人大金仓数据库KingbaseES 弱口令扫描经验分享

shared_preload_libraries = 'security_utils'

\c - system

create extension security_utils;

show security_utils.weak_pwd_check_enable;

security_utils.weak_pwd_check_enable

------------------------------------

off

(1 行记录)

alter system set security_utils.weak_pwd_check_enable = on;

select sys_reload_conf();

sys_reload_conf

-----------------

t

(1 行记录)

show security_utils.weak_pwd_check_enable;

security_utils.weak_pwd_check_enable

------------------------------------

on

(1 行记录)

\c - system

set weak password '123qwe';--成功

set weak password '123qwe','1234asdf';--失败，重复弱口令报错

错误: weak passwd dic "123qwe" already exists

set weak password if not exists '123qwe','1234asdf';--成功，忽略已存在的弱口令

--查看弱口令配置

select * from security_utils.weak_pwd_dic;

创建新用户 u1，使用弱口令作为口令：

\c - system

create user u1 with password '123qwe';--失败，口令不符合弱口令检查

错误: password is too weak!

create user u1 with password '123qwer';--成功

alter user u1 with password '123qwe';

错误: password is too weak!--失败，口令不符合弱口令检查

数据库管理员进行弱口令扫描

\c - system

--将 u1 用户的口令设置为弱口令字典

set weak password '123qwe';

--进行弱口令扫描

select * from security_utils.weak_passwd_scan_result;

username | weak_passwd

----------+-------------

u1 | 123qwer

(1 row)

数据库管理员删除弱口令配置

\c - system

--查看现有弱口令配置

select * from security_utils.weak_pwd_dic;

weak_passwd | created_time

-------------+-------------------------------

123qwe | 2022-08-01 15:11:21.102412+08

1234asdf | 2022-08-01 15:12:52.640116+08

123qwer | 2022-08-01 15:22:12.404342+08

(3 rows)

--删除弱口令配置

remove weak password '123qwe';--成功

remove weak password '123qwe','1234asdf','123qwer';--失败，不存在的弱口令报错

错误: weak passwd dic "123qwe" does not exists

remove weak password if exists '123qwe','1234asdf','123qwer';--成功，忽略不存在的弱口令

--查看弱口令字典

select * from security_utils.weak_pwd_dic;

weak_passwd | created_time