂的检查, 可以让 passwordcheck使用crack库.
安装过程 : 
安装cracklib以及字典 
# yum install -y cracklib-devel cracklib-dicts cracklib

字典如下(.pwd结尾文件) : 
 
  1. [root@db-172-16-3-221 cracklib]# rpm -ql cracklib-dicts
  2. /usr/lib64/cracklib_dict.hwm
  3. /usr/lib64/cracklib_dict.pwd
  4. /usr/lib64/cracklib_dict.pwi
  5. /usr/sbin/mkdict
  6. /usr/sbin/packer
  7. /usr/share/cracklib
  8. /usr/share/cracklib/cracklib-small.hwm
  9. /usr/share/cracklib/cracklib-small.pwd
  10. /usr/share/cracklib/cracklib-small.pwi
  11. /usr/share/cracklib/pw_dict.hwm
  12. /usr/share/cracklib/pw_dict.pwd
  13. /usr/share/cracklib/pw_dict.pwi

当然, 你也可以使用 create-cracklib-dict 通过word文件自行生成字典.
例如 : 
  1. 下载word文件
  2. http://sourceforge.net/projects/cracklib/files/cracklib-words/2008-05-07/
  3. (可以自行添加word进去)
  4. # cd /opt/soft_bak/
  5. # wget http://downloads.sourceforge.net/project/cracklib/cracklib-words/2008-05-07/cracklib-words-20080507.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fcracklib%2Ffiles%2Fcracklib-words%2F2008-05-07%2F&ts=1412826278&use_mirror=nchc
  6. # tar -zxvf cracklib-words-20080507.gz
  7. # gunzip cracklib-words-20080507.gz
  8. [root@db-172-16-3-221 soft_bak]# less cracklib-words-20080507 
  9. `
  10. `!@#$%^&*()_+
  11. ^
  12. ^%$#@!
  13. ~
  14. ~!@
  15. ~!@#
  16. ~!@#~@!#
  17. 创建字典文件
  18. [root@db-172-16-3-221 soft_bak]# create-cracklib-dict -h
  19. Usage: create-cracklib-dict [options] wordlist ...
  20.  
  21. This script takes one or more word list files as arguments
  22. and converts them into cracklib dictionaries for use
  23. by password checking programs. The results are placed in
  24. the default compiled-in dictionary location.
  25.  
  26. If you wish to store the dictionary in a different location,
  27. use the cracklib-format and cracklib-packer commands directly.
  28.  
  29. Options:
  30.   -o, --output <file>   Alternative output file for cracklib-packer
  31.   -h, --help            This help output
  32.  
  33. Example:
  34. create-cracklib-dict /usr/share/words
  35. [root@db-172-16-3-221 soft_bak]# create-cracklib-dict -o ./cracklib-dict ./cracklib-words-20080507 
  36. skipping line: 1
  37. 1669426 1669425
  38. [root@db-172-16-3-221 soft_bak]# ll cracklib-dict.*
  39. -rw-r--r-- 1 root root    1024 Oct  9 12:00 cracklib-dict.hwm
  40. -rw-r--r-- 1 root root 7472513 Oct  9 12:00 cracklib-dict.pwd
  41. -rw-r--r-- 1 root root  417372 Oct  9 12:00 cracklib-dict.pwi

使用这个密码文件

修改 passwordcheck.c以及Makefile.
 
  1. [root@db-172-16-3-221 cracklib]# cd /opt/soft_bak/postgresql-9.3.5/contrib/passwordcheck/
  2. [root@db-172-16-3-221 passwordcheck]# vi passwordcheck.c
  3. #ifdef USE_CRACKLIB
  4. #include <crack.h>
  5. //  如果是源码安装的cracklib, 可能需要修改如下, 本例不需要修改
  6. //  #include "/opt/cracklib/include/crack.h"
  7. #endif
  8. /* passwords shorter than this will be rejected, 最小密码长度最好改成20或更大 */
  9. #define MIN_PWD_LENGTH 20

修改Makefile, 把注释去掉, 并修改字典文件(不要带.pwd后缀).
 
  1. [root@db-172-16-3-221 passwordcheck]# vi Makefile
  2. # contrib/passwordcheck/Makefile
  3. # uncomment the following two lines to enable cracklib support
  4. PG_CPPFLAGS = -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/usr/share/cracklib/pw_dict"'
  5. # 修改字典文件 /usr/lib/cracklib_dict
  6. SHLIB_LINK = -lcrack


安装模块: 
  1. [root@db-172-16-3-221 passwordcheck]# make clean
  2. rm -f passwordcheck.so   libpasswordcheck.a  libpasswordcheck.pc
  3. rm -f passwordcheck.o
  4. [root@db-172-16-3-221 passwordcheck]# make
  5. gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -DUSE_CRACKLIB '-DCRACKLIB_DICTPATH="/usr/share/cracklib/pw_dict"' -I. -I. -I../../src/include -D_GNU_SOURCE -I/usr/include/libxml2   -c -o passwordcheck.o passwordcheck.c
  6. gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -shared -o passwordcheck.so passwordcheck.o -L../../src/port -L../../src/common -Wl,--as-needed -Wl,-rpath,'/opt/pgsql9.3.5/lib',--enable-new-dtags  -lcrack 
  7. [root@db-172-16-3-221 passwordcheck]# make install
  8. /bin/mkdir -p '/opt/pgsql9.3.5/lib'
  9. /usr/bin/install -c -m 755  passwordcheck.so '/opt/pgsql9.3.5/lib/passwordcheck.so'


加载模块.
 
  1. [root@db-172-16-3-221 passwordcheck]# su - postgres
  2. postgres@db-172-16-3-221-> cd $PGDATA
  3. postgres@db-172-16-3-221-> vi postgresql.conf
  4. shared_preload_libraries = 'passwordcheck'
  5. postgres@db-172-16-3-221-> pg_ctl restart -m fast


修改密码测试 : 
  1. postgres@db-172-16-3-221-> psql
  2. psql (9.3.5)
  3. Type "help" for help.
  4. 可以看到, 不符合密码强度(必须包含大小写, 非字符), 或者在密码文件中的密码都不允许使用.
  5. digoal=# alter role postgres encrypted password 'helloworld123';
  6. ERROR:  password is easily cracked
  7. digoal=# alter role postgres encrypted password 'helloworld';
  8. ERROR:  password must contain both letters and nonletters
  9. digoal=# alter role postgres encrypted password 'hello';
  10. ERROR:  password is too short
  11. digoal=# alter role postgres encrypted password 'postgres';
  12. ERROR:  password must not contain user name
  13. digoal=# alter role postgres encrypted password 'postgresql';
  14. ERROR:  password must not contain user name
  15. digoal=# alter role postgres encrypted password 'abcpostgreHAHAHA';
  16. ERROR:  password must contain both letters and nonletters
  17. digoal=# alter role postgres encrypted password 'a_b_cpostgreHAHAHA';
  18. ERROR:  password is too short
  19. digoal=# alter role postgres encrypted password 'a_b_cpostgreHAHAHAHAHAH';
  20. ALTER ROLE

使用 passwordcheck模块后, 就可以在数据库中强制密码复杂度了.

2. 密码验证失败延迟
这个主要用于防止暴力破解. 验证失败后, 延迟一个时间窗口才能继续验证.
安装 : 
  1. [root@db-172-16-3-221 auth_delay]# cd /opt/soft_bak/postgresql-9.3.5/contrib/auth_delay/
  2. [root@db-172-16-3-221 auth_delay]# gmake clean
  3. rm -f auth_delay.so auth_delay.o
  4. [root@db-172-16-3-221 auth_delay]# gmake
  5. gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -I. -I. -I../../src/include -D_GNU_SOURCE -I/usr/include/libxml2   -c -o auth_delay.o auth_delay.c
  6. gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith -Wdeclaration-after-statement -Wendif-labels -Wmissing-format-attribute -Wformat-security -fno-strict-aliasing -fwrapv -fpic -L../../src/port -L../../src/common -Wl,--as-needed -Wl,-rpath,'/opt/pgsql9.3.5/lib',--enable-new-dtags  -shared -o auth_delay.so auth_delay.o
  7. [root@db-172-16-3-221 auth_delay]# gmake install
  8. /bin/mkdir -p '/opt/pgsql9.3.5/lib'
  9. /usr/bin/install -c -m 755  auth_delay.so '/opt/pgsql9.3.5/lib/'

# 加载模块
 
  1. [root@db-172-16-3-221 auth_delay]# su - postgres
  2. postgres@db-172-16-3-221-> cd $PGDATA
  3. postgres@db-172-16-3-221-> vi postgresql.conf
  4. shared_preload_libraries = 'auth_delay,passwordcheck'
  5. auth_delay.milliseconds = 5000

测试 
  1. postgres@db-172-16-3-221-> pg_ctl restart -m fast
  2. postgres@db-172-16-3-221-> psql -h 172.16.3.221 -U postgres postgres
  3. Password for user postgres: 密码输入错误后, 需要等待5秒返回认证失败. 防止暴力破解密码.
  4. psql: FATAL:  password authentication failed for user "postgres"


3. 密码更换周期, 以及 重复使用策略
密码更换周期通过设置角色的有效期来强制指定, 例如 
  1. digoal=# alter role postgres valid until '2015-01-01';
  2. ALTER ROLE
  3. digoal=# \du
  4.                              List of roles
  5.  Role name |                   Attributes                   | Member of 
  6. -----------+------------------------------------------------+-----------
  7.  postgres  | Superuser, Create role, Create DB, Replication+| {}
  8.            | Password valid until 2015-01-01 00:00:00+08    |

那么2015-01-01后, 使用密码认证将不能登录, 但是如果配置为trust的话, 不需要密码验证还是能登录的.
重复使用策略目前无法简单的实现, 但是可以结合事件触发器来实现, 例如创建用户, 修改用户时, 将用户和密码+user的md5值记录到一个文件中, 下次修改密码时在事件触发器中检索一下是否重复使用了密码.

4. 密码验证失败几次后锁定, 以及解锁时间等
目前PostgreSQL不支持这个安全策略, 目前只能使用auth_delay来延长暴力破解的时间.

5. 设置密码时防止密码被记录到数据库日志,history,或审计日志中. 
这一点是最容易被忽略的, 可能导致密码泄露.
例如 : 
  1. postgres@db-172-16-3-221-> psql
  2. psql (9.3.5)
  3. Type "help" for help.
  4. digoal=# alter role postgres encrypted password 'a_b_cpostgreHAHAHAHAHAH';
  5. ALTER ROLE

这条SQL, 包括密码都可能被记录到2个地方.
1. history 
  1. postgres@db-172-16-3-221-> cd
  2. postgres@db-172-16-3-221-> less .psql_history
  3. alter role postgres encrypted password 'a_b_cpostgreHAHAHAHAHAH';
  4. \q

2. csvlog, (如果开启了DDL或更高级别审计, #log_statement = 'ddl'                 # none, ddl, mod, all).
 
  1. postgres@db-172-16-3-221-> cd $PGDATA/pg_log
  2. 2014-10-09 09:30:53.277 CST,"postgres","digoal",36441,"[local]",5435e54c.8e59,3,"idle",2014-10-09 09:30:52 CST,2/76,0,LOG,00000,"statement: alter role postgres encrypted password 'a_b_cpostgreHAHAHAHAHAH';",,,,,,,,"exec_simple_query, postgres.c:890","psql"

同时还可能被记录到审计工具中, 例如堡垒机.

解决办法 : 
1. 使用pwd+user的md5值设置密码, 
2. 或者 创建用户时使用createuser命令行工具-W选项提示输入密码. 
例如 : 
postgres@db-172-16-3-221-> createuser -D -E -I -l -P -R -s --no-replication -h 127.0.0.1 -p 5432 -U postgres -W newrole
Enter password for new role: 
Enter it again: 
Password: 
我们看到日志中记录的密码已经是加密后的密码.
2014-10-09 09:36:31.491 CST,"postgres","postgres",36499,"127.0.0.1:10919",5435e69f.8e93,3,"idle",2014-10-09 09:36:31 CST,2/100,0,LOG,00000,"statement: CREATE ROLE newrole ENCRYPTED PASSWORD 'md5e8541c3402dc262583fc1b0980b013df' SUPERUSER CREATEDB CREATEROLE NOINHERIT LOGIN NOREPLICATION;
对应的代码 : 
src/bin/scripts/createuser.c 
  1.                 if (encrypted != TRI_NO)
  2.                 {
  3.                         char       *encrypted_password;
  4.  
  5.                         encrypted_password = PQencryptPassword(newpassword,
  6.                                                                                                    newuser);
  7.                         if (!encrypted_password)
  8.                         {
  9.                                 fprintf(stderr, _("Password encryption failed.\n"));
  10.                                 exit(1);
  11.                         }
  12.                         appendStringLiteralConn(&sql, encrypted_password, conn);
  13.                         PQfreemem(encrypted_password);
  14.                 }

src/interfaces/libpq/fe-auth.c
 
  1. /*
  2.  * PQencryptPassword -- exported routine to encrypt a password
  3.  *
  4.  * This is intended to be used by client applications that wish to send
  5.  * commands like ALTER USER joe PASSWORD 'pwd'.  The password need not
  6.  * be sent in cleartext if it is encrypted on the client side.  This is
  7.  * good because it ensures the cleartext password won't end up in logs,
  8.  * pg_stat displays, etc.  We export the function so that clients won't
  9.  * be dependent on low-level details like whether the enceyption is MD5
  10.  * or something else.
  11.  *
  12.  * Arguments are the cleartext password, and the SQL name of the user it
  13.  * is for.
  14.  *
  15.  * Return value is a malloc'd string, or NULL if out-of-memory.  The client
  16.  * may assume the string doesn't contain any special characters that would
  17.  * require escaping.
  18.  */
  19. char *
  20. PQencryptPassword(const char *passwd, const char *user)
  21. {
  22.         char       *crypt_pwd;
  23.  
  24.         crypt_pwd = malloc(MD5_PASSWD_LEN + 1);
  25.         if (!crypt_pwd)
  26.                 return NULL;
  27.  
  28.         if (!pg_md5_encrypt(passwd, user, strlen(user), crypt_pwd))
  29.         {
  30.                 free(crypt_pwd);
  31.                 return NULL;
  32.         }
  33.  
  34.         return crypt_pwd;
  35. }

src/backend/libpq/md5.c
 
  1. /*
  2.  * Computes MD5 checksum of "passwd" (a null-terminated string) followed
  3.  * by "salt" (which need not be null-terminated).
  4.  *
  5.  * Output format is "md5" followed by a 32-hex-digit MD5 checksum.
  6.  * Hence, the output buffer "buf" must be at least 36 bytes long.
  7.  *
  8.  * Returns TRUE if okay, FALSE on error (out of memory).
  9.  */
  10. bool
  11. pg_md5_encrypt(const char *passwd, const char *salt, size_t salt_len,
  12.                            char *buf)
  13. {
  14.         size_t          passwd_len = strlen(passwd);
  15.  
  16.         /* +1 here is just to avoid risk of unportable malloc(0) */
  17.         char       *crypt_buf = malloc(passwd_len + salt_len + 1);
  18.         bool            ret;
  19.  
  20.         if (!crypt_buf)
  21.                 return false;
  22.  
  23.         /*
  24.          * Place salt at the end because it may be known by users trying to crack
  25.          * the MD5 output.
  26.          */
  27.         memcpy(crypt_buf, passwd, passwd_len);
  28.         memcpy(crypt_buf + passwd_len, salt, salt_len);
  29.  
  30.         strcpy(buf, "md5");
  31.         ret = pg_md5_hash(crypt_buf, passwd_len + salt_len, buf + 3);
  32.  
  33.         free(crypt_buf);
  34.  
  35.         return ret;
  36. }

3. 修改用户密码建议使用pg_md5工具生成密码, 在psql中使用ALTER ROLE填入md5值. 
与上面类似, pg_md5是pgpool提供的一个工具, 实际上就是调用上面的函数.

如果需要将认证模块剥离, 可以选择使用域认证或其他第三方认证方法, 这样的话, 密码策略就交由第三方管理了.


[其他]
1. PostgreSQL在密码安全管理这块还需要加强.
例如应该有密码修改的命令行工具.
应该有密码重复使用的策略模块.

[参考]
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/在线问答5/article/detail/913856
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号