CN116933232A - BMC-based server password security management method and device - Google Patents

Abstract

The application discloses a server password security management method and device based on BMC, wherein the method comprises the steps of responding to authentication operation of a first user on a boot loader interface, calling intelligent graphic computing service in the BMC, and locally acquiring or remotely acquiring first biological characteristic data of the first user; calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by carrying out local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and calculating the acquired second biological characteristic data; and when the comparison is passed, authorizing the first user to control operation on the startup loader interface. And when the comparison is not passed, shutting down or calling the intelligent graphic computing service again to perform the comparison. The application realizes the safe and effective management of the server password setting and verification, is not easy to crack, and improves the safety.

Description

BMC-based server password security management method and device

Technical Field

The application relates to the technical field of server security, in particular to a server password security management method and device based on BMC.

Background

The baseboard management controller (Baseboard Management Controller, BMC) management system is an embedded management system independent of a host operating system on a server motherboard, supports an industry standard IPMI (IntelligentPlatform Management Interface ) protocol, and is used for providing a remote management function for a server by utilizing a virtual keyboard, a mouse and the like. In the process of server management, the security of a server system is particularly important, the password intensity of an administrator is also increasing, and a remote login interface is an interface of the administrator management system, so that the security of the server is ensured, and the high-intensity password design is particularly important. Meanwhile, the server equipment has very high requirements on safety, and particularly, the server equipment is applied to high-performance servers of important national institutions such as finance, traffic and electric power, and the authority of an administrator is particularly important. When a server manager of each company or enterprise works operates a server in charge of the manager, only a high-authority manager can operate the control server.

When the server is logged in and started, the firmware loads an operating system by starting a Linux petboot kernel stored in a firmware flash memory chip, the petboot is a platform-independent starting loading program based on a Linux kexec hot starting mechanism, a disk and kexec for storing the operating system which a user wants to start are searched through the petiboot, password verification is needed to be carried out on the server in the petiboot stage, however, the password design of the server is currently a universal password combination of numbers, characters, special symbols and the like, the password combination is uniformly verified after a password is input into a remote browser interface of a BMC, the server can be operated, the password design and verification mode are simple and single, the server is easy to be broken, the password security level is low, and the security cannot be guaranteed.

Disclosure of Invention

The application provides a server password safety management method and device based on BMC, which realize the safety and effective management of server password setting and verification, prevent the server from being cracked and improve the safety of the server.

In order to solve the technical problems, an embodiment of the present application provides a server password security management method based on BMC, including:

responding to authentication operation of a first user on a boot loader interface, calling intelligent graphic computing service in the BMC, and locally acquiring or remotely acquiring first biological characteristic data of the first user;

calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by carrying out local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and calculating the acquired second biological characteristic data;

and when the comparison is passed, authorizing the first user to control operation on the startup loader interface.

According to the embodiment of the application, the intelligent graphic computing service in the BMC is called in response to the authentication operation of the first user on a bootloader interface (petitboot interface), and the first biological characteristic data of the first user is obtained locally or remotely; calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by performing local acquisition or remote acquisition of second biological characteristic data on the second user according to intelligent graphic calculation service in the BMC and performing calculation on the acquired second biological characteristic data. The pre-stored second hash password value of the second user is a hash password value of a server administrator, and in order to ensure the security of the server, the pre-stored second hash password value of the second user must be compared with the hash password value of the administrator when the current server operator (the first user) needs to operate the server. And when the comparison is passed, authorizing the control operation of the current server operator on the startup loader interface. When the server performs petitboot login, user biological characteristic data is obtained remotely or locally through the intelligent graphic computing service, corresponding computation and comparison are performed, safe and effective management of server password setting and verification are achieved, password security level is high, the intelligent computing service is started on a BMC remote browser interface for login verification, manual input of a user is not needed, only an administrator can enter a resident system, the resident system cannot be cracked, and the security of the server is improved.

As a preferred solution, the remote obtaining of the first biometric data of the first user specifically includes:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a first core service of a first user remote device through a first network;

and sending a first starting command to a first core service of the first user remote equipment according to a communication protocol, enabling the first user remote equipment to receive the first starting command and start the first core service, calling a driving interface of a first external equipment connected with the first user remote equipment, starting the first external equipment to work, enabling the first external equipment to collect first biological characteristic data of the first user, and returning the collected first biological characteristic data of the first user to the intelligent graphic computing service through the first core service.

As a preferred solution, the first biometric data of the first user is obtained locally, specifically:

and calling a biological information collection service in the BMC, calling a driving interface of a second external device connected with the BMC through a second network, starting the second external device to work, so that the second external device collects first biological characteristic data of the first user, calling the biological information collection service, and returning the collected first biological characteristic data of the first user to the intelligent graphic calculation service.

As a preferred scheme, a first hash password value corresponding to the first biological characteristic data is calculated, specifically:

combining the first biological characteristic data into a character string and storing the character string in a memory buffer area, and carrying out byte-by-byte signature on the data in the memory buffer area according to a pre-stored secret key to obtain signature data; the pre-stored secret key is generated through an asymmetric encryption algorithm when the acquired second biological characteristic data is calculated;

and carrying out hash calculation on the signature data for a first preset number of times to obtain a first hash password value.

Preferably, the authentication operation of the first user on the boot loader interface is responded, specifically:

and starting the kernel mirror image file according to the authentication operation, communicating with the BMC through a standard protocol when the initialization of the kernel mirror image file is completed, and enabling the BMC to obtain a starting verification command by analyzing standard data of the standard protocol and starting intelligent graphic computing service of the BMC in the server according to the starting verification command.

Preferably, the method further comprises: when the comparison fails, counting the times of the comparison failing to pass, and obtaining authentication failure times;

when the authentication failure times are larger than the second preset times, shutting down;

when the authentication failure times are not more than the second preset times, calling intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.

As a preferred scheme, the first external device collects first biological characteristic data of the first user, specifically:

starting a hot plug camera to collect facial feature data of a first user;

starting fingerprint acquisition equipment to acquire fingerprint data of a first user;

starting a user bracelet and collecting heartbeat data of a first user.

As a preferred solution, according to the intelligent graphic computing service in the BMC, the second user is remotely obtained from the second biometric data, specifically:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a second core service of a second user remote device through a third network;

and sending a second starting command to a second core service of the second user remote equipment according to the communication protocol, enabling the second user remote equipment to receive the second starting command and start the second core service, calling a driving interface of a third external equipment connected with the second user remote equipment, starting the third external equipment to work, enabling the third external equipment to collect second biological characteristic data of the second user, and returning the collected second biological characteristic data of the second user to the intelligent graphic computing service through the second core service.

In order to solve the same technical problem, the embodiment of the application also provides a server password security management device based on BMC, which comprises: the method comprises the steps of acquiring a biological characteristic data module, a password comparison module and an authorization control module;

the module for acquiring the biological characteristic data is used for responding to the authentication operation of the first user on the boot loader interface, calling intelligent graphic computing service in the BMC, and acquiring the first biological characteristic data of the first user locally or remotely;

the password comparison module is used for calculating a first hash password value corresponding to the first biological characteristic data and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by carrying out local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and calculating the acquired second biological characteristic data;

and the authorization control module is used for authorizing the control operation of the first user on the startup loader interface when the comparison is passed.

Preferably, the method further comprises a repeated authentication module;

the repeated authentication module is used for counting the times of failed comparison when the comparison fails, so as to obtain authentication failure times;

when the authentication failure times are larger than the second preset times, shutting down;

when the authentication failure times are not more than the second preset times, calling intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.

Drawings

Fig. 1: the application provides a flow diagram of an embodiment of a server password security management method based on BMC;

fig. 2: the application provides a flow chart for generating an administrator hash password value of an embodiment of a server password security management method based on BMC;

fig. 3: the application provides a structural schematic diagram of an embodiment of a server password security management device based on BMC.

Detailed Description

The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.

It should be noted that the kernel image file is a Linux kernel which is specially processed, and is a Linux kernel image file. IPMI is an abbreviation for intelligent platform management interface (Intelligent Platform Management Interface), and standard protocol is a generic standard protocol. petitboot is a bootloader called based on kexec, and is a boot loader independent of a platform based on a Linux kexec hot start mechanism.

Example 1

Referring to fig. 1, a flow chart of a server password security management method based on BMC according to an embodiment of the present application is shown. The server password security management method is suitable for BMC password management, the user biological characteristic data is obtained remotely or locally through intelligent graphic computing service, corresponding computation and comparison are carried out, and the user operation behavior is authorized, so that the server is not easy to crack, and the security of the server is improved. The server password security management method comprises steps 101 to 104, wherein the steps are as follows:

step 101: and responding to authentication operation of the first user on the boot loader interface, calling intelligent graphic computing service in the BMC, and locally acquiring or remotely acquiring first biological characteristic data of the first user.

In this embodiment, the first user is the current server operator. The intelligent graphic computing service in the BMC is a background process, and a server local interface or a user remote device interface is called through a network, so that the server or the user remote device executes corresponding actions, such as opening a camera, collecting data and the like. It should be noted that, the BMC is an independent control system on the server platform.

Optionally, the authentication operation of the first user on the boot loader interface is responded, specifically:

and starting the kernel mirror image file according to the authentication operation, communicating with the BMC through a standard protocol when the initialization of the kernel mirror image file is completed, and enabling the BMC to obtain a starting verification command by analyzing standard data of the standard protocol and starting intelligent graphic computing service of the BMC in the server according to the starting verification command.

It should be noted that, when the user needs to modify the server setting, the corresponding password authentication needs to be performed. The first user is a user who wants to start the loader petitboot currently, namely a current server operator, and needs to verify whether the first user is an administrator or not in order to ensure the security of the server. In the starting stage, when a user enters the Petitboot, the Linux kernel image file zImage starts the intelligent graphic computing service of the BMC through the IPMI standard protocol, and whether the first user is an administrator or not is verified through the intelligent verification service, so that safety management is carried out. The server is staged when being started, the bootloader petitboot is one of the stages, and the password authentication interface is popped up from the petitboot stage to the petitboot stage.

In this embodiment, when the firmware is started, the kernel image file is started, and after the kernel image file completes initialization of a file system and the like, the kernel image file communicates with the BMC through the IPMI standard protocol. Specifically, by using the IPMI standard protocol, which has a fixed data format, the BMC obtains a command for starting the internal intelligent authentication service, i.e., a start authentication command, by analyzing the IMPI standard data, and starts the intelligent graphic computing service and the intelligent authentication service. The intelligent graphic computing service interacts with a user remote device (such as a user local personal computer) through a network or interacts with a server local external device through the network, starts various external devices, collects the biological characteristic data of the personnel who want to start the loading program petitboot currently, and calculates the hash password value corresponding to the biological characteristic data. The intelligent verification service compares the hash password value with a pre-stored hash password value.

Optionally, the remote obtaining the first biometric data of the first user specifically includes:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a first core service of a first user remote device through a first network;

and sending a first starting command to a first core service of the first user remote equipment according to a communication protocol, enabling the first user remote equipment to receive the first starting command and start the first core service, calling a driving interface of a first external equipment connected with the first user remote equipment, starting the first external equipment to work, enabling the first external equipment to collect first biological characteristic data of the first user, and returning the collected first biological characteristic data of the first user to the intelligent graphic computing service through the first core service.

In this embodiment, when biometric data of a user is obtained remotely, the intelligent graphic computing service communicates with a core service of the remote device of the user (e.g., a local personal computer of the user), and sends a command to the core service according to a communication protocol, and the core service invokes a device driver interface to start an external device to work, collect data, and then returns the data to the intelligent graphic computing service.

Optionally, the first biometric data of the first user is locally acquired, specifically:

and calling a biological information collection service in the BMC, calling a driving interface of a second external device connected with the BMC through a second network, starting the second external device to work, so that the second external device collects first biological characteristic data of the first user, calling the biological information collection service, and returning the collected first biological characteristic data of the first user to the intelligent graphic calculation service.

In this embodiment, when the biometric data of the user is obtained locally, the interface of the server is directly called to perform local collection, for example, external devices such as a low-speed peripheral camera (the camera may be a hot plug device), a fingerprint collection device, and a user bracelet, which are convenient for data collection, may be hung on the BMC.

Optionally, the first external device collects first biometric data of the first user, specifically:

starting a hot plug camera to collect facial feature data of a first user;

starting fingerprint acquisition equipment to acquire fingerprint data of a first user;

starting a user bracelet and collecting heartbeat data of a first user.

In this embodiment, the external device includes a hot plug camera, a fingerprint acquisition device, and a user's bracelet. And acquiring physical sign biological characteristic data of the current user by using a camera, fingerprint acquisition equipment and a user bracelet, wherein the biological characteristic data comprises facial characteristic data of the user, fingerprint data of the user and heartbeat data of the user. When the intelligent graphic computing service receives the biological characteristic data, key data receiving processing can be carried out on the biological characteristic data, for example, fingerprint data of a thumb and an index finger of a user are taken, the facial characteristic data of the data are taken as rough outlines, and heartbeat data of the user are taken as average values within ten minutes.

Step 102: calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by performing local acquisition or remote acquisition of second biological characteristic data on the second user according to intelligent graphic calculation service in the BMC and performing calculation on the acquired second biological characteristic data.

It should be noted that, a high-efficiency graphics computing function is added at the BMC end, so that the BMC end can run graphics computing, and hash computing is performed after signing several types of graphics data (biometric data), and the hash value will be used as the hash password value of the user.

In this embodiment, the second user refers to an administrator of the server, when the password is set for the server, by receiving a cross-process BMC interface start signal and starting an intelligent graphics computing service, the second user performs local acquisition or remote acquisition of second biometric data, performs computation on the acquired second biometric data, obtains a second hash password value, pre-stores the second hash password value into the OTC, stores the second hash password value and a key into the OTC, and copies the second hash password value and the key into the secure U disk, so that later comparison is convenient to call. As an example of this embodiment, in the password design stage of the server administrator, as shown in fig. 2, the administrator accesses the BMC of the server through the remote interface, starts the bio-information collection service of the BMC, starts the camera to collect facial information of the administrator, starts the fingerprint module (fingerprint collection device) to collect fingerprint information of the administrator, starts the bracelet to collect pulse heartbeat information of the administrator, combines bio-information data (biometric data) into a character string, signs the character string with a private key, hashes the signed data three times to obtain a hash value, saves the hash value in the OTC, and copies the hash value to the storage device (such as a secure usb). Note that OTC is a memory chip with a high security level.

In this embodiment, the second hash password value is calculated for the second biometric data of the acquired administrator (second user), which specifically includes: generating a key through an asymmetric encryption algorithm (a unique key can be obtained by directly running the key in a command line window through a production tool when the asymmetric encryption algorithm is used); combining the biological characteristic data of the second user into a character string and storing the character string in a memory buffer area, and carrying out byte-by-byte signature on the data in the memory buffer area according to the secret key to obtain second signature data; and carrying out hash calculation on the second signature data for a first preset number of times to obtain a second hash password value. Storing both the key and the second hashed password value in the OTC facilitates invocation when authenticating the password to the current server operator (first user). As an example of this embodiment, the first preset number of times is 3, that is, three consecutive hash computations are adopted, and the hash computation is performed consecutively multiple times, so that the password strength can be improved.

Optionally, calculating a first hash password value corresponding to the first biometric data specifically includes:

combining the first biological characteristic data into a character string and storing the character string in a memory buffer area, and carrying out byte-by-byte signature on the data in the memory buffer area according to a pre-stored secret key to obtain signature data; the pre-stored secret key is generated through an asymmetric encryption algorithm when the acquired second biological characteristic data is calculated;

and carrying out hash calculation on the signature data for a first preset number of times to obtain a first hash password value.

In this embodiment, a unique key is pre-stored to sign the biometric data, and hash calculation is performed on the signed data multiple times to obtain a first hash password value. The hash computation may generate a hash password value from the command of the command line. As an example of this embodiment, the collected biometric data is signed with a private key (a pre-stored key), and then subjected to three continuous hash computations to obtain the hash password value of this time. The asymmetric encryption algorithm is an RSA encryption algorithm, and the security is realized by virtue of the complexity of decomposing large prime numbers, and the product of the large prime numbers is difficult to decompose, so that the password is difficult to crack.

Optionally, according to the intelligent graphic computing service in the BMC, the second user is remotely obtained from the second biometric data, specifically:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a second core service of a second user remote device through a third network;

and sending a second starting command to a second core service of the second user remote equipment according to the communication protocol, enabling the second user remote equipment to receive the second starting command and start the second core service, calling a driving interface of a third external equipment connected with the second user remote equipment, starting the third external equipment to work, enabling the third external equipment to collect second biological characteristic data of the second user, and returning the collected second biological characteristic data of the second user to the intelligent graphic computing service through the second core service.

In this embodiment, an administrator (second user) of the server sets a password using the BMC remote interface, starts the intelligent graphics computing service, and sets the password by starting the intelligent graphics computing service in the BMC through the cross-process BMC interface during the initial running process of the system. When the password is set, the local server can be used for locally acquiring the biological characteristic data, and the remote equipment of the user can be called for remotely acquiring the biological characteristic data. The mode of the driving external equipment interface adopted by the local acquisition or the remote acquisition during the password setting is correspondingly the same as the mode of the driving external equipment interface adopted by the local acquisition or the remote acquisition during the password verification, and the mode of the local acquisition or the remote acquisition can be selected according to the requirement to acquire the biological characteristic data of the user no matter the password setting or the password verification.

When a new administrator is needed to be added or replaced to the server, the external equipment of the local server can be selected, the external equipment of the remote equipment can be selected for collection, when the new administrator can not record data locally, the collection of the biological characteristic data of the new administrator can be rapidly completed through remote acquisition, the password of the server is rapidly set, the password update management of the server is facilitated, the hash password value of the new administrator of the server is stored, and the later password verification is facilitated.

Optionally, the first hash password value is compared with a pre-stored second hash password value, specifically:

comparing the first hash password value with the second hash password value byte by byte;

if any byte is different, the comparison is not passed;

if all bytes are the same, then the comparison passes.

In this embodiment, the first hash password value obtained by calculation and the hash password value (second hash password value) of the administrator stored in the OTC are compared byte by byte, and when the comparison is performed byte by byte, authentication cannot pass if there is a byte difference, i.e., the comparison cannot pass.

Step 103: and when the comparison is passed, authorizing the first user to control operation on the startup loader interface.

Step 104: when the comparison fails, counting the times of the comparison failing to pass, and obtaining authentication failure times;

when the authentication failure times are larger than the second preset times, shutting down;

when the authentication failure times are not more than the second preset times, calling intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.

In this embodiment, to ensure the security of the server, it is required whether the current server operator (the first user) can operate the server, and perform verification comparison, if the comparison is passed, a startup loader interface will be displayed, and the first user is authorized to control operation on the startup loader interface, and the user can set the system on the startup loader interface, and can enter the operating system after the setting is completed. If the comparison is not passed, judging whether to carry out password verification again according to the authentication failure times, calling intelligent graphic calculation service again when the authentication failure times are smaller than the second preset times, calculating the hash password value again, carrying out comparison authentication again, and shutting down the server and ensuring the safety of the server when the authentication failure times exceed the second preset times. As an example of this embodiment, the second preset number of times is 3, when the first password authentication is different, three authentication opportunities will be given again, and if 4 consecutive authentications are not passed, the server will be automatically powered off.

According to the embodiment of the application, the authentication operation of the first user on the boot loader interface is responded, the intelligent graphic computing service in the BMC is called, and the first biological characteristic data of the first user is obtained locally or obtained remotely; calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by performing local acquisition or remote acquisition of second biological characteristic data on the second user according to intelligent graphic calculation service in the BMC and performing calculation on the acquired second biological characteristic data. The pre-stored second hash password value of the second user is a hash password value of a server administrator, and in order to ensure the security of the server, the pre-stored second hash password value of the second user must be compared with the hash password value of the administrator when the current server operator (the first user) needs to operate the server. And when the comparison is passed, authorizing the control operation of the current server operator on the startup loader interface. When the server performs petitboot login, user biological characteristic data is obtained remotely or locally through the intelligent graphic computing service, corresponding computation and comparison are performed, safe and effective management of server password setting and verification are achieved, password security level is high, the intelligent computing service is started on a BMC remote browser interface for login verification, manual input of a user is not needed, only an administrator can enter a resident system, the resident system cannot be cracked, and the security of the server is improved.

Example two

Accordingly, referring to fig. 3, fig. 3 is a schematic structural diagram of a second embodiment of a server password security management device based on BMC according to the present application. As shown in fig. 3, the server password security management apparatus based on the BMC includes a biometric data acquisition module 301, a password comparison module 302, an authorization control module 303, and a duplicate authentication module 304;

the biometric data acquisition module 301 is configured to respond to an authentication operation of the first user on the boot loader interface, invoke an intelligent graphics computing service in the BMC, and acquire first biometric data of the first user locally or remotely;

the acquired biometric data module 301 includes a response unit 3011, a first remote acquisition unit 3012, and a local acquisition unit 3013;

the response unit 3011 is configured to start the kernel image file according to the authentication operation, and when the initialization of the kernel image file is completed, communicate with the BMC through a standard protocol, and the BMC obtains a start verification command by analyzing standard data of the standard protocol, and starts an intelligent graphics computing service of the BMC in the server according to the start verification command;

the first remote acquisition unit 3012 is configured to invoke a biological information collection service in the BMC, and perform interactive communication between the intelligent graphic computation service and a first core service of the first user remote device through a first network; sending a first starting command to a first core service of the first user remote equipment according to a communication protocol, enabling the first user remote equipment to receive the first starting command and start the first core service, calling a driving interface of a first external equipment connected with the first user remote equipment, starting the first external equipment to work, enabling the first external equipment to collect first biological characteristic data of the first user, and returning the collected first biological characteristic data of the first user to an intelligent graphic computing service through the first core service;

the first remote acquisition unit 3012 further includes a data acquisition subunit;

the data acquisition subunit is used for starting the hot plug camera and acquiring facial feature data of the first user;

starting fingerprint acquisition equipment to acquire fingerprint data of a first user;

starting a user bracelet and collecting heartbeat data of a first user.

The local acquisition unit 3013 is configured to invoke a biological information collection service in the BMC, invoke a driving interface of a second external device connected to the BMC through a second network, and start the second external device to work, so that the second external device collects first biological characteristic data of the first user, invoke the biological information collection service, and return the collected first biological characteristic data of the first user to the intelligent graphics computing service.

The password comparison module 302 is configured to calculate a first hash password value corresponding to the first biometric data, and compare the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by carrying out local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and calculating the acquired second biological characteristic data;

the password comparison module includes a data signature unit 3021, a hash calculation unit 3022, a byte comparison unit 3023, and a second remote acquisition unit 3024;

the data signing unit 3021 is configured to combine the first biometric data into a character string and store the character string in the memory buffer, and sign the data in the memory buffer byte by byte according to a pre-stored key to obtain signature data; the pre-stored secret key is generated through an asymmetric encryption algorithm when the acquired second biological characteristic data is calculated;

the hash calculation unit 3022 is configured to perform hash calculation on the signature data for a first preset number of times, to obtain a first hash password value.

The byte comparison unit 3023 is configured to compare the first hash password value with the second hash password value one by one;

if any byte is different, confirming that the comparison is not passed;

if all bytes are the same, then the validation alignment passes.

The second remote acquiring unit 3024 is configured to invoke the biological information collecting service in the BMC, and perform interactive communication between the intelligent graphic computing service and the second core service of the second user remote device through the third network; and sending a second starting command to a second core service of the second user remote equipment according to the communication protocol, enabling the second user remote equipment to receive the second starting command and start the second core service, calling a driving interface of a third external equipment connected with the second user remote equipment, starting the third external equipment to work, enabling the third external equipment to collect second biological characteristic data of the second user, and returning the collected second biological characteristic data of the second user to the intelligent graphic computing service through the second core service.

The authorization control module 303 is configured to authorize a control operation of the first user on the boot loader interface when the comparison is passed.

The repeated authentication module 304 is configured to count the number of times of failed comparison when the comparison fails, thereby obtaining the number of times of failed authentication; when the authentication failure times are larger than the second preset times, shutting down; when the authentication failure times are not more than the second preset times, calling intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.

By implementing the embodiment of the application, the designed password is high in security level and cannot be cracked through interaction of the intelligent graphic computing service and the local equipment. When Petitboot login is carried out, intelligent verification service is started through the BMC to carry out login verification, manual input of a user is not needed, use of an administrator is facilitated, convenience is improved, meanwhile, a server can be operated only after verification is carried out, and safety of password management is improved.

The server password security management device based on the BMC can implement the server password security management method based on the BMC in the method embodiment. The options in the method embodiments described above are also applicable to this embodiment and will not be described in detail here. The rest of the embodiments of the present application may refer to the content of the above method embodiments, and in this embodiment, no further description is given.

The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present application, and are not to be construed as limiting the scope of the application. It should be noted that any modifications, equivalent substitutions, improvements, etc. made by those skilled in the art without departing from the spirit and principles of the present application are intended to be included in the scope of the present application.

Claims (10)

1. The server password security management method based on the BMC is characterized by comprising the following steps of:

responding to authentication operation of a first user on a boot loader interface, calling intelligent graphic computing service in a BMC, and locally acquiring or remotely acquiring first biological characteristic data of the first user;

calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by performing local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and performing calculation on the acquired second biological characteristic data;

and authorizing the control operation of the first user on the starting loader interface when the comparison is passed.

2. The method for managing server password security based on BMC as recited in claim 1, wherein the remotely acquiring the first biometric data of the first user is specifically:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a first core service of a first user remote device through a first network;

and sending a first starting command to a first core service of the first user remote equipment according to a communication protocol, enabling the first user remote equipment to receive the first starting command and start the first core service, calling a driving interface of a first external equipment connected with the first user remote equipment, starting the first external equipment to work, enabling the first external equipment to collect first biological characteristic data of the first user, and returning the collected first biological characteristic data of the first user to the intelligent graphic computing service through the first core service.

3. The method for managing server password security based on BMC as claimed in claim 2, wherein the locally obtaining the first biometric data of the first user specifically comprises:

and calling a biological information collection service in the BMC, calling a driving interface of a second external device connected with the BMC through a second network, starting the second external device to work, so that the second external device collects first biological characteristic data of the first user, calling the biological information collection service, and returning the collected first biological characteristic data of the first user to the intelligent graphic calculation service.

4. The method for managing server password security based on BMC as claimed in claim 1, wherein the calculating the first hash password value corresponding to the first biometric data specifically comprises:

combining the first biological characteristic data into a character string and storing the character string into a memory buffer area, and carrying out byte-by-byte signature on the data in the memory buffer area according to a pre-stored secret key to obtain signature data; wherein the pre-stored key is generated by an asymmetric encryption algorithm when the acquired second biometric data is calculated;

and carrying out hash calculation on the signature data for a first preset number of times to obtain the first hash password value.

5. The method for managing server password security based on BMC as recited in claim 1, wherein the responding to the authentication operation of the first user on the boot loader interface is specifically:

and starting a kernel mirror image file according to the authentication operation, and communicating with the BMC through a standard protocol when the initialization of the kernel mirror image file is completed, wherein the BMC obtains a starting verification command by analyzing standard data of the standard protocol, and starts intelligent graphic computing service of the BMC in the server according to the starting verification command.

6. The BMC-based server password security management method of claim 5, further comprising:

when the comparison fails, counting the times of the failed comparison to obtain authentication failure times;

when the authentication failure times are larger than the second preset times, shutting down;

when the authentication failure times are not more than the second preset times, performing the calling of the intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.

7. The method for managing server password security based on BMC as claimed in claim 3, wherein the first external device collects first biometric data of the first user, specifically:

starting a hot plug camera to collect facial feature data of the first user;

starting fingerprint acquisition equipment to acquire fingerprint data of the first user;

and starting a user bracelet and collecting heartbeat data of the first user.

8. The method for managing server password security based on BMC as recited in claim 2, wherein the remotely acquiring the second biometric data of the second user according to the intelligent graphics computing service in the BMC comprises:

invoking a biological information collection service in the BMC, and performing interactive communication between the intelligent graphic computation service and a second core service of a second user remote device through a third network;

and sending a second starting command to a second core service of the second user remote equipment according to the communication protocol, enabling the second user remote equipment to receive the second starting command and start the second core service, calling a driving interface of a third external equipment connected with the second user remote equipment, starting the third external equipment to work, enabling the third external equipment to collect second biological characteristic data of the second user, and returning the collected second biological characteristic data of the second user to the intelligent graphic computing service through the second core service.

9. The server password safety management device based on the BMC is characterized by comprising a biological characteristic data acquisition module, a password comparison module and an authorization control module;

the module for acquiring the biological characteristic data is used for responding to the authentication operation of a first user on a starting loader interface, calling intelligent graphic computing service in the BMC and acquiring the first biological characteristic data of the first user locally or remotely;

the password comparison module is used for calculating a first hash password value corresponding to the first biological characteristic data and comparing the first hash password value with a pre-stored second hash password value; the second hash password value is obtained by performing local acquisition or remote acquisition of second biological characteristic data of a second user according to intelligent graphic calculation service in the BMC and performing calculation on the acquired second biological characteristic data;

and the authorization control module is used for authorizing the control operation of the first user on the starting loader interface when the comparison is passed.

10. The BMC-based server password security management apparatus of claim 9, further comprising a duplicate authentication module;

the repeated authentication module is used for counting the times of failed comparison when the comparison fails, so as to obtain authentication failure times;

when the authentication failure times are larger than the second preset times, shutting down;

when the authentication failure times are not more than the second preset times, performing the calling of the intelligent graphic computing service in the BMC again, and obtaining the first biological characteristic data of the first user locally or remotely; and calculating a first hash password value corresponding to the first biological characteristic data, and comparing the first hash password value with a pre-stored second hash password value.