CN111125668A - Method and system for enhancing login security of Linux operating system based on mobile terminal - Google Patents


Info

Publication number: CN111125668A
Application number: CN201910939718.XA
Authority: CN (China)
Prior art keywords: login, mobile terminal, authentication, operating system, information
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Other languages: Chinese (zh)
Inventors: 乔海权, 胡进, 张庆勇
Current assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd (the listed assignees may be inaccurate)
Original assignee: WUHAN ARGUSEC TECHNOLOGY CO LTD; Beijing Infosec Technologies Co Ltd
Application filed by WUHAN ARGUSEC TECHNOLOGY CO LTD, Beijing Infosec Technologies Co Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication > G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication > G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords


Abstract

The invention discloses a method for enhancing the login security of a Linux operating system based on a mobile terminal. It is applied in an environment consisting of an authentication server, a client and the mobile terminal, and comprises the following steps: the client displays a two-dimensional code on its login interface, the two-dimensional code containing login authentication request information; the mobile terminal scans the two-dimensional code displayed on the client's login interface to obtain the login authentication request information, generates one-time login verification information from its own identity identification information and the login authentication request information, and sends the one-time login verification information to the authentication server; the authentication server judges whether the one-time login verification information from the mobile terminal is valid and, if it is valid, sends the operating system login user name and a successful verification result to the client. The invention effectively solves the technical problem that, in the login mode of the existing Linux operating system, a login user who forgets the static password cannot log in to the Linux operating system.

Description

Method and system for enhancing login security of Linux operating system based on mobile terminal
Technical Field
The invention belongs to the technical field of information security and internet communication, and particularly relates to a method and a system for enhancing the login security of a Linux operating system based on a mobile terminal.
Background
Linux has found increasingly widespread use in the scientific computing environment as a set of Unix-like operating systems that are free to use and propagate.
The login mode of the existing Linux operating system mainly requires the login user to enter the correct static password, but this login mode has technical problems that cannot be ignored: firstly, the login user must remember the static password, and once it is forgotten the login user cannot log in to the Linux operating system at all; secondly, the static password is stored in a file of the Linux operating system, and since that file is easily stolen, the static password is easily cracked.
Disclosure of Invention
In view of the defects or improvement needs of the prior art, the invention provides a method and a system for enhancing the login security of a Linux operating system based on a mobile terminal. It aims to effectively solve two technical problems of the login mode of the existing Linux operating system: a login user who forgets the static password cannot log in to the Linux operating system, and the static password is easy to crack because the file storing it is easy to steal.
To achieve the above object, according to one aspect of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client, and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method comprising the steps of:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
(2) the mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login authentication information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login authentication information to the authentication server;
(3) the authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system with the operating system login user name according to the successful verification result, and the process ends;
(6) the authentication server informs the client that the verification fails, and the process is finished.
Preferably, the login authentication request message includes one or more of a nonce, a client hardware identification, and a Linux operating system identification of the client.
Preferably, the identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information of the login user of the mobile terminal.
Preferably, when the identification information of the mobile terminal is the private key of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to perform digital signature operation on the login authentication request message by using the private key of the mobile terminal to generate signature information as the one-time login verification information;
when the identity identification information of the mobile terminal is the encrypted certificate of the mobile terminal, the identity identification information of the mobile terminal and the login authentication request message are used for generating the one-time login authentication information, and the process is that the encrypted certificate of the mobile terminal is used for carrying out encryption operation on the login authentication request message to generate the encrypted information as the one-time login authentication information;
when the identity identification information of the mobile terminal is the seed key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the seed key of the mobile terminal to perform dynamic password operation on the login authentication request message to generate a one-time dynamic password as the one-time login verification information;
when the identification information of the mobile terminal is the biological identification information of the login user of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to calculate the login authentication request message by using the biological identification information of the login user of the mobile terminal to generate the authentication information as the one-time login verification information.
Preferably, when the one-time login verification information is signature information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server verifies the validity of the signature information; if the verification succeeds, the one-time login verification information is valid, otherwise it is invalid;
when the one-time login verification information is encrypted information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server looks up the private key that was generated when the mobile terminal registered with the authentication server and is stored by the authentication server, and decrypts the encrypted information with that private key; if decryption succeeds, the one-time login verification information is valid, otherwise it is invalid;
when the one-time login verification information is dynamic password information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, judging whether the dynamic password is valid or not by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is identification verification information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server carries out inverse operation on the one-time login verification information, analyzes the login user biological identification information of the mobile terminal, compares the biological identification information with the stored login user biological characteristic identification information of the mobile terminal, if the comparison is passed, the one-time login verification information is indicated to be valid, otherwise, the one-time login verification information is indicated to be invalid.
Preferably, the operating system login user name is included in the two-dimensional code of step (1), or is built in the mobile terminal of step (2), or is created by the authentication server when the mobile terminal registers with it in step (4).
Preferably, after the step (4) and before the step (5), the client performs a secondary authentication process according to an authentication method corresponding to a login user name of the operating system, and determines whether to allow the login user corresponding to the login user name to log in the operating system according to a secondary authentication result.
Preferably, the client executes the secondary authentication process according to the authentication mode corresponding to the operating system login user name as follows: the client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the PAM library directory to obtain the authentication mode for the operating system login user name. If the authentication mode is empty, no authentication process is executed and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting a static password to the login interface of the client and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, that login user is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting a dynamic password to the authentication server; if a message indicating that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is short message (SMS) password authentication, the PAM library starts a session function to send a message requesting a short message password to the authentication server; if a message indicating that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused.
According to another aspect of the present invention, there is provided a system for enhancing the login security of a Linux operating system based on a mobile terminal, which is applied in the environment of an authentication server, a client terminal, and the mobile terminal, wherein the authentication server is communicatively connected to both the client terminal and the mobile terminal, the system comprising:
a first module, arranged in the client, for displaying a two-dimensional code on the login interface of the client, wherein the two-dimensional code comprises login authentication request information;
the second module is arranged in the mobile terminal and used for scanning the two-dimensional code displayed on the login interface of the client terminal to acquire login authentication request information, generating one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request information, and sending the one-time login verification information to the authentication server;
the third module is arranged in the authentication server and used for judging whether the one-time login verification information from the mobile terminal is valid or not, if so, switching to the fourth module, and otherwise, switching to the sixth module;
the fourth module is arranged in the authentication server and used for sending the login user name of the operating system and the verification success result to the client;
a fifth module, arranged in the client, for logging in to the operating system with the operating system login user name according to the successful verification result, after which the process ends;
and the sixth module is arranged in the authentication server and used for notifying the client that the verification fails and finishing the process.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) because the invention provides a way of logging in to the Linux operating system using the mobile terminal, the login user does not need to remember a static password, which solves the technical problem that, with the existing static-password login to the Linux system, the login user cannot log in after forgetting the static password;
(2) both the process of generating the one-time login verification information and the process of verifying its validity use the identity identification information of the mobile terminal and apply cryptographic techniques (namely signature, encryption and authentication operations) to produce dynamic, one-time login verification information, thereby raising the login security level of the operating system and solving the technical problem that a static password in the existing login mode is easily cracked by a hacker;
(3) the invention realizes Linux system login based on the mobile terminal, thereby improving the safety of Linux local account information (namely an operating system login user name and a login password), and solving the technical problem that the static password is easy to crack because a file storing the static password is easy to steal in the existing login mode.
(4) the secondary identity authentication is executed according to the authentication mode corresponding to the operating system login user name, and the factor used in the secondary identity authentication is different from the factor used in verifying the validity of the one-time login verification information, so that authentication security is further improved;
(5) the invention is realized based on the mobile terminal, so the operation of logging in the user is simple and the carrying is convenient.
Drawings
Fig. 1 is a flowchart of a method for enhancing the login security of a Linux operating system based on a mobile terminal according to a first embodiment of the present invention.
Fig. 2 is a flowchart of a method for enhancing the login security of the Linux operating system based on the mobile terminal according to a second embodiment of the present invention.
Fig. 3 is a flowchart of a method for enhancing the login security of the Linux operating system based on the mobile terminal according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
For the purpose of facilitating understanding of the present invention, the technical terms of the present invention will be explained and explained first:
Two-dimensional code (two-dimensional bar code): data symbol information is recorded by black and white patterns distributed on a plane (in two dimensions) according to a certain rule using specific geometric figures, and is read automatically by an image input device or a photoelectric scanning device to achieve automatic information processing. The encoding makes ingenious use of the "0" and "1" bit stream that forms the internal logic basis of computers: several geometric forms corresponding to the binary system represent textual and numerical information, which can be read automatically by image input or photoelectric scanning equipment. A two-dimensional code shares several properties with barcode technology: each code system has its specific character set, each character occupies a certain width, and there is a checking function. In addition, it can automatically recognise information in different rows and handle rotation of the graphic.
Authentication server (Authentication server): the authentication server is responsible for receiving a connection request of a login user, authenticating the legality of the login user, and then returning an authentication result to the login user.
As shown in fig. 1, according to a first embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client terminal, and the mobile terminal, wherein the authentication server is communicatively connected to both the client terminal and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
Specifically, the client is a device with a Linux operating system installed, which may be a personal computer (PC), a notebook (laptop), a server, or the like.
It should be noted that the above Linux operating systems include international Linux operating systems and domestic (Chinese) Linux operating systems. The international Linux operating systems include, but are not limited to, Ubuntu, Linux, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD, CentOS, and so on; the domestic Linux operating systems are operating systems developed secondarily on the basis of Linux and include, but are not limited to, NeoKylin, Ubuntu Kylin, Red Flag Linux, and the like.
Specifically, the login authentication request message includes a nonce, a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client terminal to obtain a login authentication request message, generates one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login verification information and an operating system login user name built in the mobile terminal to an authentication server;
Specifically, the mobile terminal may be any terminal capable of scanning and recognising a two-dimensional code and holding identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information (including fingerprint, iris, face, etc.) of the mobile terminal.
In this step, the process of generating the one-time login verification information by using the identity information of the mobile terminal and the login authentication request message may be to perform digital signature operation on the login authentication request message by using a private key of the mobile terminal to generate signature information as the one-time login verification information, or to perform encryption operation on the login authentication request message by using an encryption certificate of the mobile terminal to generate encryption information as the one-time login verification information, or to perform dynamic password operation on the login authentication request message by using a seed key of the mobile terminal to generate a one-time dynamic password as the one-time login verification information, or to perform operation on the login authentication request message by using the biometric information of the login user of the mobile terminal to generate authentication verification information as the one-time login verification information.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
Specifically, when the one-time login verification information is signature information, the process of determining whether the one-time login verification information from the mobile terminal is valid in this step is that the authentication server verifies the validity of the signature information; if the verification succeeds, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is encrypted information, the process of judging whether the one-time login verification information from the mobile terminal is valid in this step is that the authentication server looks up the private key that was generated when the mobile terminal registered with the authentication server and is stored by the authentication server, and decrypts the encrypted information with that private key; if decryption succeeds, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is dynamic password information, the process of judging whether the one-time login verification information from the mobile terminal is valid in the step is specifically that the authentication server judges whether the dynamic password is valid, if so, the one-time login verification information is valid, and if not, the one-time login verification information is invalid.
When the one-time login verification information is identification verification information, the process of judging whether the one-time login verification information from the mobile terminal is valid or not in the step is specifically that the authentication server performs inverse operation on the one-time login verification information, analyzes the biological identification information of the login user of the mobile terminal, compares the biological identification information with the stored biological characteristic identification information of the login user of the mobile terminal, if the comparison is passed, the one-time login verification information is indicated to be valid, and otherwise, the one-time login verification information is indicated to be invalid.
(4) The authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system with the operating system login user name according to the successful verification result, and the process ends;
optionally, after the step (4) and before the step (5), the method of the present invention may further include the step of the client performing secondary authentication according to the authentication method corresponding to the login user name of the operating system, and determining whether to allow the login user corresponding to the login user name to log in the operating system according to the result of the secondary authentication.
It should be noted that the factors used in the secondary authentication process are different from the factors used in the aforementioned validity check of the one-time login verification information.
Specifically, the client executes the secondary authentication process according to the authentication mode corresponding to the operating system login user name as follows: the client starts a PAM application program of the Linux operating system to call the PAM library, and the PAM library searches the configuration file of the PAM application program in the PAM library directory to obtain the authentication mode for the operating system login user name. If the authentication mode is empty, no authentication process is executed and the login user corresponding to the login user name is directly allowed to log in to the operating system. If the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting a static password to the login interface of the client and verifies whether the static password entered by the login user corresponding to the login user name is correct; if so, that login user is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function to send a message requesting a dynamic password to the authentication server; if a message indicating that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused. If the authentication mode is short message (SMS) password authentication, the PAM library starts a session function to send a message requesting a short message password to the authentication server; if a message indicating that the authentication server's authentication has passed is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise that login user is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
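As an added worked model (not code from the patent or its assignees) of steps (1) to (6) in the first embodiment above and of the seed-key variant of steps (2) and (3), in which the mobile terminal derives a one-time dynamic password from the scanned login authentication request, the following Python script plays all three parties. It assumes an HMAC-SHA256 dynamic password truncated to 8 decimal digits (the patent does not name the algorithm), a seed key and login user name provisioned at registration, and a server-side record of redeemed nonces so that each request is accepted only once; all identifiers and the seed are constructed.

```python
import hashlib
import hmac
import json
import secrets

OTP_DIGITS = 8  # assumption: the patent does not fix the dynamic password length


def canonical(request):
    """Deterministic encoding of the login authentication request, so that the
    mobile terminal and the authentication server MAC exactly the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def dynamic_password(seed, request):
    """Seed-key variant of step (2): derive the one-time dynamic password from
    the mobile terminal's seed key and the scanned request. HMAC-SHA256 with
    HOTP-style dynamic truncation is an assumed instantiation of the
    'dynamic password operation' the patent leaves unspecified."""
    mac = hmac.new(seed, canonical(request), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class Client:
    """The Linux host that shows the login interface."""

    def __init__(self, hardware_id, os_id):
        self.hardware_id = hardware_id
        self.os_id = os_id
        self.logged_in_as = None

    def login_request(self):
        """Step (1): the content encoded into the two-dimensional code: a fresh
        nonce, the client hardware identifier and the Linux OS identifier."""
        return {"nonce": secrets.token_hex(16),
                "client_hw_id": self.hardware_id,
                "os_id": self.os_id}

    def receive_result(self, result):
        """Step (5) on success, step (6) on failure."""
        self.logged_in_as = result["username"] if result["ok"] else None


class MobileTerminal:
    """The phone that scans the code; its seed key is its identity information."""

    def __init__(self, mobile_id, seed):
        self.mobile_id = mobile_id
        self.seed = seed

    def scan_and_respond(self, qr_payload):
        """Step (2): scanning yields the request; reply to the authentication
        server with the one-time login verification information."""
        return {"mobile_id": self.mobile_id,
                "request": qr_payload,
                "otp": dynamic_password(self.seed, qr_payload)}


class AuthServer:
    def __init__(self):
        self.registered = {}      # mobile_id -> (seed key, OS login user name)
        self.used_nonces = set()  # added check: each nonce may be redeemed once

    def register(self, mobile_id, seed, username):
        """Registration provisions the seed key and the login user name
        (the page does not detail this step; a shared seed is assumed)."""
        self.registered[mobile_id] = (seed, username)

    def verify(self, msg):
        """Step (3): judge validity; return the step (4) or step (6) message."""
        request = msg.get("request") or {}
        client_hw_id = request.get("client_hw_id")
        nonce = request.get("nonce")
        entry = self.registered.get(msg.get("mobile_id"))
        if entry is None or nonce is None or nonce in self.used_nonces:
            return {"client_hw_id": client_hw_id, "ok": False}
        seed, username = entry
        expected = dynamic_password(seed, request)
        if not hmac.compare_digest(expected, str(msg.get("otp", ""))):
            return {"client_hw_id": client_hw_id, "ok": False}
        self.used_nonces.add(nonce)  # the verification information is now spent
        return {"client_hw_id": client_hw_id, "ok": True, "username": username}


def run_login(client, mobile, server):
    """Run steps (1)-(6) once. Returns the user name the client logged in as,
    or None when the authentication server reported failure."""
    qr = client.login_request()            # (1) shown as a two-dimensional code
    answer = mobile.scan_and_respond(qr)   # (2) phone -> authentication server
    result = server.verify(answer)         # (3) -> (4) or (6)
    if result["client_hw_id"] != client.hardware_id:
        return None                        # verdict is not for this client
    client.receive_result(result)          # (5) or (6)
    return client.logged_in_as


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from the patent.
    server = AuthServer()
    seed = bytes.fromhex("0f" * 32)
    server.register("phone-A", seed, "alice")
    pc = Client("hw-0001", "ubuntu-18.04")
    print("registered phone:", run_login(pc, MobileTerminal("phone-A", seed), server))
    print("wrong seed key:  ", run_login(pc, MobileTerminal("phone-A", b"guess"), server))
```

Replaying a captured answer fails because the server has already spent that nonce, which is what makes the verification information one-time rather than a reusable static password.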
As shown in fig. 2, according to a second embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code of a login user on a login interface of the client, wherein the two-dimensional code comprises a login user name of the operating system and a login authentication request message;
Specifically, the client is a device on which a Linux operating system is installed, such as a personal computer (PC), a notebook (laptop), or a server.
It should be noted that the Linux operating systems referred to above include international Linux distributions and domestic (Chinese) Linux distributions. The international distributions include, but are not limited to, Ubuntu, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD and CentOS (FreeBSD is listed by the source although it is a BSD system rather than a Linux distribution); a domestic Linux operating system is one developed on the basis of Linux and includes, but is not limited to, NeoKylin (中标麒麟), Ubuntu Kylin, Red Flag Linux, and the like.
For example, the login user may be the root user, an administrator user, or an ordinary user who logs in to the Linux operating system.
Specifically, the operating system login user name is the account name used to log in to the Linux operating system, i.e. the account the operating system will authenticate.
Specifically, the login authentication request message includes a nonce (a fresh random value that makes this request, and any proof derived from it, usable only once), a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client to obtain the login authentication request message and the operating system login user name, generates one-time login verification information from the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login verification information together with the operating system login user name to the authentication server;
Specifically, the mobile terminal may be any terminal capable of scanning and decoding a two-dimensional code and holding identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identity identification information of the mobile terminal may be one or more of a private key, an encryption certificate and a seed key of the mobile terminal, and biometric information of the login user of the mobile terminal (including fingerprint, iris, face, and the like).
In this step, the one-time login verification information may be generated from the identity identification information of the mobile terminal and the login authentication request message in any of the following ways: performing a digital signature operation on the login authentication request message with the private key of the mobile terminal, the resulting signature information being the one-time login verification information; performing an encryption operation on the login authentication request message with the encryption certificate of the mobile terminal, the resulting encrypted information being the one-time login verification information; performing a dynamic password operation on the login authentication request message with the seed key of the mobile terminal, the resulting one-time dynamic password being the one-time login verification information; or performing an operation on the login authentication request message with the biometric information of the login user of the mobile terminal, the resulting authentication verification information being the one-time login verification information. In every variant it is the nonce carried in the request message that ties the proof to this particular login attempt.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
Specifically, when the one-time login verification information is signature information, determining whether it is valid means that the authentication server verifies the signature against the public key registered for the mobile terminal; if the signature verifies, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is encrypted information, determining whether it is valid means that the authentication server looks up the private key that it stored and that was generated when the mobile terminal registered with it, and uses that private key to decrypt the encrypted information; if decryption succeeds, the one-time login verification information is valid, otherwise it is invalid. Successful decryption on its own shows only that the ciphertext was produced under the matching public key, so a practical implementation should also check that the recovered plaintext carries the nonce of the pending login request.
When the one-time login verification information is dynamic password information, determining whether it is valid means that the authentication server checks whether the dynamic password is valid, that is, whether it matches the value the server derives from the seed key registered for that mobile terminal and the request message; if so, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is authentication verification information derived from biometrics, determining whether it is valid means that the authentication server performs the inverse operation on the one-time login verification information to recover the biometric information of the login user of the mobile terminal and compares it with the stored biometric identification information of that user; if the comparison passes, the one-time login verification information is valid, otherwise it is invalid.
(4) The authentication server sends the operating system login user name and the successful verification result to the client.
(5) The client logs the login user in to the operating system with that operating system login user name according to the successful verification result, and the process ends;
Optionally, after step (4) and before step (5), the method of the present invention may further include a step in which the client performs secondary authentication according to the authentication mode corresponding to the operating system login user name, and decides, according to the result of the secondary authentication, whether to allow the login user corresponding to the login user name to log in to the operating system.
It should be noted that the factors used in this secondary authentication are different from the factors used to validate the one-time login verification information described above.
Specifically, the client executes the secondary authentication process according to the authentication mode configured for the operating system login user name, as follows. The client starts a PAM application of the Linux operating system, which calls the PAM library; the PAM library looks up the configuration file of that PAM application in the PAM configuration directory and reads from it the authentication mode for the operating system login user name. If the authentication mode is empty, no secondary authentication is executed and the login user corresponding to the login user name is allowed to log in to the operating system directly. If the authentication mode is static password authentication, the PAM library starts a session function that sends a prompt requesting a static password to the login interface of the client and checks whether the static password entered by the login user is correct; if it is, the login user is allowed to log in to the operating system, otherwise the login is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function that prompts for a dynamic password and sends it to the authentication server; if a message stating that the authentication server accepted it is received, the login user is allowed to log in to the operating system, otherwise the login is refused. If the authentication mode is short message (SMS) password authentication, the PAM library starts a session function that prompts for the SMS password and sends it to the authentication server; if a message stating that the authentication server accepted it is received, the login user is allowed to log in to the operating system, otherwise the login is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
As shown in fig. 3, according to a third embodiment of the present invention, there is provided a method for enhancing Linux operating system login security based on a mobile terminal, which is applied in an environment of an authentication server, a client and the mobile terminal, wherein the authentication server is communicatively connected to both the client and the mobile terminal, the method includes the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
Specifically, the client is a device on which a Linux operating system is installed, such as a personal computer (PC), a notebook (laptop), or a server.
It should be noted that the Linux operating systems referred to above include international Linux distributions and domestic (Chinese) Linux distributions. The international distributions include, but are not limited to, Ubuntu, PCLinuxOS, Slackware Linux, Gentoo Linux, FreeBSD and CentOS (FreeBSD is listed by the source although it is a BSD system rather than a Linux distribution); a domestic Linux operating system is one developed on the basis of Linux and includes, but is not limited to, NeoKylin (中标麒麟), Ubuntu Kylin, Red Flag Linux, and the like.
Specifically, the login authentication request message includes a nonce (a fresh random value that makes this request, and any proof derived from it, usable only once), a client hardware identifier, a Linux operating system identifier of the client, and the like.
(2) The mobile terminal scans the two-dimensional code displayed on the login interface of the client to obtain the login authentication request message, generates one-time login verification information from the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login verification information to the authentication server;
Specifically, the mobile terminal may be any terminal capable of scanning and decoding a two-dimensional code and holding identity identification information, including but not limited to a mobile phone, an iPad, and the like.
The identity identification information of the mobile terminal may be one or more of a private key, an encryption certificate and a seed key of the mobile terminal, and biometric information of the login user of the mobile terminal (including fingerprint, iris, face, and the like).
In this step, the one-time login verification information may be generated from the identity identification information of the mobile terminal and the login authentication request message in any of the following ways: performing a digital signature operation on the login authentication request message with the private key of the mobile terminal, the resulting signature information being the one-time login verification information; performing an encryption operation on the login authentication request message with the encryption certificate of the mobile terminal, the resulting encrypted information being the one-time login verification information; performing a dynamic password operation on the login authentication request message with the seed key of the mobile terminal, the resulting one-time dynamic password being the one-time login verification information; or performing an operation on the login authentication request message with the biometric information of the login user of the mobile terminal, the resulting authentication verification information being the one-time login verification information.
(3) The authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
Specifically, when the one-time login verification information is signature information, determining whether it is valid means that the authentication server verifies the signature against the public key registered for the mobile terminal; if the signature verifies, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is encrypted information, determining whether it is valid means that the authentication server looks up the private key that it stored and that was generated when the mobile terminal registered with it, and uses that private key to decrypt the encrypted information; if decryption succeeds, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is dynamic password information, determining whether it is valid means that the authentication server checks whether the dynamic password is valid, that is, whether it matches the value the server derives from the seed key registered for that mobile terminal and the request message; if so, the one-time login verification information is valid, otherwise it is invalid.
When the one-time login verification information is authentication verification information derived from biometrics, determining whether it is valid means that the authentication server performs the inverse operation on the one-time login verification information to recover the biometric information of the login user of the mobile terminal and compares it with the stored biometric identification information of that user; if the comparison passes, the one-time login verification information is valid, otherwise it is invalid.
(4) The authentication server sends to the client the successful verification result together with the operating system login user name that was created, and bound to the mobile terminal, when the mobile terminal registered with the authentication server;
(5) The client logs the login user in to the operating system with that operating system login user name according to the successful verification result, and the process ends;
Optionally, after step (4) and before step (5), the method of the present invention may further include a step in which the client performs secondary authentication according to the authentication mode corresponding to the operating system login user name, and decides, according to the result of the secondary authentication, whether to allow the login user corresponding to the login user name to log in to the operating system.
It should be noted that the factors used in this secondary authentication are different from the factors used to validate the one-time login verification information described above.
Specifically, the client executes the secondary authentication process according to the authentication mode configured for the operating system login user name, as follows. The client starts a PAM application of the Linux operating system, which calls the PAM library; the PAM library looks up the configuration file of that PAM application in the PAM configuration directory and reads from it the authentication mode for the operating system login user name. If the authentication mode is empty, no secondary authentication is executed and the login user corresponding to the login user name is allowed to log in to the operating system directly. If the authentication mode is static password authentication, the PAM library starts a session function that sends a prompt requesting a static password to the login interface of the client and checks whether the static password entered by the login user is correct; if it is, the login user is allowed to log in to the operating system, otherwise the login is refused. If the authentication mode is dynamic password authentication, the PAM library starts a session function that prompts for a dynamic password and sends it to the authentication server; if a message stating that the authentication server accepted it is received, the login user is allowed to log in to the operating system, otherwise the login is refused. If the authentication mode is short message (SMS) password authentication, the PAM library starts a session function that prompts for the SMS password and sends it to the authentication server; if a message stating that the authentication server accepted it is received, the login user is allowed to log in to the operating system, otherwise the login is refused.
(6) The authentication server informs the client that the verification fails, and the process is finished.
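The per-user secondary authentication described in the optional step of each embodiment (an empty mode, a static password, a dynamic password checked by the authentication server, or an SMS password) can be expressed with standard Linux-PAM control syntax. The fragment below is an added illustration, not configuration from the patent: the service name qrlogin, the group names auth-static, auth-otp and auth-sms, and the module pam_otpserver.so with its mode= and server= arguments are assumptions standing in for whatever module forwards the dynamic or SMS password to the authentication server; pam_succeed_if.so, pam_unix.so and pam_permit.so are standard Linux-PAM modules.

```text
# /etc/pam.d/qrlogin   (service name, group names and pam_otpserver.so are
#                        assumptions of this example, not taken from the patent)
#
# The mobile-terminal proof has already been accepted by the authentication
# server before this stack runs; what follows is the optional secondary factor,
# chosen per user by group membership. A user in none of the groups reaches
# pam_permit.so, which is the "authentication mode is empty" case.

# static password: members of auth-static must enter their local Unix password
auth    [success=1 default=ignore]  pam_succeed_if.so  user notingroup auth-static quiet
auth    requisite                   pam_unix.so

# dynamic password: members of auth-otp enter a one-time code that the
# (hypothetical) module forwards to the authentication server for checking
auth    [success=1 default=ignore]  pam_succeed_if.so  user notingroup auth-otp quiet
auth    requisite                   pam_otpserver.so   mode=otp  server=https://auth.example

# short message password: same module, SMS delivery
auth    [success=1 default=ignore]  pam_succeed_if.so  user notingroup auth-sms quiet
auth    requisite                   pam_otpserver.so   mode=sms  server=https://auth.example

# no mode configured for this user: allow, as the patent text specifies
auth    required                    pam_permit.so
```

The control value [success=1 default=ignore] makes pam_succeed_if.so skip the next line when the user is not in the group, so only the matching factor is prompted for, and requisite ends the stack immediately when that factor fails. The closing pam_permit.so reproduces the source's behaviour that an empty authentication mode allows login on the mobile-terminal proof alone; a hardened deployment would instead mark each factor line sufficient and end the stack with pam_deny.so, so that an account with no configured mode cannot log in at all.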
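The following Go program is an added illustration of steps (1) to (4) of the second and third embodiments above, using the signature variant of the one-time login verification information; it is example code written for this page, not code from the patent or from the applicants. It assumes a JSON/base64 framing for the two-dimensional code payload, Ed25519 as the signature scheme, an IssuedAt timestamp with a one-minute acceptance window, the terminal identifier "phone-1", and that the operating system login user name is bound to the mobile terminal at registration as in the third embodiment; none of these specifics come from the source. The server refuses unknown terminals, stale requests, replayed nonces and bad signatures, in that order, and burns the nonce before answering, which is what makes the proof one-time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LoginRequest is the login authentication request message carried in the QR code.
// Nonce, hardware id and OS id follow the patent text; IssuedAt is an added assumption.
type LoginRequest struct {
	Nonce    string `json:"nonce"`
	HWID     string `json:"hwid"`
	OSID     string `json:"osid"`
	IssuedAt int64  `json:"iat"`
}

// LoginProof is the mobile terminal's message to the authentication server (the
// "signature information" variant); the JSON/base64 framing is an assumption.
type LoginProof struct {
	TerminalID string       `json:"tid"`
	Request    LoginRequest `json:"req"`
	Signature  string       `json:"sig"` // base64 Ed25519 signature over canonical(Request)
}

// canonical gives the exact bytes both sides sign and verify (struct marshalling is deterministic).
func canonical(r LoginRequest) []byte { b, _ := json.Marshal(r); return b }

// Client is the Linux machine showing the login interface.
type Client struct{ HWID, OSID string }

// NewQRPayload builds a request with a fresh 128-bit nonce and returns the base64 text rendered as the QR code.
func (c *Client) NewQRPayload(now time.Time) (string, LoginRequest, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return "", LoginRequest{}, err
	}
	req := LoginRequest{Nonce: base64.RawURLEncoding.EncodeToString(n[:]), HWID: c.HWID, OSID: c.OSID, IssuedAt: now.Unix()}
	return base64.StdEncoding.EncodeToString(canonical(req)), req, nil
}

// Scan is the mobile terminal's step (2): decode the QR payload and sign the canonical
// request with the terminal's private key (its identity identification information).
func Scan(terminalID string, priv ed25519.PrivateKey, payload string) (LoginProof, error) {
	b, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return LoginProof{}, err
	}
	var req LoginRequest
	if err := json.Unmarshal(b, &req); err != nil {
		return LoginProof{}, err
	}
	sig := ed25519.Sign(priv, canonical(req))
	return LoginProof{TerminalID: terminalID, Request: req, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Server keeps what registration produced (public key, bound OS login user name) and consumed nonces.
type Server struct {
	MaxAge time.Duration
	keys   map[string]ed25519.PublicKey
	users  map[string]string
	used   map[string]bool
}

func (s *Server) Register(id string, pub ed25519.PublicKey, osUser string) {
	if s.keys == nil {
		s.keys, s.users, s.used = map[string]ed25519.PublicKey{}, map[string]string{}, map[string]bool{}
	}
	s.keys[id], s.users[id] = pub, osUser
}

// Verify is step (3): reject unknown terminals, stale requests and replayed nonces,
// then check the signature; on success return the OS login user name for step (4).
func (s *Server) Verify(p LoginProof, now time.Time) (string, error) {
	pub, ok := s.keys[p.TerminalID]
	if !ok {
		return "", errors.New("unregistered mobile terminal")
	}
	if age := now.Unix() - p.Request.IssuedAt; age < 0 || age > int64(s.MaxAge.Seconds()) {
		return "", errors.New("login request expired")
	}
	if s.used[p.Request.Nonce] {
		return "", errors.New("nonce already consumed (replay)")
	}
	sig, err := base64.StdEncoding.DecodeString(p.Signature)
	if err != nil || !ed25519.Verify(pub, canonical(p.Request), sig) {
		return "", errors.New("signature invalid")
	}
	s.used[p.Request.Nonce] = true // burn the nonce before answering
	return s.users[p.TerminalID], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	srv := &Server{MaxAge: time.Minute}
	srv.Register("phone-1", pub, "alice")
	payload, _, _ := (&Client{HWID: "hw-0001", OSID: "neokylin-7"}).NewQRPayload(time.Now())
	proof, _ := Scan("phone-1", priv, payload)
	user, err := srv.Verify(proof, time.Now())
	fmt.Println("first use:", user, err)
	_, err = srv.Verify(proof, time.Now())
	fmt.Println("replay:", err)
}
```

Two things the patent text leaves to the implementer are worth stating: the result the server returns in step (4) has to be delivered to the client instance that displayed that particular nonce (in practice the client polls or is pushed a result keyed by its nonce over an authenticated channel), and the client hardware and OS identifiers inside the signed request let the server confirm that the proof was produced for the machine that is actually asking to log in, not for a QR code copied from elsewhere.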
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (9)

1. A method for enhancing the login security of a Linux operating system based on a mobile terminal is applied to the environments of an authentication server, a client and the mobile terminal, wherein the authentication server is in communication connection with both the client and the mobile terminal, and the method is characterized by comprising the following steps:
(1) the client displays a two-dimensional code on a login interface of the client, wherein the two-dimensional code comprises login authentication request information;
(2) the mobile terminal scans the two-dimensional code displayed on the login interface of the client to obtain the login authentication request message, generates one-time login verification information from the identity identification information of the mobile terminal and the login authentication request message, and sends the one-time login verification information to the authentication server;
(3) the authentication server judges whether the one-time login verification information from the mobile terminal is valid, if so, the step (4) is carried out, and if not, the step (6) is carried out;
(4) the authentication server sends the login user name of the operating system and the successful verification result to the client;
(5) the client logs in to the operating system with the operating system login user name according to the successful verification result, and the process ends;
(6) the authentication server informs the client that the verification fails, and the process is finished.
2. The method for enhancing Linux operating system login security based on the mobile terminal of claim 1, wherein the login authentication request message comprises one or more of a nonce, a client hardware identifier, and a Linux operating system identifier of the client.
3. The method for enhancing the login security of the Linux operating system based on the mobile terminal of claim 1, wherein the identification information of the mobile terminal may be one or more of a private key, an encryption certificate, a seed key, and biometric information of a login user of the mobile terminal.
4. The method for enhancing Linux operating system login security based on the mobile terminal of claim 3, wherein,
when the identity identification information of the mobile terminal is the private key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the private key of the mobile terminal to perform digital signature operation on the login authentication request message to generate signature information as the one-time login verification information;
when the identity identification information of the mobile terminal is the encryption certificate of the mobile terminal, the process of generating the one-time login verification information from the identity identification information of the mobile terminal and the login authentication request message is to perform an encryption operation on the login authentication request message with the encryption certificate of the mobile terminal, the resulting encrypted information being the one-time login verification information;
when the identity identification information of the mobile terminal is the seed key of the mobile terminal, the process of generating the one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request message is to use the seed key of the mobile terminal to perform dynamic password operation on the login authentication request message to generate a one-time dynamic password as the one-time login verification information;
when the identification information of the mobile terminal is the biological identification information of the login user of the mobile terminal, the process of generating the one-time login verification information by using the identification information of the mobile terminal and the login authentication request message is to calculate the login authentication request message by using the biological identification information of the login user of the mobile terminal to generate the authentication information as the one-time login verification information.
5. The method for enhancing Linux operating system login security based on the mobile terminal of claim 4, wherein,
when the one-time login verification information is signature information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, verifying the validity of the signature information by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is encrypted information, determining whether the one-time login verification information from the mobile terminal is valid specifically comprises: the authentication server looks up the private key that it stored and that was generated when the mobile terminal registered with the authentication server, and decrypts the encrypted information with that private key; if decryption succeeds, the one-time login verification information is valid, otherwise it is invalid;
when the one-time login verification information is dynamic password information, judging whether the one-time login verification information from the mobile terminal is valid or not, specifically, judging whether the dynamic password is valid or not by the authentication server, if so, indicating that the one-time login verification information is valid, otherwise, indicating that the one-time login verification information is invalid;
when the one-time login verification information is identification verification information, the process of judging whether the one-time login verification information from the mobile terminal is valid is specifically that the authentication server carries out inverse operation on the one-time login verification information, analyzes the login user biological identification information of the mobile terminal, compares the biological identification information with the stored login user biological characteristic identification information of the mobile terminal, if the comparison is passed, the one-time login verification information is indicated to be valid, otherwise, the one-time login verification information is indicated to be invalid.
6. The method for enhancing Linux operating system login security based on the mobile terminal according to claim 1, wherein the operating system login user name is included in the two-dimensional code of step (1), or is built in the mobile terminal of step (2), or is created by the authentication server when the mobile terminal registers with the authentication server in step (4).
7. The method according to claim 1, further comprising, after the step (4) and before the step (5), the step of executing, by the client, a secondary authentication process according to an authentication method corresponding to the login user name of the operating system, and determining whether to allow the login user corresponding to the login user name to log in the operating system according to a result of the secondary authentication.
8. The method for enhancing the login security of the Linux operating system based on the mobile terminal according to claim 7, wherein the secondary authentication process executed by the client according to the authentication mode corresponding to the operating system login user name specifically comprises: the client starts a PAM application program of the Linux operating system, which calls the PAM library, and the PAM library searches the configuration file of the PAM application program in the PAM configuration directory to obtain the authentication mode of the operating system login user name; if the authentication mode is null, the authentication process is not executed and the login user corresponding to the login user name is directly allowed to log in to the operating system; if the authentication mode is static password authentication, the PAM library starts a session function to send a message requesting a static password to the login interface of the client and verifies whether the static password entered by the login user corresponding to the login user name is correct, and if so, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise the login user is refused; if the authentication mode is dynamic password authentication, the PAM library starts a session function to request a dynamic password and sends it to the authentication server, and if a message that the authentication server has passed the authentication is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise the login user is refused; if the authentication mode is short message password authentication, the PAM library starts a session function to request a short message password and sends it to the authentication server, and if a message that the authentication server has passed the authentication is received, the login user corresponding to the login user name is allowed to log in to the operating system, otherwise the login user is refused.
9. A system for enhancing the login security of a Linux operating system based on a mobile terminal is applied to the environments of an authentication server, a client terminal and the mobile terminal, wherein the authentication server is in communication connection with both the client terminal and the mobile terminal, and the system is characterized by comprising:
a first module, arranged in the client, for displaying a two-dimensional code on the login interface of the client, wherein the two-dimensional code comprises login authentication request information;
the second module is arranged in the mobile terminal and used for scanning the two-dimensional code displayed on the login interface of the client terminal to acquire login authentication request information, generating one-time login verification information by using the identity identification information of the mobile terminal and the login authentication request information, and sending the one-time login verification information to the authentication server;
the third module is arranged in the authentication server and used for judging whether the one-time login verification information from the mobile terminal is valid or not, if so, switching to the fourth module, and otherwise, switching to the sixth module;
the fourth module is arranged in the authentication server and used for sending the login user name of the operating system and the verification success result to the client;
a fifth module, arranged in the client, for logging in to the operating system with the operating system login user name according to the successful verification result, whereupon the process ends;
and the sixth module is arranged in the authentication server and used for notifying the client that the verification fails and finishing the process.
CN201910939718.XA 2019-09-30 2019-09-30 Method and system for enhancing login security of Linux operating system based on mobile terminal Pending CN111125668A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910939718.XA CN111125668A (en) 2019-09-30 2019-09-30 Method and system for enhancing login security of Linux operating system based on mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910939718.XA CN111125668A (en) 2019-09-30 2019-09-30 Method and system for enhancing login security of Linux operating system based on mobile terminal

Publications (1)

Publication Number Publication Date
CN111125668A true CN111125668A (en) 2020-05-08

Family

ID=70495365

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910939718.XA Pending CN111125668A (en) 2019-09-30 2019-09-30 Method and system for enhancing login security of Linux operating system based on mobile terminal

Country Status (1)

Country Link
CN (1) CN111125668A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112291218A (en) * 2020-10-22 2021-01-29 四川长虹电器股份有限公司 Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm
CN115085968A (en) * 2022-04-29 2022-09-20 麒麟软件有限公司 Login authentication method based on custom tag under Linux

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195932A (en) * 2010-03-05 2011-09-21 北京路模思科技有限公司 Method and system for realizing network identity authentication based on two pieces of isolation equipment
CN103001974A (en) * 2012-12-26 2013-03-27 百度在线网络技术(北京)有限公司 Method, system and device used for controlling login and based on two-dimensional code
CN103001973A (en) * 2012-12-26 2013-03-27 百度在线网络技术(北京)有限公司 Method, system and device used for controlling login and based on two-dimensional code
CN103617531A (en) * 2013-12-16 2014-03-05 信雅达系统工程股份有限公司 Safety payment method and device based on credible two-dimension code
CN103944877A (en) * 2014-03-02 2014-07-23 王恩惠 Method and system for safely logging on bank website based on two-dimension code
CN104378368A (en) * 2014-11-10 2015-02-25 武汉传神信息技术有限公司 Code scanning log-in method and system
CN105897424A (en) * 2016-03-14 2016-08-24 深圳奥联信息安全技术有限公司 Method for enhancing identity authentication
CN105933353A (en) * 2016-07-05 2016-09-07 北京万维星辰科技有限公司 Method and system for realizing secure login
CN106936803A (en) * 2015-12-31 2017-07-07 亿阳安全技术有限公司 Two-dimensional code scanning certification login method and relevant apparatus
CN107277059A (en) * 2017-08-08 2017-10-20 沈阳东青科技有限公司 A kind of one-time password identity identifying method and system based on Quick Response Code
CN107332659A (en) * 2017-05-24 2017-11-07 舒翔 A kind of identity identifying method based on biological characteristic, storage medium and system
CN108259445A (en) * 2016-12-29 2018-07-06 上海格尔软件股份有限公司 MS windows desktops Security Login System and its login method based on smart mobile phone
CN108881222A (en) * 2018-06-15 2018-11-23 郑州信大壹密科技有限公司 Strong identity authentication system and method based on PAM framework
CN108923931A (en) * 2018-06-27 2018-11-30 努比亚技术有限公司 A kind of electronic certificate processing method, equipment and computer readable storage medium
CN109831463A (en) * 2019-03-29 2019-05-31 大连九锁网络有限公司 Intelligent terminal security protection system for operating system login authentication

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195932A (en) * 2010-03-05 2011-09-21 北京路模思科技有限公司 Method and system for realizing network identity authentication based on two pieces of isolation equipment
CN103001974A (en) * 2012-12-26 2013-03-27 百度在线网络技术(北京)有限公司 Method, system and device used for controlling login and based on two-dimensional code
CN103001973A (en) * 2012-12-26 2013-03-27 百度在线网络技术(北京)有限公司 Method, system and device used for controlling login and based on two-dimensional code
CN103617531A (en) * 2013-12-16 2014-03-05 信雅达系统工程股份有限公司 Safety payment method and device based on credible two-dimension code
CN103944877A (en) * 2014-03-02 2014-07-23 王恩惠 Method and system for safely logging on bank website based on two-dimension code
CN104378368A (en) * 2014-11-10 2015-02-25 武汉传神信息技术有限公司 Code scanning log-in method and system
CN106936803A (en) * 2015-12-31 2017-07-07 亿阳安全技术有限公司 Two-dimensional code scanning certification login method and relevant apparatus
CN105897424A (en) * 2016-03-14 2016-08-24 深圳奥联信息安全技术有限公司 Method for enhancing identity authentication
CN105933353A (en) * 2016-07-05 2016-09-07 北京万维星辰科技有限公司 Method and system for realizing secure login
CN108259445A (en) * 2016-12-29 2018-07-06 上海格尔软件股份有限公司 MS windows desktops Security Login System and its login method based on smart mobile phone
CN107332659A (en) * 2017-05-24 2017-11-07 舒翔 A kind of identity identifying method based on biological characteristic, storage medium and system
CN107277059A (en) * 2017-08-08 2017-10-20 沈阳东青科技有限公司 A kind of one-time password identity identifying method and system based on Quick Response Code
CN108881222A (en) * 2018-06-15 2018-11-23 郑州信大壹密科技有限公司 Strong identity authentication system and method based on PAM framework
CN108923931A (en) * 2018-06-27 2018-11-30 努比亚技术有限公司 A kind of electronic certificate processing method, equipment and computer readable storage medium
CN109831463A (en) * 2019-03-29 2019-05-31 大连九锁网络有限公司 Intelligent terminal security protection system for operating system login authentication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邓增涛 (Deng Zengtao): "Red Hat Linux 6.5 高级应用教程" (Red Hat Linux 6.5 Advanced Applications Tutorial), 31 March 2000, 海洋出版社 (China Ocean Press) *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112291218A (en) * 2020-10-22 2021-01-29 四川长虹电器股份有限公司 Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm
CN112291218B (en) * 2020-10-22 2022-02-01 四川长虹电器股份有限公司 Equipment identity authentication method based on two-dimensional code double fusion encryption algorithm
CN115085968A (en) * 2022-04-29 2022-09-20 麒麟软件有限公司 Login authentication method based on custom tag under Linux
CN115085968B (en) * 2022-04-29 2023-08-04 麒麟软件有限公司 Login authentication method based on custom tag under Linux

Similar Documents

Publication Publication Date Title
KR102493744B1 (en) Security Verification Method Based on Biometric Characteristics, Client Terminal, and Server
CN104065652B (en) A kind of auth method, device, system and relevant device
CN111431719A (en) Mobile terminal password protection module, mobile terminal and password protection method
CN111031539A (en) Method and system for enhancing login security of Windows operating system based on mobile terminal
US20140053251A1 (en) User account recovery
WO2019226115A1 (en) Method and apparatus for user authentication
US11665156B2 (en) Method and system for securely authenticating a user by an identity and access service using a pictorial code and a one-time code
CN104767616A (en) Message processing method, system and related device
CN104767617A (en) Message processing method, system and related device
CN104426659A (en) Dynamic password generating method, authentication method, authentication system and corresponding equipment
CN109496443B (en) Mobile authentication method and system therefor
CN112313983A (en) User authentication using companion device
CN111083100B (en) Method and system for enhancing login security of Linux operating system based on message pushing
CN113641973A (en) Identity authentication method, system and medium
CN111125668A (en) Method and system for enhancing login security of Linux operating system based on mobile terminal
CN111131140B (en) Method and system for enhancing login security of Windows operating system based on message pushing
CN110995654B (en) Terminal temporary authorization method, device and system based on dynamic two-dimensional code
CN115801450B (en) Multi-dimensional joint authentication method and system for time and terminal
CN112364322A (en) Safety verification system and method for instant communication tool
CN108965335B (en) Method for preventing malicious access to login interface, electronic device and computer medium
CN114584324B (en) Identity authorization method and system based on block chain
CN111078649A (en) Block chain-based on-cloud file storage method and device and electronic equipment
CN106533685B (en) Identity authentication method, device and system
CN115086090A (en) Network login authentication method and device based on UKey
KR101936941B1 (en) Electronic approval system, method, and program using biometric authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-05-08