CN111125668A - Method and system for enhancing login security of Linux operating system based on mobile terminal - Google Patents
- Publication number: CN111125668A (application CN201910939718.XA)
- Authority: CN (China)
- Prior art keywords: login, mobile terminal, authentication, operating system, information
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G06F21/36—User authentication by graphic or iconic representation (G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31—User authentication)
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45—Structures or tools for the administration of authentication)
Abstract
The invention discloses a method for enhancing the login security of a Linux operating system based on a mobile terminal. It is applied in an environment of an authentication server, a client and the mobile terminal, and comprises the following steps: the client displays a two-dimensional code, which carries login authentication request information, on its login interface; the mobile terminal scans the two-dimensional code displayed on the login interface of the client to obtain the login authentication request information, generates one-time login verification information from its own identity identification information and the login authentication request information, and sends the one-time login verification information to the authentication server; the authentication server judges whether the one-time login verification information from the mobile terminal is valid, and if it is valid, sends the operating system login user name and the successful verification result to the client. The invention can effectively solve the technical problem that, in the login mode of the existing Linux operating system, a login user who forgets the static password cannot log in to the Linux operating system.
Description
Technical Field
The invention belongs to the technical field of information security and internet communication, and particularly relates to a method and a system for enhancing the login security of a Linux operating system based on a mobile terminal.
Background
Linux, a family of Unix-like operating systems that are free to use and redistribute, has found increasingly widespread use in scientific computing environments.
The login mode of the existing Linux operating system mainly requires the login user to enter a correct static password, but this login mode has technical problems that cannot be neglected: firstly, the login user must remember the static password, and once it is forgotten the login user cannot log in to the Linux operating system at all; secondly, the static password is stored in a file of the Linux operating system, and because that file is easily stolen, the static password is easily cracked.
Disclosure of Invention
Aiming at the defects or the improvement requirements in the prior art, the invention provides a method and a system for enhancing the login security of a Linux operating system based on a mobile terminal, and aims to effectively solve the technical problems that a login user cannot log in the Linux operating system when forgetting a static password in the login mode of the existing Linux operating system and the static password is easy to crack because a file storing the static password is easy to steal.
To achieve the above object, according to one aspect of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client, and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method comprising the steps of:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
(2) the mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login authentication information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login authentication information to the authentication server;
(3) the authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system using the operating system login user name according to the successful verification result, and the process is finished;
(6) the authentication server informs the client that the verification fails, and the process is finished.
Preferably, the login authentication request message includes one or more of a nonce, a client hardware identification, and a Linux operating system identification of the client.
Preferably, the identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information of the login user of the mobile terminal.
Preferably, when the identification information of the mobile terminal is the private key of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to perform digital signature operation on the login authentication request message by using the private key of the mobile terminal to generate signature information as the one-time login verification information;
when the identity identification information of the mobile terminal is the encrypted certificate of the mobile terminal, the identity identification information of the mobile terminal and the login authentication request message are used for generating the one-time login authentication information, and the process is that the encrypted certificate of the mobile terminal is used for carrying out encryption operation on the login authentication request message to generate the encrypted information as the one-time login authentication information;
when the identity identification information of the mobile terminal is the seed key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the seed key of the mobile terminal to perform dynamic password operation on the login authentication request message to generate a one-time dynamic password as the one-time login verification information;
when the identification information of the mobile terminal is the biological identification information of the login user of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to calculate the login authentication request message by using the biological identification information of the login user of the mobile terminal to generate the authentication information as the one-time login verification information.
Preferably, when the one-time login verification information is signature information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server performs validity verification on the signature information; if the verification succeeds, the one-time login verification information is valid, otherwise it is invalid;
when the one-time login verification information is encrypted information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server looks up the private key that it stored when the mobile terminal registered with the authentication server (the key having been generated at registration) and decrypts the encrypted information with that private key; if the decryption succeeds, the one-time login verification information is valid, otherwise it is invalid;
when the one-time login verification information is dynamic password information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, judging whether the dynamic password is valid or not by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is identification verification information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server carries out inverse operation on the one-time login verification information, analyzes the login user biological identification information of the mobile terminal, compares the biological identification information with the stored login user biological characteristic identification information of the mobile terminal, if the comparison is passed, the one-time login verification information is indicated to be valid, otherwise, the one-time login verification information is indicated to be invalid.
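The exchange in steps (1) to (6), carried through for the seed-key variant of the one-time login verification information, as an added Python example that is not part of the patent. It assumes three things the text leaves open: the client also registers the request it is displaying with the authentication server (the text does not say how the server correlates a mobile response with a particular client screen); the "dynamic password operation" is HMAC-SHA256 over the request with the RFC 4226 truncation rule; and the operating system login user name is fixed when the mobile terminal registers, the third option the text gives. All identifiers and key material are constructed.

```python
"""QR-code login exchange modelled after the patent's steps (1) to (6).

Added example, not the patent's own code. Seed-key variant: the mobile
terminal derives a one-time dynamic password from its seed key and the
scanned request (nonce, client hardware id, OS id); the server checks it
and releases the OS login user name. All identifiers are constructed."""
import hashlib
import hmac
import json
import secrets
import struct
import time

OTP_DIGITS = 8             # length of the one-time dynamic password
REQUEST_TTL_SECONDS = 120  # how long a displayed two-dimensional code stays valid


def canonical(request):
    """Serialise the request deterministically so that the mobile terminal
    and the server compute the MAC over exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def dynamic_password(seed_key, request):
    """Challenge-response one-time password: HMAC-SHA256 over the request,
    truncated with the RFC 4226 dynamic-truncation rule to OTP_DIGITS digits."""
    mac = hmac.new(seed_key, canonical(request), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class AuthServer:
    """Steps (3), (4) and (6): validate the response, then release the name."""

    def __init__(self):
        self.devices = {}        # device_id -> (seed_key, OS login user name)
        self.pending = {}        # nonce -> request currently shown on a client
        self.used_nonces = set()

    def register_device(self, device_id, seed_key, login_user):
        # Enrolment: seed key and login user name are fixed when the mobile
        # terminal registers (the patent's third option for the user name).
        self.devices[device_id] = (seed_key, login_user)

    def register_pending(self, request):
        self.pending[request["nonce"]] = dict(request)

    def verify(self, response, now=None):
        now = time.time() if now is None else now
        request = response.get("request") or {}
        nonce = request.get("nonce")
        if nonce in self.used_nonces:
            return {"ok": False, "reason": "replayed one-time information"}
        if self.pending.get(nonce) != request:
            return {"ok": False, "reason": "unknown or altered request"}
        if now - request["issued_at"] > REQUEST_TTL_SECONDS:
            return {"ok": False, "reason": "request expired"}
        device = self.devices.get(response.get("device_id"))
        if device is None:
            return {"ok": False, "reason": "unregistered mobile terminal"}
        seed_key, login_user = device
        expected = dynamic_password(seed_key, request)
        if not hmac.compare_digest(expected, str(response.get("otp", ""))):
            return {"ok": False, "reason": "dynamic password mismatch"}
        self.used_nonces.add(nonce)   # strictly single use from here on
        del self.pending[nonce]
        return {"ok": True, "login_user": login_user}


class Client:
    """Step (1): the Linux host that shows the two-dimensional code."""

    def __init__(self, hardware_id, os_id, server):
        self.hardware_id, self.os_id, self.server = hardware_id, os_id, server

    def new_login_request(self):
        request = {"nonce": secrets.token_hex(16), "client_hw_id": self.hardware_id,
                   "os_id": self.os_id, "issued_at": int(time.time())}
        # Assumption: the client tells the server which request it is showing,
        # so a mobile response can be tied back to this login screen.
        self.server.register_pending(request)
        return request  # the payload the two-dimensional code encodes


class MobileTerminal:
    """Step (2): scans the code and answers with one-time information."""

    def __init__(self, device_id, seed_key):
        self.device_id, self.seed_key = device_id, seed_key

    def scan_and_respond(self, qr_payload):
        return {"device_id": self.device_id, "request": dict(qr_payload),
                "otp": dynamic_password(self.seed_key, qr_payload)}


def run_demo():
    """One successful login plus the three failure modes the server rejects."""
    server = AuthServer()
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    server.register_device("phone-EXAMPLE-01", seed, "alice")
    client = Client("hw-EXAMPLE-7f3a", "os-EXAMPLE-host", server)
    phone = MobileTerminal("phone-EXAMPLE-01", seed)

    response = phone.scan_and_respond(client.new_login_request())
    first = server.verify(response)        # step (4): success
    replay = server.verify(response)       # same nonce again: step (6)
    altered = phone.scan_and_respond(client.new_login_request())
    altered["request"]["os_id"] = "os-EXAMPLE-other"   # tampered in transit
    tampered = server.verify(altered)
    expired = server.verify(phone.scan_and_respond(client.new_login_request()),
                            now=time.time() + 3600)
    return first, replay, tampered, expired
```

`run_demo()` returns the four server verdicts in order: success with the released user name, then the replayed, tampered and expired responses, each refused. The server consumes the nonce before it answers, which is what makes the verification information one-time; the signature and encryption variants described above would replace only `dynamic_password` and the matching check inside `verify`, the nonce, expiry and binding logic stay the same.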
Preferably, the operating system login user name is included in the two-dimensional code of step (1), or is built in the mobile terminal of step (2), or is created by the authentication server when the mobile terminal registers with it in step (4).
Preferably, after the step (4) and before the step (5), the client performs a secondary authentication process according to an authentication method corresponding to a login user name of the operating system, and determines whether to allow the login user corresponding to the login user name to log in the operating system according to a secondary authentication result.
Preferably, the client executes the secondary authentication process according to the authentication mode corresponding to the login user name of the operating system as follows: the client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the PAM library directory to obtain the authentication mode of the operating system login user name. If the authentication mode is empty, no authentication process is executed and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting input of a static password to the login interface of the client and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, that login user is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting input of a dynamic password to the authentication server; if a message that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is short message password authentication, the PAM library starts a session function to send a message requesting input of a short message password to the authentication server; if a message that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused.
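The secondary authentication dispatch just described, as an added Python example that is not the patent's code: a small per-user configuration text stands in for the PAM configuration file, `prompt` stands in for the PAM session function that asks the login interface for input, and `server_check` stands in for the round trip to the authentication server for dynamic and short message passwords. It follows the text in skipping authentication for an empty mode, and additionally refuses a user name that has no configured mode at all and any mode it does not recognise. The configuration text, password store and callbacks are constructed.

```python
"""Secondary authentication dispatch keyed by the OS login user name.

Added example, not the patent's own code. Models the per-user mode lookup
the text attributes to the PAM configuration file and its four modes
(empty, static password, dynamic password, short message password).
Config text, password store, prompt and server callback are stand-ins."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000

# Constructed sample in the shape of a tiny "user -> mode" configuration file.
SAMPLE_CONFIG = """\
# <os login user name>  <secondary authentication mode>
alice   static
bob     dynamic
carol   sms
dave    -          # '-' denotes an empty mode: no secondary authentication
"""


def parse_mode_table(text):
    """Return {user: mode}; '-' maps to the empty mode described in the text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        user, mode = line.split()
        table[user] = "" if mode == "-" else mode
    return table


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 digest for the static-password store."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored, candidate):
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(attempt, digest)   # constant-time comparison


def secondary_authenticate(username, mode_table, password_store, prompt, server_check):
    """Return (allowed, reason).

    prompt(message) -> str        : the PAM session function asking the login
                                    interface for input.
    server_check(mode, user, code): the authentication server's pass/fail
                                    answer for dynamic and SMS passwords."""
    if username not in mode_table:
        # Fail closed: a user with no configured mode is not the same as the
        # empty mode the text describes.
        return False, "no secondary authentication mode configured"
    mode = mode_table[username]
    if mode == "":
        return True, "empty mode: secondary authentication skipped"
    if mode == "static":
        stored = password_store.get(username)
        if stored is None:
            return False, "no static password enrolled"
        ok = verify_password(stored, prompt("Password: "))
        return ok, "static password " + ("accepted" if ok else "rejected")
    if mode in ("dynamic", "sms"):
        code = prompt(f"{mode} password: ")
        ok = bool(server_check(mode, username, code))
        return ok, f"{mode} password {'accepted' if ok else 'rejected'} by authentication server"
    return False, f"unknown authentication mode {mode!r}"
```

Because the empty mode grants access on the strength of the first factor alone, the table that assigns modes is itself part of the trust boundary: the example therefore distinguishes "empty mode" (explicitly configured, login proceeds) from "no entry" (refused), so that a deleted or unreadable configuration line cannot silently turn into a bypass.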
According to another aspect of the present invention, there is provided a system for enhancing the login security of a Linux operating system based on a mobile terminal, which is applied in the environment of an authentication server, a client terminal, and the mobile terminal, wherein the authentication server is communicatively connected to both the client terminal and the mobile terminal, the system comprising:
a first module, arranged in the client and used for displaying a two-dimensional code on the login interface of the client, wherein the two-dimensional code comprises login authentication request information;
the second module is arranged in the mobile terminal and used for scanning the two-dimensional code displayed on the login interface of the client terminal to acquire login authentication request information, generating one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request information, and sending the one-time login verification information to the authentication server;
the third module is arranged in the authentication server and used for judging whether the one-time login verification information from the mobile terminal is valid or not, if so, switching to the fourth module, and otherwise, switching to the sixth module;
the fourth module is arranged in the authentication server and used for sending the login user name of the operating system and the verification success result to the client;
a fifth module, arranged in the client and used for logging in to the operating system using the operating system login user name according to the successful verification result, whereupon the process is finished;
and the sixth module is arranged in the authentication server and used for notifying the client that the verification fails and finishing the process.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) because the invention provides a mode of logging in to the Linux operating system using the mobile terminal, the login user does not need to remember a static password, thereby solving the technical problem that, in the existing static-password login mode, a login user who forgets the static password cannot log in to the Linux system;
(2) both the process of generating the one-time login verification information and the process of verifying its validity use the identity identification information of the mobile terminal and apply cryptographic techniques (namely signature, encryption and authentication processes) to produce dynamic one-time login verification information, thereby raising the login security level of the operating system and solving the technical problem that a static password in the existing login mode is easy for a hacker to crack;
(3) the invention realizes Linux system login based on the mobile terminal, thereby improving the safety of Linux local account information (namely an operating system login user name and a login password), and solving the technical problem that the static password is easy to crack because a file storing the static password is easy to steal in the existing login mode.
(4) According to the authentication method, the secondary identity authentication is executed according to the authentication mode corresponding to the user name of the login user of the operating system, and the factor used in the secondary identity authentication process is different from the factor used in the process of authenticating the validity of the one-time login verification information, so that the authentication safety can be further improved;
(5) the invention is realized based on the mobile terminal, so the operation of logging in the user is simple and the carrying is convenient.
Drawings
Fig. 1 is a flowchart of a method for enhancing the login security of a Linux operating system based on a mobile terminal according to a first embodiment of the present invention.
Fig. 2 is a flowchart of a method for enhancing the login security of the Linux operating system based on the mobile terminal according to a second embodiment of the present invention.
Fig. 3 is a flowchart of a method for enhancing the login security of the Linux operating system based on the mobile terminal according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
For the purpose of facilitating understanding of the present invention, the technical terms of the present invention will be explained and explained first:
Two-dimensional code (two-dimensional bar code): a pattern of black and white cells in specific geometric shapes, distributed over a plane (two dimensions) according to a fixed rule, that records data symbol information; the information is read automatically by an image input device or a photoelectric scanning device to enable automatic information processing. The encoding makes use of the "0" and "1" bit stream that forms the internal logic basis of computers, with several geometric shapes corresponding to the binary system representing text and numeric information. It shares some features of barcode technology: each code system has its specific character set, each character occupies a certain width, and it has certain checking functions. In addition, it can automatically identify information in different rows and handle changes in the rotation of the graphic.
Authentication server: the server responsible for receiving a connection request from a login user, authenticating the legitimacy of the login user, and returning the authentication result to the login user.
As shown in fig. 1, according to a first embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client terminal, and the mobile terminal, wherein the authentication server is communicatively connected to both the client terminal and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
specifically, the client is installed with a Linux operating system, which may be a Personal Computer (PC), a notebook (Laptop), a Server (Server), or the like.
It should be noted that the above Linux operating systems include international Linux operating systems and domestic Linux operating systems, wherein the international Linux operating systems include, but are not limited to, Ubuntu, Linux, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD, CentOS, etc.; a domestic Linux operating system is a domestic operating system developed on the basis of Linux, and includes, but is not limited to, NeoKylin, Ubuntu Kylin, Red Flag Linux, and the like.
Specifically, the login authentication request message includes a nonce, a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login verification information and an operating system login user name built in the mobile terminal to an authentication server;
specifically, the mobile terminal may be any terminal capable of scanning and identifying a two-dimensional code and holding identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information (including fingerprint, iris, face, etc.) of the mobile terminal.
In this step, the process of generating the one-time login verification information by using the identity information of the mobile terminal and the login authentication request message may be to perform digital signature operation on the login authentication request message by using a private key of the mobile terminal to generate signature information as the one-time login verification information, or to perform encryption operation on the login authentication request message by using an encryption certificate of the mobile terminal to generate encryption information as the one-time login verification information, or to perform dynamic password operation on the login authentication request message by using a seed key of the mobile terminal to generate a one-time dynamic password as the one-time login verification information, or to perform operation on the login authentication request message by using the biometric information of the login user of the mobile terminal to generate authentication verification information as the one-time login verification information.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
specifically, when the one-time login verification information is signature information, the process of determining whether the one-time login verification information from the mobile terminal is valid in this step is that the authentication server performs validity verification on the signature information; if the verification succeeds, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is encrypted information, the process of judging whether the one-time login verification information from the mobile terminal is valid in this step is that the authentication server looks up the private key that it stored when the mobile terminal registered with the authentication server (the key having been generated at registration) and decrypts the encrypted information with that private key; if the decryption succeeds, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is dynamic password information, the process of judging whether the one-time login verification information from the mobile terminal is valid in the step is specifically that the authentication server judges whether the dynamic password is valid, if so, the one-time login verification information is valid, and if not, the one-time login verification information is invalid.
When the one-time login verification information is identification verification information, the process of judging whether the one-time login verification information from the mobile terminal is valid or not in the step is specifically that the authentication server performs inverse operation on the one-time login verification information, analyzes the biological identification information of the login user of the mobile terminal, compares the biological identification information with the stored biological characteristic identification information of the login user of the mobile terminal, if the comparison is passed, the one-time login verification information is indicated to be valid, and otherwise, the one-time login verification information is indicated to be invalid.
(4) The authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system using the operating system login user name according to the successful verification result, and the process is finished;
optionally, after the step (4) and before the step (5), the method of the present invention may further include the step of the client performing secondary authentication according to the authentication method corresponding to the login user name of the operating system, and determining whether to allow the login user corresponding to the login user name to log in the operating system according to the result of the secondary authentication.
It should be noted that the factors used in the secondary authentication process are different from the factors used in the aforementioned process of verifying the validity of the one-time login verification information.
Specifically, the client executes the secondary authentication process according to the authentication mode corresponding to the login user name of the operating system as follows: the client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the PAM library directory to obtain the authentication mode of the operating system login user name. If the authentication mode is empty, no authentication process is executed and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting input of a static password to the login interface of the client and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, that login user is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting input of a dynamic password to the authentication server; if a message that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is short message password authentication, the PAM library starts a session function to send a message requesting input of a short message password to the authentication server; if a message that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
As shown in fig. 2, according to a second embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code of a login user on a login interface of the client, wherein the two-dimensional code comprises a login user name of the operating system and a login authentication request message;
specifically, the client is installed with a Linux operating system, which may be a Personal Computer (PC), a notebook (Laptop), a Server (Server), or the like.
It should be noted that the above Linux operating systems include international Linux operating systems and domestic Linux operating systems, wherein the international Linux operating systems include, but are not limited to, Ubuntu, Linux, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD, CentOS, etc.; a domestic Linux operating system is a domestic operating system developed on the basis of Linux, and includes, but is not limited to, NeoKylin, Ubuntu Kylin, Red Flag Linux, and the like.
For example, the login user may be a root user, an admin user, or another user that logs in to the Linux operating system.
Specifically, the operating system login user name is an operating system login user name for logging in the Linux operating system.
Specifically, the login authentication request message includes a nonce, a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain login authentication request information and an operating system login user name, generates one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request information, and sends the one-time login verification information and the operating system login user name to an authentication server;
specifically, the mobile terminal may be any terminal that can scan and decode a two-dimensional code and that holds identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information (including fingerprint, iris, face, etc.) of the mobile terminal.
In this step, the one-time login verification information may be generated from the identity identification information of the mobile terminal and the login authentication request message in any of the following ways: a digital signature operation is performed on the login authentication request message with the private key of the mobile terminal, and the resulting signature information is used as the one-time login verification information; an encryption operation is performed on the login authentication request message with the encryption certificate of the mobile terminal, and the resulting encrypted information is used as the one-time login verification information; a dynamic password operation is performed on the login authentication request message with the seed key of the mobile terminal, and the resulting one-time dynamic password is used as the one-time login verification information; or an operation is performed on the login authentication request message with the biometric information of the login user of the mobile terminal, and the resulting authentication verification information is used as the one-time login verification information.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
specifically, when the one-time login verification information is signature information, the authentication server determines whether it is valid by verifying the signature information: if the signature verification succeeds, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is encrypted information, the authentication server determines whether it is valid by looking up the private key that it stores and that was generated when the mobile terminal registered with the authentication server, and decrypting the encrypted information with that private key: if the decryption succeeds, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is dynamic password information, the authentication server determines whether it is valid by judging whether the dynamic password is valid: if so, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is authentication verification information, the authentication server determines whether it is valid by performing the inverse operation on the one-time login verification information to recover the biometric information of the login user of the mobile terminal, and comparing it with the stored biometric information of that login user: if the comparison passes, the one-time login verification information is valid; otherwise, it is invalid.
(4) The authentication server sends the login user name of the operating system and the successful verification result to the client.
(5) The client logs in to the operating system with the operating system login user name according to the successful verification result, and the process is finished;
optionally, after the step (4) and before the step (5), the method of the present invention may further include a step in which the client performs secondary authentication according to an authentication method corresponding to the login user name of the operating system, and determines whether to allow the login user corresponding to the login user name to log in the operating system according to a result of the secondary authentication.
It should be noted that the factors used in the secondary authentication are different from the factors used in the aforementioned check of the validity of the one-time login verification information.
Specifically, the client executes the secondary authentication process according to the authentication mode corresponding to the login user name of the operating system as follows. The client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the directory of the PAM library to obtain the authentication mode of the login user name of the operating system. If the authentication mode is empty, no authentication process is executed, and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting the input of a static password to the login interface of the client, and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting the input of a dynamic password to the authentication server; if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused. If the authentication mode is short message password authentication, the PAM library starts a session function to send a message requesting the input of a short message password to the authentication server; if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
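The exchange of steps (1) to (5) of this embodiment, written out as an added Go example; it is not code from the patent or from any implementation it describes. It takes the private-key variant of step (2): the client encodes a nonce, its hardware identifier, an operating system identifier and the login user name in the QR payload, the phone signs exactly the bytes it scanned with an Ed25519 key whose public half was registered at enrolment, and the server verifies the signature and the nonce before returning the user name and the success result. The patent does not say who generates the nonce; here the server issues it and binds it to the client's hardware identifier so that it can check freshness, single use and the client it belongs to, and the client in turn accepts only a result that matches the nonce it is displaying. All type and field names, the JSON layout, the Ed25519 choice and the sample identifiers are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LoginRequest is the QR payload of step (1); the JSON field names are this example's choice.
type LoginRequest struct {
	Nonce    string `json:"nonce"`
	HWID     string `json:"hwid"` // client hardware identifier
	OSID     string `json:"osid"` // Linux operating system identifier of the client
	Username string `json:"user"` // operating system login user name
}

// Proof is what the phone sends in step (2): the scanned bytes, an Ed25519 signature over them, and its device id.
type Proof struct{ DeviceID string; Request, Signature []byte }

type Result struct{ Nonce, Username string } // the "verification successful" message of step (4)

type pendingNonce struct{ hwid string; expires time.Time } // which client a nonce went to, and until when

// AuthServer holds registered public keys plus nonces issued but not yet consumed. Having the
// server issue the nonce is this example's assumption; the patent only says the QR code has one.
type AuthServer struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]pendingNonce
	ttl     time.Duration
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]pendingNonce{}, ttl: ttl}
}

// Register stores a device's public key at enrolment; the private key stays on the phone.
func (s *AuthServer) Register(deviceID string, pub ed25519.PublicKey) { s.pubKeys[deviceID] = pub }

// IssueNonce hands a fresh random nonce to the client identified by hwid.
func (s *AuthServer) IssueNonce(hwid string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	n := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[n] = pendingNonce{hwid: hwid, expires: time.Now().Add(s.ttl)}
	return n, nil
}

// Verify is step (3): the signature must check under the registered key, and the signed nonce
// must be one this server issued to the same client, unexpired and unused; it is consumed here.
func (s *AuthServer) Verify(p Proof) (Result, error) {
	pub, ok := s.pubKeys[p.DeviceID]
	if !ok || !ed25519.Verify(pub, p.Request, p.Signature) {
		return Result{}, errors.New("unknown device or bad signature")
	}
	var req LoginRequest
	if err := json.Unmarshal(p.Request, &req); err != nil {
		return Result{}, err
	}
	pn, ok := s.pending[req.Nonce]
	if !ok || pn.hwid != req.HWID || time.Now().After(pn.expires) {
		return Result{}, errors.New("nonce unknown, expired or issued to another client")
	}
	delete(s.pending, req.Nonce) // single use: a replayed proof fails the lookup above
	return Result{Nonce: req.Nonce, Username: req.Username}, nil
}

// BuildQR is the client side of step (1): the text that would be rendered as a QR code.
func BuildQR(req LoginRequest) (string, error) {
	b, err := json.Marshal(req)
	return base64.StdEncoding.EncodeToString(b), err
}

// Scan is the phone side of step (2): decode the QR text and sign exactly those bytes.
func Scan(deviceID string, priv ed25519.PrivateKey, qr string) (Proof, error) {
	b, err := base64.StdEncoding.DecodeString(qr)
	return Proof{DeviceID: deviceID, Request: b, Signature: ed25519.Sign(priv, b)}, err
}

// Accept is the client's check before step (5): act only on a result for the nonce and user
// name currently displayed, so a success message for another session is ignored.
func Accept(displayed LoginRequest, r Result) bool {
	return r.Nonce == displayed.Nonce && r.Username == displayed.Username
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer(2 * time.Minute)
	srv.Register("phone-1", pub)
	nonce, _ := srv.IssueNonce("hw-0001") // constructed hardware id
	req := LoginRequest{Nonce: nonce, HWID: "hw-0001", OSID: "linux-constructed", Username: "alice"}
	qr, _ := BuildQR(req)
	proof, _ := Scan("phone-1", priv, qr)
	res, err := srv.Verify(proof)
	fmt.Println(Accept(req, res), err) // true <nil>
}
```

The short-lived, single-use nonce bound to the client's hardware identifier, together with the client-side Accept check, is what ties a verified signature to this particular login attempt: the signature alone proves possession of the phone's key, not that it was produced for the code currently on screen.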
As shown in fig. 3, according to a third embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
specifically, the client, on which a Linux operating system is installed, may be a Personal Computer (PC), a notebook (Laptop), a Server, or the like.
It should be noted that the above Linux operating systems include international Linux operating systems and domestic Linux operating systems, wherein the international Linux operating systems include, but are not limited to, Ubuntu, Linux, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD, CentOS, etc.; a domestic Linux operating system is a domestic operating system developed as a derivative of Linux, and includes, but is not limited to, NeoKylin, Ubuntu Kylin, Red Flag Linux, and the like.
Specifically, the login authentication request message includes a nonce, a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login authentication information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login authentication information to the authentication server;
specifically, the mobile terminal may be any terminal that can scan and decode a two-dimensional code and that holds identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information (including fingerprint, iris, face, etc.) of the mobile terminal.
In this step, the one-time login verification information may be generated from the identity identification information of the mobile terminal and the login authentication request message in any of the following ways: a digital signature operation is performed on the login authentication request message with the private key of the mobile terminal, and the resulting signature information is used as the one-time login verification information; an encryption operation is performed on the login authentication request message with the encryption certificate of the mobile terminal, and the resulting encrypted information is used as the one-time login verification information; a dynamic password operation is performed on the login authentication request message with the seed key of the mobile terminal, and the resulting one-time dynamic password is used as the one-time login verification information; or an operation is performed on the login authentication request message with the biometric information of the login user of the mobile terminal, and the resulting authentication verification information is used as the one-time login verification information.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
specifically, when the one-time login verification information is signature information, the authentication server determines whether it is valid by verifying the signature information: if the signature verification succeeds, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is encrypted information, the authentication server determines whether it is valid by looking up the private key that it stores and that was generated when the mobile terminal registered with the authentication server, and decrypting the encrypted information with that private key: if the decryption succeeds, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is dynamic password information, the authentication server determines whether it is valid by judging whether the dynamic password is valid: if so, the one-time login verification information is valid; otherwise, it is invalid.
When the one-time login verification information is authentication verification information, the authentication server determines whether it is valid by performing the inverse operation on the one-time login verification information to recover the biometric information of the login user of the mobile terminal, and comparing it with the stored biometric information of that login user: if the comparison passes, the one-time login verification information is valid; otherwise, it is invalid.
(4) The authentication server sends the successful verification result, together with the operating system login user name that was created when the mobile terminal registered with the authentication server, to the client;
(5) the client logs in to the operating system with the operating system login user name according to the successful verification result, and the process is finished;
optionally, after the step (4) and before the step (5), the method of the present invention may further include a step in which the client performs secondary authentication according to an authentication method corresponding to the login user name of the operating system, and determines whether to allow the login user corresponding to the login user name to log in the operating system according to a result of the secondary authentication.
It should be noted that the factors used in the secondary authentication are different from the factors used in the aforementioned check of the validity of the one-time login verification information.
Specifically, the client executes the secondary authentication process according to the authentication mode corresponding to the login user name of the operating system as follows. The client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the directory of the PAM library to obtain the authentication mode of the login user name of the operating system. If the authentication mode is empty, no authentication process is executed, and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting the input of a static password to the login interface of the client, and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting the input of a dynamic password to the authentication server; if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused. If the authentication mode is short message password authentication, the PAM library starts a session function to send a message requesting the input of a short message password to the authentication server; if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
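The optional secondary authentication described between steps (4) and (5) of the second and third embodiments, as an added Go example that is neither the patent's own code nor a PAM module: a per-user authentication mode is read from a small configuration file in a "user=mode" format this example invents, and the client then verifies a static password locally or hands a dynamic or short message password to the authentication server for a one-shot comparison. The HMAC-based static-password verifier, the Server type and the Prompter callback are stand-ins for pam_unix, the real authentication server and the PAM conversation function respectively; the sample configuration, credentials and codes are constructed, and every other assumption is marked in the comments.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Mode is a user's secondary authentication mode from the PAM application's configuration file.
type Mode string

const (
	ModeNone    Mode = "" // the "empty" mode in the text: login is allowed without a second check
	ModeStatic  Mode = "static"
	ModeDynamic Mode = "dynamic"
	ModeSMS     Mode = "sms"
)

// SampleConfig is a constructed configuration in this example's own "user=mode" format.
const SampleConfig = "alice=\nbob=static\ncarol=dynamic\ndave=sms\n"

// ParseModes reads the configuration; an unknown mode is an error, never silently "empty".
func ParseModes(cfg string) (map[string]Mode, error) {
	modes := map[string]Mode{}
	for _, line := range strings.Split(strings.TrimSpace(cfg), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		user, mode := strings.TrimSpace(kv[0]), Mode(strings.TrimSpace(kv[1]))
		switch mode {
		case ModeNone, ModeStatic, ModeDynamic, ModeSMS:
			modes[user] = mode
		default:
			return nil, fmt.Errorf("unknown mode %q for user %s", mode, user)
		}
	}
	return modes, nil
}

// StaticCred is a salted verifier standing in for the crypt(3) hash check that pam_unix performs.
type StaticCred struct{ salt, mac []byte }
func hmacOf(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}
func NewStaticCred(salt []byte, password string) StaticCred {
	return StaticCred{salt: salt, mac: hmacOf(salt, password)}
}
func (c StaticCred) Matches(password string) bool { return hmac.Equal(hmacOf(c.salt, password), c.mac) }

// Server stands in for the authentication server; it holds the one-time code it expects per (mode, user).
type Server struct{ pending map[Mode]map[string]string }
func NewServer() *Server { return &Server{pending: map[Mode]map[string]string{ModeDynamic: {}, ModeSMS: {}}} }

// Expect records the next acceptable dynamic or SMS password (constructed by the caller in this example).
func (s *Server) Expect(mode Mode, user, code string) { s.pending[mode][user] = code }

// Check consumes the pending code on the first attempt, whether or not it matches.
func (s *Server) Check(mode Mode, user, code string) bool {
	want, ok := s.pending[mode][user]
	delete(s.pending[mode], user)
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1
}

// Prompter stands in for the PAM conversation function: the reply typed at the login interface.
type Prompter func(prompt string) string

// SecondFactor is the client-side decision after step (4). The text covers only the empty-mode
// case; denying a user who has no configuration line at all is this example's choice.
func SecondFactor(user string, modes map[string]Mode, creds map[string]StaticCred, ask Prompter, srv *Server) bool {
	mode, ok := modes[user]
	if !ok {
		return false
	}
	switch mode {
	case ModeNone:
		return true
	case ModeStatic:
		c, ok := creds[user]
		return ok && c.Matches(ask("Password: "))
	case ModeDynamic:
		return srv.Check(ModeDynamic, user, ask("Dynamic password: "))
	case ModeSMS:
		return srv.Check(ModeSMS, user, ask("SMS password: "))
	}
	return false
}

func main() {
	modes, _ := ParseModes(SampleConfig)
	creds := map[string]StaticCred{"bob": NewStaticCred([]byte("constructed-salt"), "hunter2")}
	typed := func(string) string { return "hunter2" } // what the user types at the prompt
	fmt.Println(SecondFactor("bob", modes, creds, typed, NewServer())) // true
}
```

Two design choices matter here: an unrecognised mode string is rejected when the configuration is parsed rather than treated as the empty mode, so a typo cannot turn into "no second factor", and a dynamic or SMS code is discarded after a single attempt whether or not it matched, so a wrong guess cannot be retried against the same code.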
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (9)
1. A method for enhancing the login security of a Linux operating system based on a mobile terminal is applied to the environments of an authentication server, a client and the mobile terminal, wherein the authentication server is in communication connection with both the client and the mobile terminal, and the method is characterized by comprising the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
(2) the mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login authentication information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login authentication information to the authentication server;
(3) the authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system with the operating system login user name according to the successful verification result, and the process is finished;
(6) the authentication server informs the client that the verification fails, and the process is finished.
2. The method for enhancing Linux operating system login security based on the mobile terminal of claim 1, wherein the login authentication request message comprises one or more of a nonce, a client hardware identifier, and a Linux operating system identifier of the client.
3. The method for enhancing the login security of the Linux operating system based on the mobile terminal of claim 1, wherein the identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information of a login user of the mobile terminal.
4. The method for enhancing Linux operating system login security based on the mobile terminal of claim 3, wherein,
when the identity identification information of the mobile terminal is the private key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the private key of the mobile terminal to perform digital signature operation on the login authentication request message to generate signature information as the one-time login verification information;
when the identity identification information of the mobile terminal is the encryption certificate of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the encryption certificate of the mobile terminal to perform an encryption operation on the login authentication request message to generate encrypted information as the one-time login verification information;
when the identity identification information of the mobile terminal is the seed key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the seed key of the mobile terminal to perform dynamic password operation on the login authentication request message to generate a one-time dynamic password as the one-time login verification information;
when the identification information of the mobile terminal is the biological identification information of the login user of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to calculate the login authentication request message by using the biological identification information of the login user of the mobile terminal to generate the authentication information as the one-time login verification information.
5. The method for enhancing Linux operating system login security based on the mobile terminal of claim 4, wherein,
when the one-time login verification information is signature information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, verifying the validity of the signature information by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is encrypted information, judging whether the one-time login verification information from the mobile terminal is valid or not is specifically that the authentication server searches for the private key which it stores and which was generated when the mobile terminal registered with the authentication server, and decrypts the encrypted information by using that private key; if the decryption is successful, the one-time login verification information is valid, otherwise, it is invalid;
when the one-time login verification information is dynamic password information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, judging whether the dynamic password is valid or not by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is identification verification information, judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server performs the inverse operation on the one-time login verification information to recover the biometric information of the login user of the mobile terminal, and compares it with the stored biometric information of the login user of the mobile terminal; if the comparison passes, the one-time login verification information is valid, otherwise, it is invalid.
6. The method for enhancing Linux operating system login security based on the mobile terminal according to claim 1, wherein the operating system login user name is included in the two-dimensional code of step (1), or is built in the mobile terminal of step (2), or is created by the authentication server when the mobile terminal registers with the authentication server in step (4).
7. The method according to claim 1, further comprising, after the step (4) and before the step (5), the step of executing, by the client, a secondary authentication process according to an authentication method corresponding to the login user name of the operating system, and determining whether to allow the login user corresponding to the login user name to log in the operating system according to a result of the secondary authentication.
8. The method for enhancing the login security of the Linux operating system based on the mobile terminal according to claim 7, wherein the secondary authentication process executed by the client according to the authentication mode corresponding to the login user name of the operating system is specifically as follows: the client starts a PAM application program of the Linux operating system to call a PAM library, and the PAM library searches the configuration file of the PAM application program in the directory of the PAM application program to obtain the authentication mode of the login user name of the operating system; if the authentication mode is null, no authentication process is executed, and the login user corresponding to the login user name is directly allowed to log in to the operating system; if the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting the input of a static password to the login interface of the client, and verifies whether the static password entered by the login user corresponding to the login user name is correct, and if so, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused; if the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting the input of a dynamic password to the authentication server, and if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused; if the authentication mode is short message password authentication, the PAM library starts a session function to send a message requesting the input of a short message password to the authentication server, and if a message indicating that the authentication by the authentication server has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, and otherwise that login user is refused.
9. A system for enhancing the login security of a Linux operating system based on a mobile terminal is applied to the environments of an authentication server, a client terminal and the mobile terminal, wherein the authentication server is in communication connection with both the client terminal and the mobile terminal, and the system is characterized by comprising:
a first module, arranged in the client, for displaying a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
the second module is arranged in the mobile terminal and used for scanning the two-dimensional code displayed on the login interface of the client terminal to acquire login authentication request information, generating one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request information, and sending the one-time login verification information to the authentication server;
the third module is arranged in the authentication server and used for judging whether the one-time login verification information from the mobile terminal is valid or not, if so, switching to the fourth module, and otherwise, switching to the sixth module;
the fourth module is arranged in the authentication server and used for sending the login user name of the operating system and the verification success result to the client;
a fifth module, arranged in the client, for logging in to the operating system with the operating system login user name according to the successful verification result, whereupon the process is finished;
and the sixth module is arranged in the authentication server and used for notifying the client that the verification fails and finishing the process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910939718.XA CN111125668A (en) | 2019-09-30 | 2019-09-30 | Method and system for enhancing login security of Linux operating system based on mobile terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910939718.XA CN111125668A (en) | 2019-09-30 | 2019-09-30 | Method and system for enhancing login security of Linux operating system based on mobile terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111125668A true CN111125668A (en) | 2020-05-08 |
Family
ID=70495365
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910939718.XA Pending CN111125668A (en) | 2019-09-30 | 2019-09-30 | Method and system for enhancing login security of Linux operating system based on mobile terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111125668A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112291218A (en) * | 2020-10-22 | 2021-01-29 | 四川长虹电器股份有限公司 | Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm |
CN115085968A (en) * | 2022-04-29 | 2022-09-20 | 麒麟软件有限公司 | Login authentication method based on custom tag under Linux |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102195932A (en) * | 2010-03-05 | 2011-09-21 | 北京路模思科技有限公司 | Method and system for realizing network identity authentication based on two pieces of isolation equipment |
CN103001974A (en) * | 2012-12-26 | 2013-03-27 | 百度在线网络技术(北京)有限公司 | Method, system and device used for controlling login and based on two-dimensional code |
CN103001973A (en) * | 2012-12-26 | 2013-03-27 | 百度在线网络技术(北京)有限公司 | Method, system and device used for controlling login and based on two-dimensional code |
CN103617531A (en) * | 2013-12-16 | 2014-03-05 | 信雅达系统工程股份有限公司 | Safety payment method and device based on credible two-dimension code |
CN103944877A (en) * | 2014-03-02 | 2014-07-23 | 王恩惠 | Method and system for safely logging on bank website based on two-dimension code |
CN104378368A (en) * | 2014-11-10 | 2015-02-25 | 武汉传神信息技术有限公司 | Code scanning log-in method and system |
CN105897424A (en) * | 2016-03-14 | 2016-08-24 | 深圳奥联信息安全技术有限公司 | Method for enhancing identity authentication |
CN105933353A (en) * | 2016-07-05 | 2016-09-07 | 北京万维星辰科技有限公司 | Method and system for realizing secure login |
CN106936803A (en) * | 2015-12-31 | 2017-07-07 | 亿阳安全技术有限公司 | Two-dimensional code scanning certification login method and relevant apparatus |
CN107277059A (en) * | 2017-08-08 | 2017-10-20 | 沈阳东青科技有限公司 | A kind of one-time password identity identifying method and system based on Quick Response Code |
CN107332659A (en) * | 2017-05-24 | 2017-11-07 | 舒翔 | A kind of identity identifying method based on biological characteristic, storage medium and system |
CN108259445A (en) * | 2016-12-29 | 2018-07-06 | 上海格尔软件股份有限公司 | MS windows desktops Security Login System and its login method based on smart mobile phone |
CN108881222A (en) * | 2018-06-15 | 2018-11-23 | 郑州信大壹密科技有限公司 | Strong identity authentication system and method based on PAM framework |
CN108923931A (en) * | 2018-06-27 | 2018-11-30 | 努比亚技术有限公司 | A kind of electronic certificate processing method, equipment and computer readable storage medium |
CN109831463A (en) * | 2019-03-29 | 2019-05-31 | 大连九锁网络有限公司 | Intelligent terminal security protection system for operating system login authentication |
- 2019
- 2019-09-30 CN CN201910939718.XA patent/CN111125668A/en active Pending
Non-Patent Citations (1)
Title |
---|
邓增涛: "Red Hat Linux 6.5 Advanced Application Tutorial", 31 March 2000, 海洋出版社 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112291218A (en) * | 2020-10-22 | 2021-01-29 | 四川长虹电器股份有限公司 | Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm |
CN112291218B (en) * | 2020-10-22 | 2022-02-01 | 四川长虹电器股份有限公司 | Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm |
CN115085968A (en) * | 2022-04-29 | 2022-09-20 | 麒麟软件有限公司 | Login authentication method based on custom tag under Linux |
CN115085968B (en) * | 2022-04-29 | 2023-08-04 | 麒麟软件有限公司 | Login authentication method based on custom tag under Linux |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102493744B1 (en) | Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server | |
CN104065652B (en) | A kind of auth method, device, system and relevant device | |
CN111431719A (en) | Mobile terminal password protection module, mobile terminal and password protection method | |
CN111031539A (en) | Method and system for enhancing login security of Windows operating system based on mobile terminal | |
US20140053251A1 (en) | User account recovery | |
WO2019226115A1 (en) | Method and apparatus for user authentication | |
US11665156B2 (en) | Method and system for securely authenticating a user by an identity and access service using a pictorial code and a one-time code | |
CN104767616A (en) | Message processing method, system and related device | |
CN104767617A (en) | Message processing method, system and related device | |
CN104426659A (en) | Dynamic password generating method, authentication method, authentication system and corresponding equipment | |
CN109496443B (en) | Mobile authentication method and system therefor | |
CN112313983A (en) | User authentication using companion device | |
CN111083100B (en) | Method and system for enhancing login security of Linux operating system based on message pushing | |
CN113641973A (en) | Identity authentication method, system and medium | |
CN111125668A (en) | Method and system for enhancing login security of Linux operating system based on mobile terminal | |
CN111131140B (en) | Method and system for enhancing login security of Windows operating system based on message pushing | |
CN110995654B (en) | Terminal temporary authorization method, device and system based on dynamic two-dimensional code | |
CN115801450B (en) | Multi-dimensional joint authentication method and system for time and terminal | |
CN112364322A (en) | Safety verification system and method for instant communication tool | |
CN108965335B (en) | Method for preventing malicious access to login interface, electronic device and computer medium | |
CN114584324B (en) | Identity authorization method and system based on block chain | |
CN111078649A (en) | Block chain-based on-cloud file storage method and device and electronic equipment | |
CN106533685B (en) | Identity authentication method, device and system | |
CN115086090A (en) | Network login authentication method and device based on UKey | |
KR101936941B1 (en) | Electronic approval system, method, and program using biometric authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | Application publication date: 20200508 |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | |