CN102402655A - Dynamic password setting method for virtual machine - Google Patents

Publication number
CN102402655A
Authority
CN
Grant status
Application
Prior art keywords
password
virtual machine
dynamic
dynamic password
user
Application number
CN 201010284830
Other languages
Chinese (zh)
Inventor
兰雨晴
夏颖
姚远
宋潇豫
徐舫
胡娜
赵敬锋
马立克
Original Assignee
上海中标软件有限公司

Abstract

The invention discloses a dynamic password setting method for a virtual machine. A dynamic random password generation policy is used to generate the virtual machine password, the password is then reset in a secure way, and once the new password is set the user is notified of it by an automatic password notification policy. The dynamic random password generation policy introduces a random number into the generation of the dynamic password, and also introduces a hash algorithm into the generation process to further increase the randomness of the password and thereby its security. The automatic password notification policy means that after the virtual machine password is reset, the user is notified of the new password in a secure way. The method also resets the virtual machine password periodically, through a periodic password reset policy, so that the password stays secure when the virtual machine is not restarted for a long time.

Description

A dynamic password setting method for a virtual machine

Technical Field

[0001] The present invention relates to the fields of virtual machine management in cloud computing and of cloud computing, and in particular to a dynamic password setting method for a virtual machine.

Background

[0002] At present, the password of a virtual machine's root user (the root user on Linux, the Administrator user on Windows) is set statically. With the static method, the root user's password is set once when the new virtual machine's operating system is installed, that same password is used for every later login, and if the user wants to change it, the change has to be made manually (much as passwords are currently set on physical machines).

[0003] The existing static password setting method for virtual machines therefore has the following problems:

[0004] 1) Security and usability are in direct opposition

[0005] On the one hand, many users like to set passwords that are easy to remember; that is, when constructing a password they usually adopt some strategy to make it memorable. The common strategies are:

[0006] (1) using particular English words or pinyin;

[0007] (2) using numbers related to the user's personal information, such as the user's birthday, family members' birthdays, or various ID document numbers;

[0008] (3) using the keyboard layout, for example adjacent keys on the keyboard, such as "asdfgh", "qwe123", "123456" and so on.

[0009] The problem with these ways of choosing a password is that they are not secure enough and are easy to crack. Passwords built with strategies (1) and (3) fall to brute force: attackers generally use a password dictionary, built by collecting passwords commonly used on the network together with English dictionaries. A typical dictionary is at least on the order of M in size and covers all kinds of common passwords, so the chance that a user can set a password that is both easy to remember and secure is very low. Passwords built with strategy (2) fall as follows: the attacker collects the user's personal information and cracks the password from it, and in today's networked society collecting someone's personal information has become very easy.

[0010] On the other hand, a user can set a very complex password, such as a very long sentence, a very long random number, or a combination of various symbols (digits, letters, punctuation and so on). Such complex passwords are generally fairly secure, but the drawback is equally obvious: usability is poor, because they are hard to remember. If the password is kept on some other medium, the physical security of that medium becomes an issue.

[0011] 2) Password validity period

[0012] Most users like to keep one password for a long time, yet a password's security weakens the longer it is in use. A better security policy is for users to change passwords periodically, for example resetting once a month or once a day. The shorter the validity period, the higher the security; with static passwords, however, resetting too frequently gives users a poor experience.

Summary of the Invention

[0013] To solve the above technical problems, the main object of the present invention is to improve password security and solve the problem of passwords being easy to crack; to this end the inventors apply dynamic passwords to virtual machines;

[0014] a second object is to provide a method of changing the password periodically;

[0015] and a further object is to provide a way of avoiding the need to memorize complex passwords, by notifying the user of the user name and password randomly generated by the system.

[0016] Based on these objects, the present invention proposes a dynamic password setting method for a virtual machine, which addresses the insufficient security of static password setting while preserving the usability of the system.

[0017] The method for setting and implementing a virtual machine dynamic password provided by the invention comprises the following steps:

[0018] 1) setting a dynamic password generation policy;

[0019] a dynamic password is generated in the virtual machine and set as the login password;

[0020] 2) setting a dynamic password notification policy;

[0021] the dynamic password is automatically notified to the host or the user.

[0022] With these policies in place, a dynamic password is used on the virtual machine in place of the existing static password, which improves password security and solves the problem of passwords being easy to crack.

[0023] To further improve the effect, the password generation policy in step 1) may include a dynamic random password generation policy that uses a hash algorithm.

[0024] Wherein:

[0025] The hash-based dynamic random password generation policy may comprise the following steps:

[0026] (1) set a custom string a;

[0027] (2) get the current date and store it as string b;

[0028] (3) generate a random number and store it as string c;

[0029] (4) concatenate strings a, b and c into one string d;

[0030] (5) compute the digest of string d with the sha1 algorithm to obtain string e;

[0031] (6) take the last several characters of e as the new dynamic password E;

[0032] (7) set the new dynamic password E for the root user.

[0033] In addition, setting the dynamic password notification policy in step 2) may comprise the following steps:

[0034] (1) output the user name and the password E to the serial port;

[0035] (2) obtain the virtual machine's serial output on the host;

[0036] (3) parse the user name and the password E on the host;

[0037] (4) the host sends the user name and password to the user.

[0038] In the dynamic password notification policy of step 2), the dynamic password may also be sent to the user by e-mail or SMS.

[0039] The method further comprises steps of setting the virtual machine dynamic password setting program to execute automatically, setting the virtual machine dynamic password setting program to execute periodically, and/or modifying, as required, the virtual machine dynamic password generation, setting and notification policies and the period of their periodic execution.

[0040] Compared with static password setting, the dynamic password setting method of the invention has the following characteristics:

[0041] 1) the invention can automatically reset the virtual machine password when the virtual machine starts (or update it at the user's request), and notify the user of the new password once startup (or the update) completes;

[0042] 2) the password set by the invention is dynamic and can be randomly generated; it has no regularity, is hard to crack, and is therefore highly secure;

[0043] 3) the invention supports periodic resetting of the virtual machine dynamic password, which solves the password validity problem and further improves password security;

[0044] 4) the invention includes automatic password notification, so the user does not need to memorize the dynamically generated random password, which improves the user experience.

[0045] The invention is particularly suited to securing virtual machine passwords in the following two application scenarios:

[0046] 1) An enterprise uses virtual machines to provide internal services. In this scenario each run of a virtual machine is very long, possibly months or a whole year, and the security of a static password keeps declining as its time in use grows. The periodic dynamic password setting policy adopted by the invention solves this and so improves virtual machine password security in this scenario;

[0047] 2) Cloud computing: an enterprise provides virtual machines to users to run the users' services. In this scenario the virtual machine password may be set by the users themselves, who rarely follow a secure password policy and therefore set insecure passwords. The dynamic password setting method adopted by the invention can set a highly secure password without affecting usability, improving virtual machine password security in this scenario.

[0048] While preserving usability, the invention can greatly improve the security of virtual machine passwords, and has high practical and commercial value.

Brief Description of the Drawings

[0049] Fig. 1 is a flowchart of the execution of the virtual machine dynamic password setting method of the invention;

[0050] Fig. 2 is a flowchart of the implementation of the virtual machine dynamic password generation policy of the invention;

[0051] Fig. 3 is a flowchart of the implementation of the virtual machine dynamic password notification policy of the invention.

Detailed Description

[0052] To make the above and other objects, features and advantages of the invention clearer, preferred embodiments are described in detail below with reference to the accompanying drawings:

[0053] To overcome the described defects of static passwords, the inventors propose to use dynamic passwords. Dynamic password generation is already applied in other fields; the field closest to that of the invention is physical machines (physical machine operating systems), where related applications exist. The virtual machine environment, however, has some new characteristics compared with the physical machine environment, which make the dynamic password setting methods used on physical machines unsuitable for virtual machines.

[0054] The main differences are:

[0055] 1. The virtual machine is generally not physically reachable by the user

[0056] In the dynamic password methods commonly used on physical machines, devices such as smart cards that store (or obtain) the dynamic password must be connected to the physical machine to be used. A virtual machine is not directly reachable, so storing (or obtaining) the password through a smart card or similar device does not suit a virtual machine environment, and a new password notification policy is needed so that users can conveniently obtain the password.

[0057] 2. Virtual machines are generally started from a virtual machine image created in advance

[0058] A virtual machine is installed differently from a physical machine. When a physical machine is installed, the installer provides the installation interface, including a static password screen on which users set their own password. A virtual machine is installed by directly booting a copy of an installation image. That image (in an enterprise environment, many users use the same one) is an already installed system with an initial password already set, so many users' virtual machines share the same initial password. If a user does not change the initial password, the security of that password cannot be guaranteed. A virtual machine image therefore needs a dynamic password setting method, configured to reset the password at boot, to keep user passwords secure.

[0059] 3. Unlike a physical machine, a virtual machine is generally used exclusively by one user

[0060] A physical machine is generally shared by multiple users, and its superuser, who has higher privileges, can help users set up and maintain a dynamic password policy. With virtual machines, one physical machine generally hosts several virtual machines, each used exclusively by one user and isolated from the physical machine, so there is no superuser to set up and maintain security policy on behalf of virtual machine users. Nor are all users domain experts. Each virtual machine therefore needs a secure, easy-to-use dynamic password setting method to keep user passwords secure.

[0061] The virtual machine dynamic password setting method proposed by the invention solves several problems specific to the virtual machine environment.

[0062] In this embodiment, rhel5.4 is the host and its bundled kvm is the hypervisor. The ubuntu9.04 and Windows2003 operating systems are installed as the target virtual machines for the invention, and dynamic password setting is implemented on each of them. The implementation comprises the dynamic password generation policy, the password notification policy, start-at-boot for the generation and notification policies, and the periodic dynamic password setting policy. The generation policy is preferably a dynamic random password generation policy, meaning that a random number is introduced into the generation of the dynamic password; a hash algorithm may also be introduced into the generation process to further increase the randomness of the password and thus its security.

[0063] In this embodiment, the virtual machine dynamic password setting method proposed by the invention proceeds as follows:

[0064] 1) Install the virtual machine (step 10)

[0065] In this embodiment, ubuntu9.04 and windows2003 are installed using the KVM shipped with the host. ubuntu9.04 is installed from the ubuntu9.04 image files prepared by eucalyptus, comprising a kernel, a ramdisk and a file system image. This prepared image already has an ssh server and perl installed.

[0066] 2) Set the dynamic password generation policy (step 11)

[0067] This policy mainly arranges for a secure dynamic password to be generated in the virtual machine and set as the login password.

[0068] Designing a dynamic password generation policy generally means weighing the security of the dynamic password against its ease of use. Because the user does not have to memorize a dynamic password, security can be given more weight and ease of use less. The dynamic password must not be too short, or security cannot be guaranteed; generally it should be at least 8 characters. Nor should it be too long, which makes it troublesome to type; generally it should not exceed 16 characters. A dynamic password is thus best between 8 and 16 characters long. The character set must not be too simple, for example digits only or lowercase letters only; a better character set is "digits + letters (upper and lower case) + punctuation (_ ......&*() !) and so on". The dynamic password must have no regularity, that is, it must carry no particular meaning, and is best generated randomly.

[0069] To improve the effect, this embodiment introduces a random number into the generation of the dynamic password, that is, it adopts a dynamic random password generation policy, and also introduces a hash algorithm into the generation process to further increase the randomness of the password and thereby its security.

[0070] The dynamic password generation policy can be implemented in various programming languages, such as C, Java, shell script, perl or python. To make the generation policy hard to crack, however, C is recommended, with the symbol information removed from the executable (using the strip command) after compilation.

[0071] Referring to Fig. 2, the dynamic password generation policy in this embodiment may comprise the following steps:

[0072] (1) set a custom string a, for example Cloud Manager (step 111);

[0073] (2) get the current date and store it as string b (step 112);

[0074] (3) generate a random number and store it as string c (step 113);

[0075] (4) concatenate strings a, b and c into one string d (step 114);

[0076] (5) compute the digest of string d with the sha1 algorithm to obtain string e (step 115);

[0077] (6) take the last several characters of e as the new dynamic password E (step 116); in this embodiment 12 characters are chosen (8-12 is generally recommended);

[0078] (7) set the new dynamic password E for the root user (step 117).

[0079] The above is the dynamic random password generation policy using a hash algorithm; other dynamic password generation methods may also be used.
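The seven steps above, as an added Python example that is not part of the patent. The ISO date format, the hex encoding of the digest, the use of the `secrets` module for the random number and the `chpasswd` call for a Linux guest are assumptions; the function names are hypothetical.

```python
import hashlib
import secrets
import subprocess
from datetime import date

CUSTOM_STRING = "Cloud Manager"  # string a: the example value given in step (1)
PASSWORD_LENGTH = 12             # the embodiment keeps the last 12 characters of e


def generate_dynamic_password(a=CUSTOM_STRING, today=None, random_number=None,
                              length=PASSWORD_LENGTH, random_bits=64):
    """Steps (1)-(6): return the new dynamic password E."""
    if not 8 <= length <= 16:
        raise ValueError("the description recommends 8 to 16 characters")
    # Step (2): current date as string b (ISO format is an assumption).
    b = (today or date.today()).isoformat()
    # Step (3): random number as string c. Using the OS CSPRNG through
    # `secrets` is an assumption; the patent does not name a generator.
    if random_number is None:
        random_number = secrets.randbits(random_bits)
    c = str(random_number)
    # Step (4): concatenate a, b and c into d.
    d = a + b + c
    # Step (5): SHA-1 digest of d; hex encoding of e is an assumption.
    e = hashlib.sha1(d.encode("utf-8")).hexdigest()
    # Step (6): the last `length` characters of e become E.
    return e[-length:]


def effective_bits(random_bits, length=PASSWORD_LENGTH):
    """Upper bound on the unpredictability of E, in bits.

    a ships inside the image and b is today's date, so c is the only secret
    input, and each hex character of E carries at most 4 bits.
    """
    return min(random_bits, 4 * length)


def set_root_password(password, user="root", apply=False):
    """Step (7): build the "user:password" line that chpasswd reads on stdin.

    With apply=True the line is piped to chpasswd, which must run as root
    inside the guest; the default only returns the line.
    """
    line = f"{user}:{password}\n"
    if apply:
        subprocess.run(["chpasswd"], input=line, text=True, check=True)
    return line


if __name__ == "__main__":
    E = generate_dynamic_password()
    print("length:", len(E), "upper bound (bits):", effective_bits(64))
```

Hashing does not add unpredictability to E: a password built this way is only as hard to guess as the random number c, so the generator behind step (3) is the part that matters.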

[0080] The biggest difference between a dynamic and a static password lies in how the password is communicated to the user. To make sure the user can log in, a secure and effective dynamic password notification policy has to be designed.

[0081] 3) Set the dynamic password notification policy (step 12)

[0082] The first problem in designing the notification policy is how to get the dynamic password to the host or the user. For a virtual machine the following can be done: if the virtual machine can access the network, the dynamic password can be sent to the user by e-mail; if it cannot, the password can be printed to the serial port and so output to the host, in which case the security of the password depends entirely on the security of the host. The options are not limited to these two, and those skilled in the art may use other means of notification.

[0083] With e-mail or SMS, the notification policy is simple to implement: the password just has to be sent to the target e-mail address or to a terminal such as a mobile phone;

[0084] without a network, the password can be sent to the serial port, which, with the help of the host, is a simple way to deliver the dynamic password.

[0085] Referring to Fig. 3, a dynamic password notification policy in this embodiment may comprise the following steps:

[0086] (1) output the generated user name and password E to the serial port (step 121); for example, on ubuntu9.04 the serial output goes to ttyS0, and on windows2003 to COM1;

[0087] (2) obtain the virtual machine's serial output (ttyS0 or COM1) on the host (step 122);

[0088] (3) parse the user name and password E on the host (step 123);

[0089] (4) the host sends the user name and password to the user (step 124).
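Steps (1) to (3) of the serial-port notification, as an added Python example that is not part of the patent. The patent does not define the line format, so the `VMCRED` marker, the field layout and the CRC32 check are assumptions, and the console capture is a constructed sample; step (4), delivery to the user, is left out.

```python
import re
import zlib

MARKER = "VMCRED"  # hypothetical tag marking a credential line on the console

_NOTICE = re.compile(
    re.escape(MARKER)
    + r" user=(?P<user>[A-Za-z0-9_.-]{1,32})"
    + r" password=(?P<password>[\x21-\x7e]{8,16})"
    + r" crc=(?P<crc>[0-9a-f]{8})$"
)


def _crc(user, password):
    # CRC32 over the two fields, so damaged lines are rejected on the host.
    return zlib.crc32(f"user={user} password={password}".encode("ascii"))


def format_notice(user, password):
    """Guest side, step (1): the line written to ttyS0 / COM1."""
    return (f"{MARKER} user={user} password={password} "
            f"crc={_crc(user, password):08x}\r\n")


def parse_serial_log(text):
    """Host side, steps (2)-(3): newest valid (user, password), or None."""
    # Drop the trailing chunk with no newline: it may still be in transit.
    complete, _, _ = text.rpartition("\n")
    latest = None
    for raw in complete.split("\n"):
        match = _NOTICE.search(raw.rstrip("\r"))
        if match is None:
            continue  # boot message or malformed notice
        user, password = match["user"], match["password"]
        if int(match["crc"], 16) != _crc(user, password):
            continue  # corrupted or interleaved with other console output
        latest = (user, password)  # later notices supersede earlier ones
    return latest


def redact_log(text):
    """Mask passwords before the captured console output is stored on the host."""
    pattern = rf"({re.escape(MARKER)} user=\S+ password=)\S+"
    return re.sub(pattern, r"\1***", text)


# Constructed console capture: boot noise, a boot-time notice, a later
# periodic reset, a line damaged in transit and a notice still being written.
SAMPLE_LOG = (
    "[    0.000000] kernel boot message (constructed sample)\r\n"
    + format_notice("root", "3f9a1c07be42")
    + "[   12.300000] eth0: link up (constructed sample)\r\n"
    + format_notice("root", "a07c55d1e9b3")
    + format_notice("root", "deadbeef0000").replace("0000 crc", "0001 crc")
    + "VMCRED user=root password=77aa"
)

if __name__ == "__main__":
    user, _password = parse_serial_log(SAMPLE_LOG)
    print("credentials parsed for user:", user)
    print(redact_log(SAMPLE_LOG))
```

Because the captured console output holds the password in clear text, it is masked with `redact_log` before being kept; the parsed pair is what the host would hand to its delivery channel.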

[0090] This completes the dynamic generation and use of the virtual machine password in this embodiment. To make sure these policies are carried out, and to allow periodic or occasional resets that solve the password validity problem and further improve password security, this embodiment also includes the following steps.

[0091] 4) Set the virtual machine dynamic password setting program to run automatically (step 13)

[0092] First, start-at-boot is implemented, so that the password is changed automatically at every startup;

[0093] on ubuntu9.04, the virtual machine dynamic password setting program can be set to start at boot by adding it to the rc.local file;

[0094] on windows2003, it can be set to start at boot by configuring the virtual machine dynamic password setting program in Group Policy to run automatically.

[0095] 5) Set the virtual machine dynamic password setting program to run periodically (step 14)

[0096] Second, in the usual case (for example a virtual machine providing a Web service) each run of a virtual machine is very long, possibly months or a whole year, and the security of a static password keeps declining as its time in use grows. For long-running virtual machines, the dynamic password setting program can be set to run periodically, to address the weakening of password security over time.

[0097] on ubuntu9.04, periodic execution of the virtual machine dynamic password setting program can be set up with the crontab -e command;

[0098] on windows2003, periodic execution of the virtual machine dynamic password setting program can be set up with Task Scheduler.

[0099] The above steps (steps 10-14) are generally done at the virtual machine installation stage.

[0100] 6) Restart the virtual machine (step 15). The dynamic password generation policy now runs automatically, generating and setting a new password and notifying the host or user of it.

[0101] 在本实施例中,在虚拟机启动过程中会自动执行虚拟机动态密码设置程序来重新设置虚拟机密码,并将用户名和新密码输出到串口中,宿主机rhel5. 4会获取串口输出,分析用户名和密码,最后将用户名和新的密码发送给用户,其通知方法可采用现有的安全方法,例如邮件,加密数据库等方式。 [0101] In the present embodiment, performed automatically in a virtual machine startup virtual machine dynamic password setup to reset the virtual machine password, the user name and the new password is output to the serial port, the host rhel5. 4 and accessories port output, analyze user name and password, the user name and finally the new password to the user, notifying method can be a conventional security methods, such as mail, database encryption mode.

[0102] 在本实施例中,为了简便起见,用户名采用系统默认名,ubimtu9.04的用户名为root, Windows2003的用户名为administrator,在某一次启时我们获得的ubuntu9. 04密码为860a^43、WindoWs2003密码为lgcv9vil ;我们可以看到生成的密码都是随机的,具有良好的安全性。 [0102] In this embodiment, for simplicity, the user name using the default name, ubimtu9.04 user name root, Windows2003 user named administrator, ubuntu9. 04 when a password once we get started as 860a ^ 43, WindoWs2003 password lgcv9vil; we can see the generated passwords are random, with good security.

[0103] 7)在虚拟机运行过程中获得的用户名和密码登录虚拟机,根据需要修改虚拟机动态密码生成、设置和通知策略及其周期性执行的周期(步骤16) [0103] 7) obtained in the process of the virtual machine running the user name and password in the virtual machine, the virtual machine needs to be modified in accordance with the dynamic password generation, and notification policy setting and the period of the periodic execution (step 16)

[0104] 在虚拟机运行阶段,用户可以使用获取的密码通过本地或者远程登录到系统中, 并修改动态密码设置策略以及密码通知策略,而且可以手动执行动态密码生成策略,生成并设置新的密码,并将动态生成的密码通知宿主机或用户。 [0104] In the operational phase of the virtual machine, the user can log into the system via local or remote password to obtain and modify the dynamic password to set policies and password notification policy, and can perform a manual dynamic password generation strategy, generate and set a new password and dynamically generated or host user password notification.

[0105] 对于长期运行的虚拟机(如:提供Web服务的虚拟机),用户可以设定动态密码的自动设置时间,如“每天重置密码,或每周重置密码”等等。 [0105] For long-running virtual machine (such as: Web services provide a virtual machine), the user can set the time automatically set the dynamic passwords such as "password reset daily, weekly or reset password" and so on.

[0106] 本实施例仅以ubuntu9. 04和windows2003系统的虚拟机为例说明虚拟机动态密码设置的过程,事实上本发明适用于任何系统的虚拟机,其中,最典型的应用场景是Linux 和Windows系统的虚拟机。 [0106] The present embodiment only ubuntu9. Windows2003 virtual machine system 04 and an example of the virtual machine during dynamic password provided, the present invention is in fact applicable to any system in a virtual machine, which is the most typical application scenarios and Linux Windows virtual machine system. 以上是以新安装的虚拟机为例进行说明,可以理解的是,本发明也可于已经安装好的虚拟机上实施,这时可以以原静态密码登入虚拟系统后进行进一步操作,这一过程本领域技术人员均可理解,在此不予赘述。 Is installed above a new virtual machine will be described as an example, it is understood that the present invention may also be in a virtual machine has been installed on the embodiment, the case can be further manipulated into a virtual system to the original static password, the process skilled in the art can understand, not repeated herein.

[0107] The foregoing merely describes preferred embodiments of the invention and does not limit its scope. Any person skilled in the art may make minor changes and refinements without departing from the spirit and scope of the invention; that is, all equivalent changes and modifications made in accordance with the invention shall be covered by the patent scope of the invention.

Claims (8)

  1. A dynamic password setting method for a virtual machine, characterized by comprising the following steps: 1) setting a dynamic password generation policy: generating a dynamic password in the virtual machine and setting it as the login password; 2) setting a dynamic password notification policy: automatically notifying the host or the user of the dynamic password.
  2. The dynamic password setting method for a virtual machine according to claim 1, characterized in that the password generation policy in step 1) comprises a dynamic random password generation policy that uses a hash algorithm.
  3. The dynamic password setting method for a virtual machine according to claim 2, characterized in that the hash-algorithm dynamic random password generation policy comprises the following steps: (1) setting a custom string a; (2) obtaining the current date and saving it as string b; (3) generating a random number and saving it as string c; (4) concatenating strings a, b and c into a single string d; (5) computing the digest of string d with the sha1 algorithm to obtain string e; (6) taking the last several characters of e as the new dynamic password E; (7) setting the new dynamic password E for the root user.
  4. The dynamic password setting method for a virtual machine according to claim 1, 2 or 3, characterized in that setting the dynamic password notification policy in step 2) comprises the following steps: (1) outputting the user name and password E to the serial port; (2) obtaining the virtual machine's serial port output on the host; (3) parsing the user name and password E on the host; (4) the host sending the user name and password to the user.
  5. The dynamic password setting method for a virtual machine according to claim 1, 2 or 3, characterized in that, in the dynamic password notification policy set in step 2), the dynamic password is sent to the user by e-mail or SMS.
  6. The dynamic password setting method for a virtual machine according to claim 4, characterized by further comprising step 3): setting the virtual machine dynamic password setting program to execute automatically.
  7. The dynamic password setting method for a virtual machine according to claim 4, characterized by further comprising the step of setting the virtual machine dynamic password setting program to execute periodically.
  8. The dynamic password setting method for a virtual machine according to claim 4, characterized by further comprising the step of modifying, as needed, the virtual machine's dynamic password generation, setting and notification policies and the period of their periodic execution.
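
The generation steps of claim 3 and the serial-port notification of claim 4, sketched in Python as an added example (not code from the patent). The 12-character tail, the `%Y%m%d` date format, the use of `secrets` for the random number and the `VMCRED user=... password=...` line format are assumptions; step (7), setting the password for root, is left out.

```python
import hashlib
import re
import secrets
from datetime import date

TAIL_LEN = 12    # assumption: claim 3 only says "the last several characters"
RAND_BITS = 128  # assumption: size of the random number in step (3)

def generate_password(custom, today=None, rand=None, tail_len=TAIL_LEN):
    """Claim 3, steps (1)-(6): SHA-1 over a+b+c, keep the tail of the hex digest."""
    b = (today or date.today()).strftime("%Y%m%d")   # (2) current date, format assumed
    c = rand if rand is not None else str(secrets.randbits(RAND_BITS))  # (3) CSPRNG
    d = custom + b + c                               # (4) concatenate a, b, c
    e = hashlib.sha1(d.encode("utf-8")).hexdigest()  # (5) digest as 40 hex chars
    return e[-tail_len:]                             # (6) last tail_len chars

def entropy_upper_bound(rand_bits=RAND_BITS, tail_len=TAIL_LEN):
    """Bits left to guess for someone who already knows a and b.

    A deterministic hash adds no entropy, so the bound is the smaller of the
    random number's size and 4 bits per retained hex character.
    """
    return min(rand_bits, 4 * tail_len)

# Hypothetical line format written to the guest's serial port (claim 4, step 1).
CRED_RE = re.compile(r"^VMCRED user=(\S+) password=([0-9a-f]+)$")

def format_serial_line(user, password):
    return f"VMCRED user={user} password={password}"

def parse_serial_output(console_text):
    """Claim 4, step (3): host-side parse; the newest credential line wins."""
    latest = None
    for line in console_text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            latest = (m.group(1), m.group(2))
    return latest

if __name__ == "__main__":
    pw = generate_password("example-site-string")  # constructed custom string
    # Constructed serial console capture: boot noise plus one credential line.
    console = "[ 0.000000] Booting guest\n" + format_serial_line("root", pw) + "\n"
    print(parse_serial_output(console), entropy_upper_bound(), "bits max")
```

Because the credential crosses the serial port in clear text, whatever file or socket backs that port on the host holds the password as well.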
CN 201010284830 2010-09-17 2010-09-17 Dynamic password setting method for virtual machine CN102402655A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010284830 CN102402655A (en) 2010-09-17 2010-09-17 Dynamic password setting method for virtual machine

Publications (1)

Publication Number Publication Date
CN102402655A (en) 2012-04-04

Family

ID=45884853

Country Status (1)

Country Link
CN (1) CN102402655A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102821091A (en) * 2012-06-28 2012-12-12 用友软件股份有限公司 Control device and control method of virtual machine
CN103677858A (en) * 2012-08-30 2014-03-26 中兴通讯股份有限公司 Method, system and device for managing virtual machine software in cloud environment
CN103870748A (en) * 2012-12-17 2014-06-18 华为技术有限公司 Method and device for safety processing of virtual machine
CN104426667A (en) * 2013-09-06 2015-03-18 镇江精英软件科技有限公司 Method for safer management for user passwords of software systems
CN104426668A (en) * 2013-09-06 2015-03-18 镇江精英软件科技有限公司 Method for securely using specific module of software system
CN104424431A (en) * 2013-08-30 2015-03-18 腾讯科技(深圳)有限公司 Method and device for resetting virtual machine user login password

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090150989A1 (en) * 2007-12-07 2009-06-11 Pistolstar, Inc. User authentication
CN101459513A (en) * 2007-12-10 2009-06-17 联想(北京)有限公司 Computer and transmitting method of security information for authentication
CN201467167U (en) * 2009-08-07 2010-05-12 薛明 Password encoder and password protection system

Legal Events

Date Code Title Description
C06 Publication
C41 Transfer of patent application or patent right or utility model
ASS Succession or assignment of patent right

Owner name: CHINA STANDARD SOFTWARE CO., LTD.

Free format text: FORMER OWNER: SHANGHAI ZHONGBIAO SOFTWARE CO. LTD.

Effective date: 20120305

C10 Entry into substantive examination
C12 Rejection of a patent application after its publication