Background technology
Currently, the password of the super user of a virtual machine (on Linux the super user is root; on Windows it is the Administrator user) is set by a static method. A static method means that when a new virtual machine operating system is installed, the super user's password is set statically; every later login uses that static password; and if the user wants to change the password it has to be changed manually (much as passwords are set on physical machines today).
This shows that the existing static password setting method for virtual machines has the following problems:
1) Security and usability are fundamentally at odds
On the one hand, many users like to set passwords that are easy to remember; that is, when constructing a password the user usually adopts some strategy to make it memorable. The common strategies are the following:
(1) using particular English words or phonetic (pinyin) spellings;
(2) using numbers related to the user's personal data, such as the user's birthday, a family member's birthday, various ID or passport numbers, etc.;
(3) using the keyboard layout to set the password, i.e. choosing keys that are adjacent on the keyboard, such as "asdfgh", "qwe123", "123456", etc.
The problem with all of these password setting methods is that their security is insufficient and they are easy to crack. The cracking method for strategies (1) and (3) is brute force: attackers generally use a password dictionary, built by collecting the passwords users commonly use on the network together with English dictionaries. A typical dictionary contains at least millions of entries and covers all kinds of common passwords, so the likelihood that a user can set a password that is both memorable and secure is very low. The cracking method for strategy (2) is to collect the user's personal information and then crack the password from that data; in today's networked society, collecting someone's personal information has become very easy.
On the other hand, the user may also set a very complex password, such as an overly long sentence, an overly long random number, or a combination of various symbols (digits, letters, punctuation marks, etc.). The security of such complex passwords is generally high, but the disadvantage is equally obvious: usability is very poor and the user has difficulty remembering them. If another medium is used to store the password, this in turn raises the problem of the physical security of that medium.
2) The problem of password validity period
Users mostly like to use one password for a long time, yet the security of a password constantly weakens as its time in service grows. The better security policy is for the user to change the password regularly, for example resetting it once a month or even once a day. The shorter the validity period of a password, the higher the security; yet with static password setting, resetting the password too frequently gives the user a very poor experience.
Summary of the invention
To solve the technical problems described above, the primary object of the present invention is to improve password security and solve the problem that passwords are easy to crack; to this end, the invention applies dynamic passwords to virtual machines;
secondly, to provide a method of periodically changing the password;
and to provide a method that spares the user from remembering a complex password, by having the system generate the username and password at random and notifying the user of them.
Based on the above objects, the present invention proposes a virtual machine dynamic password setting method that solves the insufficient security of the static password setting method while at the same time ensuring the usability of the system.
The virtual machine dynamic password setting and implementation method provided by the invention comprises the following steps:
1) setting a dynamic password generation strategy:
generating a dynamic password in the virtual machine and setting it as the login password;
2) setting a dynamic password notification strategy:
automatically notifying the host or the user of the dynamic password.
By setting the above strategies, the purpose of replacing the existing static password with a dynamic password on the virtual machine is achieved, improving the security of the password and solving the problem that passwords are easy to crack.
To further improve the effect, the password generation strategy in step 1) may comprise a dynamic random password generation strategy using a hashing algorithm.
Wherein:
The hashing-algorithm dynamic random password generation strategy may comprise the following steps:
(1) set a custom string a;
(2) get the date and save it as string b;
(3) generate a random number and save it as string c;
(4) concatenate a, b and c into string d;
(5) digest string d with the SHA-1 algorithm to obtain string e;
(6) take some number of trailing characters of e as the new dynamic password E;
(7) set E as the new dynamic password of the super user.
In addition, setting the dynamic password notification strategy in step 2) may comprise the following steps:
(1) output the username and password E to the serial port;
(2) obtain the virtual machine's serial port output in the host;
(3) parse the username and password E in the host;
(4) the host sends the username and password to the user.
Setting the dynamic password notification strategy in step 2) may also send the dynamic password to the user by e-mail or SMS.
The method may further comprise step 3): setting the virtual machine dynamic password setting program to execute automatically, setting it to execute periodically, and/or modifying as required the generation, setting and notification strategies of the virtual machine dynamic password and the period of periodic execution.
Compared with the static password setting method, the dynamic password setting method of the present invention has the following characteristics:
1) the invention can automatically reset the virtual machine password when the virtual machine starts (or when the user requests an update), and notifies the user of the new password after startup (or the update) completes;
2) the dynamically set password of the invention is dynamic and may be randomly generated; it follows no rule, is hard to crack, and has higher security;
3) the invention supports periodic resetting of the virtual machine dynamic password, solving the password validity period problem and further improving password security;
4) the invention includes automatic password notification, so the user need not remember the dynamically generated random password, which improves the user experience.
The present invention is particularly suitable for ensuring the security of virtual machine passwords in the following two application scenarios:
1) an enterprise uses virtual machines to provide internal services. In this scenario each run cycle of a virtual machine is very long, possibly several months or a whole year, and the security of a static password keeps decreasing as its time in service is prolonged; the periodic dynamic password setting strategy adopted by the invention solves this problem and thereby improves virtual machine password security in this scenario;
2) a cloud computing scenario, in which an enterprise provides virtual machines to users to run the users' services. Here the virtual machine password may be set by the users themselves, and users rarely follow a password security policy, so insecure passwords get set; the dynamic password setting method adopted by the invention can set a secure password without affecting usability, thereby improving virtual machine password security in this scenario.
The present invention can greatly improve the security of virtual machine passwords while ensuring usability, and has high utility and commercial value.
Embodiment
In order to make the above and other objects, features and advantages of the present invention more clearly understandable, preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings:
To remedy the defects of static passwords described above, the inventors intend to use dynamic passwords to solve these technical problems, although dynamic password generation has already been applied in other fields. Among those, applications in the field of physical machines (physical machine operating systems) are the closest to the field of the present invention. However, the virtual machine environment has some new characteristics relative to the physical machine environment that make the dynamic password setting methods used on physical machines unsuitable for virtual machines.
The key differences are:
1. The user generally has no physical access to the virtual machine
The devices such as smart cards commonly used in physical machine dynamic password methods to store (obtain) the dynamic password must be connected to the physical machine to be usable. In a virtual machine environment the virtual machine cannot be reached directly, so storing (obtaining) the password on the physical machine via a smart card or similar device is unsuitable; a new password notification strategy is needed so that the user can conveniently obtain the password.
2. A virtual machine is generally started from a pre-built virtual machine image
The way a virtual machine is installed differs from the way a physical machine is installed. When a physical machine is installed, the installer provides the installation interface, which always includes a way to set a static password, so the user can set a password of their own. A virtual machine is installed by directly booting a copy of an installation image; the image (in a corporate environment, large numbers of users use the same image) is an already-installed system with an initial password already set (so the initial passwords of a large number of virtual machines are identical). If the user does not change the initial password, its security cannot be guaranteed. Virtual machine images therefore need to adopt the dynamic password setting method and be configured to reset the password at boot, to guarantee the security of the user's password.
3. Compared with physical machines, virtual machines are generally used exclusively by one user
When users use physical machine resources, a physical machine is generally shared by several users, and a superuser on the physical machine with higher privileges can help users set up and maintain the dynamic password setting policy. When users use virtual machine resources, there are generally many virtual machines on one physical machine, each used exclusively by a particular user, and the virtual machines are isolated from the physical machine; therefore no superuser is available to set up and maintain a security policy for the virtual machine users, and at the same time not every user is a domain expert. A secure and easy-to-use virtual machine dynamic password setting method is therefore needed for each virtual machine to guarantee the security of the user's password.
The virtual machine dynamic password setting method proposed by the present invention solves these problems specific to the virtual machine environment.
In this embodiment, RHEL 5.4 is used as the host and its bundled KVM as the hypervisor; target virtual machines running Ubuntu 9.04 and Windows 2003 are installed, and the virtual machine dynamic password setting of the present invention was implemented on each of them. It specifically comprises the implementation of the dynamic generation strategy for the virtual machine password, the password notification strategy, and the boot-time and periodic execution strategies for the generation and notification strategies. The dynamic generation strategy preferably adopts a dynamic random password generation strategy, meaning that a random number is introduced into the generation process of the dynamic password; a hashing algorithm may also be introduced into the generation process to further improve the randomness of the password, and thereby its security.
The execution flow of the virtual machine dynamic password setting method proposed by the present invention in this embodiment is as follows:
1) Install the virtual machine (step 10)
In this embodiment, Ubuntu 9.04 and Windows 2003 are installed on the host with KVM. Ubuntu 9.04 is installed from a ready-made Ubuntu 9.04 image from Eucalyptus, comprising a kernel, a ramdisk and a file system image. An SSH server and Perl are already installed in this ready-made image.
2) Set the dynamic password generation strategy (step 11)
This strategy is mainly configured to generate a secure dynamic password in the virtual machine and set it as the login password.
When designing the dynamic password generation strategy, the security and the ease of use of the dynamic password generally need to be weighed together. Because the user does not need to remember the dynamic password, more weight can be given to security and less to ease of use. The dynamic password must not be too short, since then security cannot be guaranteed; it should generally have at least 8 characters. At the same time it must not be too long, since that would make it inconvenient for the user to type; it generally should not exceed 16 characters, so the dynamic password is preferably 8-16 characters long. The character set must not be too simple, e.g. digits alone or lowercase letters alone; preferably it is "digits + letters (upper and lower case) + punctuation (#, $, %, &, *, (, ), ! etc.)". The dynamic password must not follow a rule, i.e. it must have no specific meaning, and is preferably generated at random.
To improve the effect, this embodiment adopts the dynamic random password generation strategy, i.e. a random number is introduced into the generation process of the dynamic password; a hashing algorithm is also introduced into the generation process to further improve the randomness, and thereby the security, of the password.
The dynamic password generation strategy can be implemented in various programming languages, such as C, Java, shell script, Perl, Python, etc. To make the generation strategy harder to crack, however, C is recommended, and after compilation the symbol information of the executable should be removed with the strip command.
Referring to Fig. 2, the dynamic password generation strategy of the method of the present invention in this embodiment may specifically comprise the following steps:
(1) set a custom string a, e.g. "Cloud Manager" (step 111);
(2) get the date and save it as string b (step 112);
(3) generate a random number and save it as string c (step 113);
(4) concatenate a, b and c into string d (step 114);
(5) digest string d with the SHA-1 algorithm to obtain string e (step 115);
(6) take some number of trailing characters of e as the new dynamic password E (step 116); in this embodiment 12 characters are taken (8-12 is generally recommended);
(7) set E as the new dynamic password of the super user (step 117).
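The hash-based generation strategy of steps (1)-(7) above (and of the summary), carried through as an added worked example in Python; this is not the patent's own implementation (the embodiment recommends C). It uses "Cloud Manager" as the custom string a, a UTC timestamp as b and a CSPRNG-derived number as c; the use of `chpasswd`, the dry-run flag and the entropy bound are assumptions added here.

```python
"""Added example: SHA-1 based dynamic random password generation (steps 1-7)."""
import datetime
import hashlib
import secrets
import subprocess

HEX_ALPHABET = "0123456789abcdef"


def generate_dynamic_password(a: str, b: str, c: str, length: int = 12) -> str:
    """Steps (4)-(6): d = a+b+c, e = sha1(d), E = trailing `length` chars of e.

    The embodiment takes 12 characters and recommends 8-12; a SHA-1 hex
    digest is 40 characters long, so `length` is capped there.
    """
    if not 8 <= length <= 40:
        raise ValueError("password length must be between 8 and 40 hex characters")
    d = a + b + c                                      # step (4)
    e = hashlib.sha1(d.encode("utf-8")).hexdigest()    # step (5)
    return e[-length:]                                 # step (6)


def fresh_inputs(a: str = "Cloud Manager") -> tuple[str, str, str]:
    """Steps (1)-(3): custom string a, date string b, random number string c.

    a is fixed and b is a timestamp, so both are guessable; the only secret
    input is c, which is why `secrets` (a CSPRNG) is used rather than `random`.
    """
    b = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    c = str(secrets.randbits(128))
    return a, b, c


def effective_entropy_bits(length: int, random_bits: int) -> float:
    """Defender's sanity check: upper bound on the password's entropy.

    Truncated lowercase hex carries 4 bits per character, and hashing cannot
    add entropy beyond what c supplies, so the bound is min(4*length, random_bits).
    """
    return float(min(4 * length, random_bits))


def set_root_password(username: str, password: str, dry_run: bool = True) -> str:
    """Step (7): set the new password via chpasswd (Linux); dry run by default.

    Returns the "user:password" line that chpasswd reads from stdin.
    """
    line = f"{username}:{password}\n"
    if not dry_run:
        subprocess.run(["chpasswd"], input=line, text=True, check=True)
    return line


if __name__ == "__main__":
    a, b, c = fresh_inputs()
    pw = generate_dynamic_password(a, b, c, 12)
    print(f"new password: {pw} "
          f"(at most {effective_entropy_bits(12, 128):.0f} bits of entropy)")
    print(set_root_password("root", pw).strip())
```

With the embodiment's 12 hex characters the bound is 48 bits regardless of how large c is, which is the figure to keep in mind when choosing the truncation length.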
The above is a dynamic random password generation strategy using a hashing algorithm; other dynamic password generation methods may also be adopted.
Because the biggest difference between a dynamic password and a static password is how to notify the user of the password, a secure and effective dynamic password notification strategy must be designed to ensure that the user can log in smoothly.
3) Set the dynamic password notification strategy (step 12)
When designing the dynamic password notification strategy, the first problem to solve is how to notify the host or the user of the dynamic password. The following methods can be used when the strategy is applied to a virtual machine: if the virtual machine can access the network, the dynamic password can be sent to the user by e-mail. If the virtual machine cannot access the network, the password can be printed to the serial port and thereby output to the host; in that case the security of the password depends entirely on the security of the host. The method is of course not limited to these two; those skilled in the art may also use other means of notification.
If e-mail or SMS is used, implementing the dynamic password notification strategy is fairly simple: the password only needs to be sent to a terminal such as the target e-mail address or mobile phone;
if there is no network, the password can be sent to the serial port, and the transfer of the dynamic password is readily implemented with the help of the host.
Referring to Fig. 3, the dynamic password notification strategy of the method of the present invention in this embodiment may specifically comprise the following steps:
(1) output the generated username and password E to the serial port (step 121), e.g. to ttyS0 under Ubuntu 9.04 and to COM1 under Windows 2003;
(2) obtain the virtual machine's serial port output (ttyS0 or COM1) in the host (step 122);
(3) parse the username and password E in the host (step 123);
(4) send the username and password to the user via the host (step 124).
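Both sides of the serial-port notification path, steps (1)-(4), as an added Python example that is not the patent's own code. The `VMDYNPASS` marker line format, the constructed boot-log sample and the `send_to_user` delivery callback are assumptions; the device names (ttyS0, COM1) and the sample password 860a5b43 are the embodiment's.

```python
"""Added example: serial-port notification of the dynamic password (steps 1-4)."""
import re
from typing import Callable, Optional

# Assumed marker format written by the guest to its serial port, e.g.
#   VMDYNPASS user=root pass=860a5b43
# A fixed marker lets the host pick the credential line out of ordinary boot output.
MARKER = "VMDYNPASS"
MARKER_RE = re.compile(rf"^{MARKER} user=(\S+) pass=(\S+)\s*$", re.MULTILINE)


def format_notification(username: str, password: str) -> str:
    """Step (1), guest side: build the single line written to the serial port."""
    if any(ch.isspace() for ch in username + password):
        raise ValueError("username and password must not contain whitespace")
    return f"{MARKER} user={username} pass={password}\n"


def write_to_serial(username: str, password: str, device: str = "/dev/ttyS0") -> None:
    """Step (1): write the line to the guest serial port (ttyS0 on Ubuntu 9.04,
    COM1 on Windows 2003). The line crosses to the host in the clear, so the
    host-side capture must be protected as the description notes."""
    with open(device, "a", encoding="utf-8") as port:
        port.write(format_notification(username, password))


def parse_notification(serial_output: str) -> Optional[tuple[str, str]]:
    """Steps (2)-(3), host side: extract (username, password) from captured output.

    Boot messages interleave with the marker line; if the guest reset the
    password more than once, the most recent marker wins. Returns None if absent.
    """
    matches = MARKER_RE.findall(serial_output)
    if not matches:
        return None
    user, password = matches[-1]
    return user, password


def deliver(serial_output: str, send_to_user: Callable[[str, str], None]) -> bool:
    """Step (4): hand the parsed credentials to a delivery hook (e-mail, SMS,
    encrypted store). Returns False when nothing was parsed so the caller can
    raise an alarm instead of silently leaving the user locked out."""
    creds = parse_notification(serial_output)
    if creds is None:
        return False
    send_to_user(*creds)
    return True


# Constructed sample of what the host captures from the guest's serial console.
SAMPLE_SERIAL_OUTPUT = (
    "[    0.000000] Linux version 2.6.28-11-generic (constructed sample)\n"
    "[    2.114257] EXT3 FS on sda1, internal journal\n"
    " * Starting OpenBSD Secure Shell server sshd            [ OK ]\n"
    "VMDYNPASS user=root pass=860a5b43\n"
    "Ubuntu 9.04 ubuntu ttyS0\n"
    "ubuntu login: "
)

if __name__ == "__main__":
    ok = deliver(SAMPLE_SERIAL_OUTPUT, lambda u, p: print(f"notify {u}: {p}"))
    print("delivered" if ok else "no credentials found in serial output")
```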
This completes the dynamic generation and use of the virtual machine password in this embodiment. To ensure that the above strategies are implemented, and that the reset function can be carried out periodically or irregularly so as to solve the password validity period problem and further improve password security, this embodiment further comprises the following steps.
4) Set the virtual machine dynamic password setting program to execute automatically (step 13)
First, implement execution at boot, so that the password is changed automatically at each startup;
under Ubuntu 9.04, the virtual machine dynamic password setting program can be made to run at boot by adding it to the rc.local file;
under Windows 2003, the program can be set to execute automatically through Group Policy, thereby running it at boot.
5) Set the virtual machine dynamic password setting program to execute periodically (step 14)
Secondly, because in the general case (e.g. a virtual machine providing a web service) each run cycle of the virtual machine is very long, possibly several months or a whole year, the security of a static password keeps decreasing as its time in service is prolonged. To solve the problem that password security weakens as time in service grows while the virtual machine runs for a long time, the virtual machine dynamic password setting program can be set to execute periodically.
Under Ubuntu 9.04, periodic execution of the program can be set with the crontab -e command;
under Windows 2003, periodic execution of the program can be set through the Task Scheduler.
The above steps (steps 10-14) are generally all completed during the virtual machine installation phase.
6) Restart the virtual machine (step 15); at this point the dynamic password generation strategy executes automatically, generates and sets a new password, and notifies the host or the user of the new password.
In this embodiment, during virtual machine startup the virtual machine dynamic password setting program executes automatically, resets the virtual machine password, and outputs the username and new password to the serial port; the RHEL 5.4 host obtains the serial port output, parses the username and password, and finally sends the username and new password to the user. The notification may use existing secure methods, e.g. e-mail or an encrypted database.
In this embodiment, for simplicity, the usernames are the system defaults: the Ubuntu 9.04 user is root and the Windows 2003 user is administrator. The Ubuntu 9.04 password obtained at one particular boot was 860a5b43 and the Windows 2003 password was 1gcv9vil; the generated passwords are clearly random and have good security.
7) During virtual machine operation, log in to the virtual machine with the obtained username and password, and modify as required the generation, setting and notification strategies of the virtual machine dynamic password and the period of periodic execution (step 16)
During the virtual machine operation phase, the user can log in to the system locally or remotely with the obtained password, modify the dynamic password setting strategy and the password notification strategy, and can also manually execute the dynamic password generation strategy to generate and set a new password and notify the host or the user of the dynamically generated password.
For a long-running virtual machine (e.g. one providing a web service), the user can set the automatic reset time of the dynamic password, such as "reset the password every day" or "reset the password every week".
This embodiment only explains the virtual machine dynamic password setting process using Ubuntu 9.04 and Windows 2003 virtual machines as examples; in fact the present invention applies to virtual machines of any system, the most typical application scenarios being Linux and Windows virtual machines. The above describes newly installed virtual machines; it will be understood that the present invention can also be implemented on an already-installed virtual machine, in which case one logs in to the virtual system with the former static password and then performs the above operations. Those skilled in the art will understand this process, and it is not repeated here.
The foregoing merely illustrates preferred embodiments of the present invention and does not limit its scope. Any changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention, i.e. all equivalent variations and modifications made according to the present invention, shall fall within the scope of the claims of the present invention.