CN114238920A - Operating system login method, operating system login device, electronic equipment, storage medium and program - Google Patents


Publication number: CN114238920A
Application number: CN202010941067.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 彭国洲, 孟明浩
Current and original assignees: NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER; Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Prior art keywords: operating system, user name, ukey, target, equipment
Application filed by NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER, Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards


Abstract

Embodiments of the invention provide an operating system login method, an operating system login device, electronic equipment, a storage medium and a program. When a user logs in to the operating system of a device with a target user name, the target password is verified by the Ukey bound to that user name, and whether the user name is allowed to log in to the operating system is controlled according to the verification result. The user names and Ukeys used to log in to the operating system of the device are bound one-to-one, which reduces the risk that the operating system is illegally logged in to because a user name or a Ukey is stolen.

Description

Operating system login method, operating system login device, electronic equipment, storage medium and program
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for logging in an operating system, an electronic device, a storage medium, and a program.
Background
As the risks caused by leaked terminal device passwords increase, device security management becomes more important for enterprises and individuals. In most cases, however, a device either sets no login password for its operating system or verifies the login in a single, simple way, for example by a password set by the user. The operating system of the terminal device is therefore poorly protected and susceptible to unauthorized login.
Disclosure of Invention
Embodiments of the invention provide an operating system login method, an operating system login device, electronic equipment, a storage medium and a program, which address the problem that the operating system of existing devices is poorly protected and easily logged in to illegally.
To solve the foregoing technical problems, in a first aspect, an embodiment of the present invention provides an operating system login method, including:
acquiring a target user name and a target password entered when logging in to the operating system of a device;
determining, from at least one Ukey connected to the device, the target Ukey bound to the target user name; the Ukey bound to each user name used for logging in to the operating system of the device is unique, and the user name bound to each such Ukey is unique;
inputting the target password into the target Ukey, acquiring the target Ukey's verification result for the target password, and controlling according to the verification result whether the target user name is allowed to log in to the operating system of the device.
Optionally, determining, from at least one Ukey connected to the device, the target Ukey bound to the target user name includes:
acquiring, from the registry, the security identifier (SID) corresponding to the target user name as the target SID;
acquiring, from the at least one Ukey, the Ukey that stores the target SID as the target Ukey.
Optionally, after controlling according to the verification result whether the target user name may log in to the operating system of the device, the method further includes:
after the operating system of the device has been successfully logged in to with the target user name, if the target Ukey is detected to have been removed from the device, placing the operating system of the device in a disabled state.
Optionally, before placing the operating system of the device in the disabled state, the method further includes:
judging whether the currently logged-in user name is the target user name; if so, switching to the disabled state; if not, determining whether a Ukey bound to the currently logged-in user name is among the Ukeys currently connected to the device;
if a Ukey bound to the currently logged-in user name is among the Ukeys currently connected to the device, allowing the login to the operating system of the device to continue, and otherwise switching to the disabled state.
Optionally, before determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, the method further includes:
acquiring the operating system time at which the operating system of the device is currently being logged in to with the target user name, as the system time of the current login;
judging whether the system time of the current login with the target user name is later than the system time of the last login with the target user name, where the system time of the last login is the operating system time at which the target user name last logged in to the operating system of the device;
if the system time of the current login with the target user name is later than the system time of the last login, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device; otherwise, not allowing the target user name to log in to the operating system of the device.
Optionally, before acquiring the target user name and the target password entered when logging in to the operating system of the device, the method further includes:
authorizing at least one administrator Ukey, where different administrator Ukeys, when used to log in to the operating system of the device, hold different authorities for managing the operating system of the device.
Optionally, before acquiring the target user name and the target password entered when logging in to the operating system of the device, the method further includes:
when a system administrator Ukey among the at least one administrator Ukey is logged in to the operating system of the device, binding a user name currently not bound to any Ukey with a Ukey currently not bound to any user name; and/or,
when a security administrator Ukey among the at least one administrator Ukey is logged in to the operating system of the device, setting the login conditions under which any user name may log in to the operating system of the device; the login conditions include that, when any user name logs in to the operating system of the device, the system time of the current login is later than the system time of that user name's last login, and that the login falls within the validity period set for that user name to log in to the operating system of the device; and/or,
when an audit administrator Ukey among the at least one administrator Ukey is logged in to the operating system of the device, querying the log of logins to the operating system of the device by any user name; the login log includes the system time of the target user name's last login;
the system time of the current login with any user name is the operating system time at which that user name logs in to the operating system of the device; the system time of the target user name's last login is the operating system time at which the target user name last logged in to the operating system of the device.
In a second aspect, an embodiment of the present invention provides an operating system login apparatus, including:
an acquisition module, configured to acquire a target user name and a target password entered when logging in to the operating system of a device;
a determining module, configured to determine, from at least one Ukey connected to the device, the target Ukey bound to the target user name; the Ukey bound to each user name used for logging in to the operating system of the device is unique, and the user name bound to each such Ukey is unique;
a control module, configured to input the target password into the target Ukey, acquire the target Ukey's verification result for the target password, and control according to the verification result whether the target user name is allowed to log in to the operating system of the device.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the operating system login method described above when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the operating system login method described in any one of the above.
In a fifth aspect, an embodiment of the present invention provides a computer program, which when executed by a processor implements the steps of the operating system login method described in any one of the above.
Embodiments of the present invention provide an operating system login method, apparatus, electronic device, storage medium and program in which the Ukey bound to each user name used for logging in to the operating system of a device is unique, and the user name bound to each such Ukey is unique. When a user logs in to the operating system of the device with a target user name, the target password is verified by the Ukey bound to that user name, and the login to the operating system is controlled according to the result. Because user names and Ukeys are bound one-to-one, the risk from a stolen user name is lower than when several user names share one Ukey, and the risk from a stolen Ukey is lower than when one user name is bound to several Ukeys. The one-to-one binding thus reduces the risk that the operating system is illegally logged in to because a user name or a Ukey is stolen.
Specifically, when several user names are bound to one Ukey, once the password in that Ukey leaks, the leak of any one of those user names allows an illegal login to the operating system of the device. When one user name is bound to several Ukeys, once that user name leaks, cracking the password of any one of those Ukeys allows an illegal login. It can be seen that when the login to the operating system of the device is verified with a Ukey, the "one-to-many" and "many-to-one" bindings carry a great risk that a leaked user name and a leaked password are combined. In this application, a user name and a Ukey for logging in to the operating system of a given device are bound one-to-one: if the password in a Ukey leaks, an illegal login is possible only if the user name uniquely bound to that Ukey also leaks, and if a user name leaks, an illegal login is possible only if the password in the Ukey uniquely bound to that user name also leaks. Compared with the one-to-many or many-to-one bindings, the one-to-one binding therefore greatly reduces the risk that a user name and its password leak together, and helps reduce the risk that the operating system of the device is illegally logged in to.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an operating system login method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating the process of binding a user name and a Ukey after logging in to the operating system of a device with an authorized administrator Ukey, according to another embodiment of the present invention;
Fig. 3 is a diagram illustrating the authentication process for logging in to the operating system of a device after a user name and a Ukey have been bound, according to another embodiment of the present invention;
Fig. 4 is a block diagram of an operating system login apparatus according to another embodiment of the present invention;
Fig. 5 is a schematic physical structure diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of an operating system login method provided in this embodiment, where the operating system login method is applicable to an operating system in a device. Referring to fig. 1, the operating system login method includes:
Step 101: acquiring a target user name and a target password entered when logging in to the operating system of the device.
The device may be a terminal device, e.g. a computer. The operating system of the device is the system that supports the operation of the device, for example a Windows operating system.
When the equipment is opened, an interface for inputting a user name and a password is displayed, and a target user name and a target password input by a user are acquired through the interface.
Step 102: determining, from at least one Ukey connected to the device, the target Ukey bound to the target user name; the Ukey bound to each user name used for logging in to the operating system of the device is unique, and the user name bound to each such Ukey is unique.
The device has several interfaces through which a Ukey can be connected. When several Ukeys are connected to the device, each Ukey can be traversed according to the target user name to determine the Ukey bound to the target user name.
The user names and Ukeys used for logging in to the operating system of the device are bound one-to-one, so the Ukey bound to the target user name can be uniquely determined from the target user name, and the target password is verified by that Ukey. Compared with a one-to-many or many-to-one binding, this reduces the risk that a user name and the password in its Ukey leak together.
Specifically, when several user names are bound to one Ukey, once the password in that Ukey leaks, the leak of any one of those user names allows an illegal login to the operating system of the device. When one user name is bound to several Ukeys, once that user name leaks, cracking the password of any one of those Ukeys allows an illegal login. It can be seen that when the login to the operating system of the device is verified with a Ukey, the "one-to-many" and "many-to-one" bindings carry a great risk that a leaked user name and a leaked password are combined. In this application, a user name and a Ukey for logging in to the operating system of a given device are bound one-to-one: if the password in a Ukey leaks, an illegal login is possible only if the user name uniquely bound to that Ukey also leaks, and if a user name leaks, an illegal login is possible only if the password in the Ukey uniquely bound to that user name also leaks. Compared with the one-to-many or many-to-one bindings, the one-to-one binding therefore greatly reduces the risk that a user name and its password leak together, and helps reduce the risk that the operating system of the device is illegally logged in to.
In addition, when one user name is bound to several Ukeys, a problem with that user name (for example, it is forgotten and cannot be recovered) invalidates every Ukey bound to it, so that all holders of those Ukeys can no longer log in to the operating system of the device. When one Ukey is bound to several user names, the loss or damage of that Ukey prevents every user name bound to it from logging in to the operating system of the device. With a one-to-many or many-to-one binding it is therefore very easy for several users to lose access to the device operating system at once, and the resilience is low. With the one-to-one binding between user name and Ukey adopted in this embodiment, a problem with either a user name or a Ukey affects the login of only one user and no others, which greatly improves resilience.
Step 103: inputting the target password into the target Ukey, acquiring the target Ukey's verification result for the target password, and controlling according to the verification result whether the target user name is allowed to log in to the operating system of the device.
Specifically, the target password is input into the target Ukey, and the target Ukey compares it with the password stored in the target Ukey; when the two are the same, a verification result indicating that the target password passed verification is output, and otherwise a verification result indicating that the target password failed verification is output;
the verification result is then obtained: if it indicates that verification passed, the target user name is allowed to log in to the operating system of the device; otherwise the target user name is not allowed to log in, and prompt information indicating that the target password was not successfully verified is sent.
This embodiment provides an operating system login method in which the Ukey bound to each user name used for logging in to the operating system of a device is unique, and the user name bound to each such Ukey is unique. When a user logs in to the operating system of the device with a target user name, the target password is verified by the Ukey bound to that user name, and the login to the operating system is controlled according to the result. Because user names and Ukeys are bound one-to-one, the risk from a stolen user name is lower than when several user names share one Ukey, and the risk from a stolen Ukey is lower than when one user name is bound to several Ukeys. The one-to-one binding thus reduces the risk that the operating system is illegally logged in to because a user name or a Ukey is stolen.
Further, on the basis of the foregoing embodiment, determining, from at least one Ukey connected to the device, the target Ukey bound to the target user name includes:
acquiring, from the registry, the security identifier (SID) corresponding to the target user name as the target SID;
acquiring, from the at least one Ukey, the Ukey that stores the target SID as the target Ukey.
It should be noted that the same user name may exist in the operating systems of different devices (for example, a user name A exists both in the operating system of device A and in the operating system of device B). To prevent user names of different devices' operating systems from being used across devices (for example, using the user name A of device B's operating system to log in to the operating system of device A), the security identifier SID that the operating system generates for the target user name is used to look up the Ukey bound to the target user name (the SID corresponding to user name A on device B differs from the SID corresponding to user name A on device A).
The SID is a unique identifier that the operating system generates for each user name, and the SIDs corresponding to the same user name on different devices differ. Therefore, when the SID corresponding to the target user name is stored in the Ukey bound to the target user name, the SID can be used to distinguish whether a Ukey is bound to the target user name.
In this embodiment, the SID corresponding to the target user name is queried from the registry, and since the SID uniquely identifies each user name (distinguishing, for example, the same user name on different devices), matching the target SID against the SID stored in each Ukey locates the Ukey bound to the target user name. This avoids cross-use between identical user names logging in to different devices and improves the security of logging in to the device operating system.
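As an added example (not code from the patent), the following Python models steps 101 to 103 together with the SID-based lookup described above and the binding rule that a system administrator may only bind a user name not yet bound to any Ukey with a Ukey not yet bound to any user name. The Ukey is simulated as an object that holds the SID written at binding time and a PIN, and only ever returns a verdict; the registry query is replaced by a constructed dictionary, and all SIDs, serial numbers and PINs are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Ukey:
    """Simulated hardware token (added example). It stores the SID written at
    binding time and a PIN that never leaves the token: verify() returns only
    a verdict, and a retry counter locks the token after repeated failures."""
    serial: str
    bound_sid: Optional[str] = None
    _pin: str = field(default="", repr=False)
    retries_left: int = 3

    def verify(self, candidate: str) -> bool:
        if self.retries_left <= 0:
            return False  # locked: further attempts are refused without comparing
        if candidate == self._pin:
            self.retries_left = 3
            return True
        self.retries_left -= 1
        return False


class BindingTable:
    """Host-side record that enforces the one-to-one rule: each SID is bound to
    at most one Ukey and each Ukey to at most one SID."""

    def __init__(self) -> None:
        self._sid_to_serial: Dict[str, str] = {}
        self._serial_to_sid: Dict[str, str] = {}

    def bind(self, sid: str, ukey: Ukey) -> None:
        # System administrator step: only an unbound user name and an unbound Ukey
        # may be bound, so rebinding either side is rejected.
        if sid in self._sid_to_serial:
            raise ValueError(f"SID {sid} is already bound to Ukey {self._sid_to_serial[sid]}")
        if ukey.serial in self._serial_to_sid or ukey.bound_sid is not None:
            raise ValueError(f"Ukey {ukey.serial} is already bound to a user name")
        self._sid_to_serial[sid] = ukey.serial
        self._serial_to_sid[ukey.serial] = sid
        ukey.bound_sid = sid  # the SID is written into the token


def find_target_ukey(target_sid: str, attached: List[Ukey]) -> Optional[Ukey]:
    """Step 102: traverse the connected Ukeys and return the one storing target_sid."""
    for key in attached:
        if key.bound_sid == target_sid:
            return key
    return None


def login(user_name: str, password: str, registry: Dict[str, str], attached: List[Ukey]) -> str:
    """Steps 101-103: user name -> SID (registry), SID -> bound Ukey, PIN verified in the token."""
    sid = registry.get(user_name)
    if sid is None:
        return "denied: unknown user name"
    key = find_target_ukey(sid, attached)
    if key is None:
        return "denied: no Ukey bound to this user name is connected"
    if not key.verify(password):
        return "denied: target Ukey did not verify the password"
    return "allowed"


# Constructed stand-in for the registry lookup on device A (user name -> SID).
DEVICE_A_REGISTRY = {
    "alice": "S-1-5-21-1000-2000-3000-1001",
    "bob": "S-1-5-21-1000-2000-3000-1002",
}
# Device B also has an "alice", but its operating system issued a different SID.
DEVICE_B_ALICE_SID = "S-1-5-21-4000-5000-6000-1001"


def demo() -> Dict[str, str]:
    table_a = BindingTable()
    alice_key = Ukey("UK-001", _pin="correct horse")
    bob_key = Ukey("UK-002", _pin="battery staple")
    table_a.bind(DEVICE_A_REGISTRY["alice"], alice_key)
    table_a.bind(DEVICE_A_REGISTRY["bob"], bob_key)

    # A Ukey bound on device B to that device's "alice" carries device B's SID.
    foreign_key = Ukey("UK-009", _pin="correct horse")
    BindingTable().bind(DEVICE_B_ALICE_SID, foreign_key)

    attached = [bob_key, alice_key, foreign_key]
    results = {
        "correct": login("alice", "correct horse", DEVICE_A_REGISTRY, attached),
        "wrong_pin": login("alice", "wrong", DEVICE_A_REGISTRY, attached),
        "foreign_ukey_only": login("alice", "correct horse", DEVICE_A_REGISTRY, [foreign_key]),
        "unknown_user": login("carol", "anything", DEVICE_A_REGISTRY, attached),
    }
    try:  # a second Ukey for alice violates the one-to-one rule
        table_a.bind(DEVICE_A_REGISTRY["alice"], Ukey("UK-003", _pin="x"))
        results["rebind_alice"] = "accepted"
    except ValueError:
        results["rebind_alice"] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

The `foreign_ukey_only` case is the cross-device situation the passage describes: the Ukey bound to device B's "alice" is connected and holds the correct PIN, yet it is never selected on device A because the SID it stores does not match the SID the registry of device A returns for "alice".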
Further, on the basis of the foregoing embodiments, after controlling according to the verification result whether the target user name may log in to the operating system of the device, the method further includes:
after the operating system of the device has been successfully logged in to with the target user name, if the target Ukey is detected to have been removed from the device, placing the operating system of the device in a disabled state.
To improve security, once the target Ukey bound to the target user name is detected to have been removed from the device, the operating system of the device is placed in a disabled state, so that the operating system does not continue to execute operations after the target Ukey has been removed.
Further, on the basis of the foregoing embodiments, before placing the operating system of the device in the disabled state, the method further includes:
judging whether the currently logged-in user name is the target user name; if so, switching to the disabled state; if not, determining whether a Ukey bound to the currently logged-in user name is among the Ukeys currently connected to the device;
if a Ukey bound to the currently logged-in user name is among the Ukeys currently connected to the device, allowing the login to the operating system of the device to continue, and otherwise switching to the disabled state.
It can be understood that after several user names have successfully logged in to the operating system of the device, the user name currently logged in can be changed with the account switching function. For example, after the target Ukey is removed from the device, if the currently logged-in user name is the target user name, the operating system of the device is in the disabled state; but if the account is switched to another successfully logged-in user name and the Ukey bound to that user name is detected to be present (i.e. has not been removed), the operating system of the device may continue to be used under that user name, so that it is in an available state under that user name.
In this embodiment, when the target Ukey is detected to have been removed from the device, the operating system of the device is placed in the disabled state if the logged-in user name is the target user name, which prevents a user of a different user name from operating the operating system after the target Ukey has been removed. Meanwhile, when the logged-in user name is switched from the target user name to another successfully logged-in user name whose bound Ukey is connected to the device, the operating system is made available under that user name. On the one hand this prevents an abnormally logged-in user from operating the operating system and improves its security; on the other hand it does not interfere with the normal use of other logged-in users and preserves the availability of the operating system.
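The removal rule above, as an added example that is not part of the patent: the decision is recomputed whenever a Ukey is removed or the account is switched, and the operating system is usable only while the Ukey bound to the user name currently on the desktop is connected. The bindings, serial numbers and the sequence of events are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceSession:
    """State the login controller keeps after the Ukey-verified logins (added example).
    bindings: user name -> serial of its single bound Ukey (constructed values)."""
    bindings: Dict[str, str]
    logged_in: Set[str] = field(default_factory=set)   # user names that passed step 103
    current_user: str = ""                              # user name currently on the desktop
    attached_serials: Set[str] = field(default_factory=set)
    disabled: bool = False


def reevaluate(state: DeviceSession) -> bool:
    """Rule from the embodiment: the system is available only while the Ukey bound to
    the *currently* logged-in user name is connected. Returns the disabled flag."""
    serial = state.bindings.get(state.current_user)
    state.disabled = serial is None or serial not in state.attached_serials
    return state.disabled


def on_ukey_removed(state: DeviceSession, serial: str) -> bool:
    """Removal event: if the removed Ukey belongs to the current user name the system is
    disabled; removing another logged-in user's Ukey leaves the current session alone."""
    state.attached_serials.discard(serial)
    return reevaluate(state)


def switch_account(state: DeviceSession, user_name: str) -> bool:
    """Account switching is only to a user name that already logged in through its Ukey;
    the disabled state is then recomputed for that user name."""
    if user_name not in state.logged_in:
        raise ValueError(f"{user_name} has not logged in on this device")
    state.current_user = user_name
    return reevaluate(state)


def demo() -> List[Tuple[str, bool]]:
    """Constructed event sequence; each entry is (event, disabled-after-event)."""
    state = DeviceSession(
        bindings={"alice": "UK-001", "bob": "UK-002"},
        logged_in={"alice", "bob"},
        current_user="alice",
        attached_serials={"UK-001", "UK-002"},
    )
    trace = [("start as alice", reevaluate(state))]                            # available
    trace.append(("remove bob's UK-002", on_ukey_removed(state, "UK-002")))    # alice unaffected
    trace.append(("switch to bob", switch_account(state, "bob")))              # disabled: UK-002 gone
    trace.append(("switch back to alice", switch_account(state, "alice")))     # available again
    trace.append(("remove alice's UK-001", on_ukey_removed(state, "UK-001")))  # disabled
    trace.append(("switch to bob", switch_account(state, "bob")))              # still disabled
    return trace


if __name__ == "__main__":
    for event, disabled in demo():
        print(f"{event:24s} -> {'disabled' if disabled else 'available'}")
```

Keeping the decision in one function that is re-run on every event, rather than toggling a flag in the removal handler, is what makes the account-switch case come out right: the check is always made against the user name that is current at that moment, not against the user name whose Ukey happened to be removed.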
Further, on the basis of the foregoing embodiments, before determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, the method further includes:
acquiring the operating system time at which the operating system of the device is currently being logged in to with the target user name, as the system time of the current login;
judging whether the system time of the current login with the target user name is later than the system time of the last login with the target user name, where the system time of the last login is the operating system time at which the target user name last logged in to the operating system of the device;
if the system time of the current login with the target user name is later than the system time of the last login, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device; otherwise, not allowing the target user name to log in to the operating system of the device.
The method may further include:
judging whether the system time of the current login with the target user name falls within the validity period set for the target user name to log in to the operating system of the device; if so, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, and if not, not allowing the target user name to log in to the operating system of the device.
That the system time of the current login with the target user name is later than the system time of the last login means that, on the time axis from past to future, the current login's system time lies closer to the future than the last login's system time.
The purpose of judging whether the system time of the current login is later than that of the last login is to prevent the user of the target user name from continuing to use the operating system beyond its validity period by modifying the operating system time.
For example, as the expiry of the period during which the target user name may log in to the operating system of the device approaches, the user may set the operating system time to an earlier value: if the expiry date is 20191012 and the current date is 20191101, the user may set the operating system time to 20191001 so that the current login falls within the validity period.
In this embodiment, judging whether the system time of the current login with the target user name is later than that of the last login prevents the illegal bypassing of the validity period by modifying the operating system time, and improves the security of logging in to the operating system of the device.
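The two login conditions above (monotonic login time and validity period), as an added example that is not the patent's code. The dates are the page's own (expiry 20191012, current date 20191101, clock set back to 20191001); the earlier login on 20191010 and the user name are constructed so that the rollback case can be shown.

```python
from datetime import date, datetime
from typing import Dict, List, Optional


def parse_yyyymmdd(value: str) -> date:
    """Dates in the page's example are written as YYYYMMDD (e.g. 20191012)."""
    return datetime.strptime(value, "%Y%m%d").date()


def check_login_time(now: date, last_login: Optional[date], valid_until: Optional[date]) -> str:
    """Login conditions evaluated before the Ukey lookup (added example).
    Returns "ok" or the reason the login is refused."""
    # Condition 1: the current system time must be later than the recorded last login.
    if last_login is not None and not now > last_login:
        return "refused: system time is not later than the last login time"
    # Condition 2: the login must fall within the validity period set by the security administrator.
    if valid_until is not None and now > valid_until:
        return "refused: validity period has expired"
    return "ok"


class LoginLog:
    """Per-user-name last-login record, as the audit administrator would query it."""

    def __init__(self) -> None:
        self._last_login: Dict[str, date] = {}

    def last_login(self, user_name: str) -> Optional[date]:
        return self._last_login.get(user_name)

    def record(self, user_name: str, when: date) -> None:
        self._last_login[user_name] = when


def attempt(log: LoginLog, user_name: str, now_str: str, valid_until_str: str) -> str:
    """One login attempt: evaluate the time conditions and, if they pass, record this login."""
    now = parse_yyyymmdd(now_str)
    verdict = check_login_time(now, log.last_login(user_name), parse_yyyymmdd(valid_until_str))
    if verdict == "ok":
        log.record(user_name, now)
    return verdict


def demo() -> List[str]:
    """Constructed sequence: validity ends 20191012; an earlier login on 20191010 is assumed;
    on 20191101 the login is expired, and setting the clock back to 20191001 is caught."""
    log = LoginLog()
    return [
        attempt(log, "alice", "20191010", "20191012"),  # ok: inside the validity period
        attempt(log, "alice", "20191101", "20191012"),  # refused: expired
        attempt(log, "alice", "20191001", "20191012"),  # refused: clock set before the last login
        attempt(log, "alice", "20191011", "20191012"),  # ok: later than last login, still valid
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because the rule compares the clock against the recorded last-login time, that record must be protected from modification by the logged-in user as carefully as the clock itself; in the embodiment it is the login log that the audit administrator Ukey is authorized to query.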
Further, on the basis of the foregoing embodiments, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further includes:
authorizing at least one administrator Ukey, wherein different administrator Ukeys, when used to log in to the operating system in the device, hold different authorities for managing the operating system in the device.
The at least one administrator Ukey may include a system administrator Ukey for binding user names to Ukeys, a security administrator Ukey for setting login conditions, an audit administrator Ukey for querying information such as logs, and the like.
Each administrator Ukey can be authorized with an authorization tool; alternatively, a Ukey authorization certificate can be applied for and the certificate information imported into each administrator Ukey to authorize it.
In this embodiment, different authorities for managing the operating system in the device are allocated to different administrator Ukeys. Compared with allocating all such authorities to the same administrator Ukey, the authority held by any one administrator Ukey holder is reduced, and security is improved.
Further, on the basis of the foregoing embodiments, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further includes:
when a system administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, binding a user name that is not currently bound to any Ukey to a Ukey that is not currently bound to any user name; and/or,
when a security administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, setting the login conditions under which any user name may log in to the operating system in the device; the login conditions include that, when any user name logs in to the operating system in the device, the system time at that login is later than the system time at the last login, and that the login falls within the validity period during which that user name may log in to the operating system in the device; and/or,
when an audit administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, querying the log of logins to the operating system in the device by any user name; the login log includes the system time at the last login with the target user name;
the system time at the current login with any user name is the time of the operating system when that user name logs in to the operating system in the device; the system time at the last login with the target user name is the time of the operating system when the target user name last logged in to the operating system in the device.
Further, binding the user name that is not currently bound to any Ukey to the Ukey that is not currently bound to any user name includes:
acquiring the hardware key information of any one Ukey from the Ukeys connected to the device; judging, from a preset correspondence and the hardware key information of that Ukey, whether that Ukey is already bound to any user name; if so, continuing to acquire the hardware key information of a Ukey not yet traversed from the Ukeys connected to the device; otherwise, that Ukey is not currently bound to any user name, and the user name that is not currently bound to any Ukey is bound to it;
The hardware key information of a Ukey is information that identifies the Ukey. For example, the hardware key information of a given Ukey is a hardware identification code that uniquely identifies that Ukey.
For example, after the operating system has started, the operating system is selected to be logged in to with the identity of an administrator, and a system administrator Ukey, a security administrator Ukey and an audit administrator Ukey are connected to the device. The user name and password corresponding to the system administrator Ukey are entered; after they pass verification by the system administrator Ukey, a Ukey not bound to any user name and a user name not bound to any Ukey are selected through the interface and bound to each other. The user name and password corresponding to the security administrator Ukey are entered; after they pass verification by the security administrator Ukey, login conditions such as an expiry date are set through the interface for each user name successfully bound to a Ukey. The user name and password corresponding to the audit administrator Ukey are entered; after they pass verification by the audit administrator Ukey, the log of logins to the operating system of the device by each successfully bound user name can be read.
It should be noted that the log may record only the system time of the last login, or the system time of every login by each user name. When the operating system is logged in to with the target user name, the system time of the last login with the target user name is obtained from the login log and compared with the system time of the current login with the target user name, so as to determine whether the current login to the operating system in the device with the target user name satisfies the login conditions set when the security administrator Ukey was logged in.
In this embodiment, one-to-one binding of user names and Ukeys, setting of login conditions, and querying of log information are carried out by three administrator Ukeys (a system administrator Ukey, a security administrator Ukey and an audit administrator Ukey), which ensures secure login to the operating system of the device with a user name.
Fig. 2 is a schematic diagram of the process of binding a user name to a Ukey after an authorized administrator has logged in to the operating system of the device with a Ukey according to this embodiment, and Fig. 3 is a schematic diagram of the authentication process when logging in to the operating system of the device after the user name and the Ukey have been bound according to this embodiment. With reference to Figs. 2 and 3, the binding and login process includes the following:
(1) Authorize the three administrator Ukeys with the authorization tool, or apply for a Ukey authorization certificate and import the certificate information into the three administrator Ukeys.
(2) Insert an authorized system administrator Ukey, then install and register the secure login module. During installation the accounts are traversed and their passwords are changed.
(3) Insert an authorized system administrator Ukey and log in to the secure login configuration interface with the system administrator account (sysadmin).
(4) Insert an ordinary Ukey that has not been authorized as an administrator Ukey, then select a local account to bind. If the inserted Ukey is already bound to a user, the operator is prompted to release that binding first and then bind. If the selected user is already bound to a Ukey, the prompt states that user XXX is already bound to a Ukey and asks that the binding be released before binding again. (One user can bind only one Ukey, and one Ukey can bind only one user.)
(5) Restart the computer. After the login interface appears, insert the Ukey bound to the user, enter the user name and the PIN code (that is, the input password), and confirm PIN authentication. After the authentication succeeds, the system is logged in to normally with the changed password.
In this embodiment, the hardware key information, the binding relationship between the local system account and the key, and the PIN code in the key are verified when logging in to the operating system, which ensures that only a person with authority can log in in the secure mode.
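The binding and login procedure of steps (1) to (5), together with the SID lookup described further below, as an added example in Python; it is not code from the patent, its applicants or the secure login module. The hardware token is simulated (a real Ukey verifies the PIN internally and returns only a verdict; the PBKDF2 hash and the retry lockout in SimulatedUkey are assumptions), the Windows registry is stood in for by a dict from user name to SID, and all SIDs, serial numbers, PINs and user names are constructed.

```python
"""Ukey binding and PIN-verified login, following steps (1)-(5) above.
Added example, not code from the patent or its applicants. SimulatedUkey stands
in for the hardware token: a real Ukey checks the PIN inside the token and
returns only a verdict; here a salted PBKDF2 hash and a retry counter are used
(both assumptions). The registry is a dict from user name to SID, the hardware
key information is the serial string, and every SID, serial and PIN is
constructed for this example."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional


class SimulatedUkey:
    def __init__(self, serial: str, pin: str, max_retries: int = 5) -> None:
        self.serial = serial                  # hardware key information, unique per token
        self.bound_sid: Optional[str] = None  # SID written into the token at binding time
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)
        self._max_retries = max_retries
        self.retries_left = max_retries

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_pin(self, pin: str) -> bool:
        """Verdict only, as a token returns it; the token locks after too many failures."""
        if self.retries_left <= 0:
            return False
        if hmac.compare_digest(self._derive(pin), self._pin_hash):
            self.retries_left = self._max_retries
            return True
        self.retries_left -= 1
        return False


class BindingTable:
    """Preset correspondence between hardware serials and user names, kept one-to-one."""

    def __init__(self) -> None:
        self.serial_to_user: Dict[str, str] = {}
        self.user_to_serial: Dict[str, str] = {}

    def first_unbound(self, inserted: List[SimulatedUkey]) -> Optional[SimulatedUkey]:
        """Traverse the connected tokens and return the first one not yet bound."""
        for key in inserted:
            if key.serial not in self.serial_to_user:
                return key
        return None

    def bind(self, user: str, key: Optional[SimulatedUkey], registry: Dict[str, str]) -> str:
        """Bind only when neither side is already bound; store the user's SID in the token."""
        if key is None:
            return "refuse: no unbound Ukey connected"
        if key.serial in self.serial_to_user:
            return f"refuse: Ukey {key.serial} already bound to {self.serial_to_user[key.serial]}"
        if user in self.user_to_serial:
            return f"refuse: user {user} already bound to Ukey {self.user_to_serial[user]}"
        if user not in registry:
            return f"refuse: no SID for user {user}"
        key.bound_sid = registry[user]
        self.serial_to_user[key.serial] = user
        self.user_to_serial[user] = key.serial
        return "bound"


def login(user: str, pin: str, inserted: List[SimulatedUkey],
          registry: Dict[str, str], table: BindingTable) -> str:
    """Look up the SID, find the connected token holding it, cross-check the binding,
    then let the token itself verify the PIN."""
    sid = registry.get(user)
    if sid is None:
        return "deny: unknown user"
    target = next((k for k in inserted if k.bound_sid == sid), None)
    if target is None:
        return "deny: bound Ukey not connected"
    if table.serial_to_user.get(target.serial) != user:
        return "deny: token SID disagrees with binding table"
    return "allow" if target.verify_pin(pin) else "deny: PIN rejected by Ukey"


def run_binding_scenario() -> List[str]:
    """Constructed walkthrough: two users, two tokens, one token that was never bound."""
    registry = {"alice": "S-1-5-21-1111-2222-3333-1001",
                "bob": "S-1-5-21-1111-2222-3333-1002"}
    k1, k2 = SimulatedUkey("SN-0001", "1234"), SimulatedUkey("SN-0002", "9876")
    table = BindingTable()
    k3 = SimulatedUkey("SN-0003", "1234")
    k3.bound_sid = registry["alice"]  # carries alice's SID but never went through the table
    return [
        table.bind("alice", table.first_unbound([k1, k2]), registry),  # SN-0001 -> alice
        table.bind("alice", k2, registry),                              # alice already bound
        table.bind("bob", k1, registry),                                # SN-0001 already bound
        table.bind("bob", table.first_unbound([k1, k2]), registry),    # SN-0002 -> bob
        login("alice", "1234", [k1, k2], registry, table),             # allow
        login("alice", "0000", [k1, k2], registry, table),             # wrong PIN
        login("alice", "1234", [k2], registry, table),                 # her token not connected
        login("alice", "1234", [k3], registry, table),                 # token not in the table
        login("carol", "1234", [k1, k2], registry, table),             # unknown user
    ]
```

The cross-check of the token's SID against the binding table is what gives the "binding relationship" verification of the summary above its teeth: a token that merely carries the right SID but was never bound through the system administrator Ukey is refused before its PIN is even tried.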
Fig. 4 is a block diagram of the operating system login apparatus provided in this embodiment. Referring to Fig. 4, the operating system login apparatus includes an obtaining module 401, a determining module 402 and a control module 403, wherein:
the obtaining module 401 is configured to obtain the target user name and the target password input when logging in to the operating system in the device;
the determining module 402 is configured to determine, from at least one Ukey connected to the device, the target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique;
the control module 403 is configured to input the target password into the target Ukey, obtain the verification result of the target Ukey for the target password, and control, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
The operating system login apparatus provided in this embodiment is suited to the operating system login method provided in each of the above embodiments, and is not described again here.
In the operating system login apparatus provided in this embodiment, the Ukey bound to each user name used for logging in to the operating system in the device is unique, and the user name bound to each Ukey used for logging in to the operating system in the device is unique. When a user logs in to the operating system of the device with the target user name, the target password is verified by the Ukey bound to the target user name, and login to the operating system in the device is then controlled accordingly. Because user names and Ukeys used for logging in to the operating system in the device are bound one-to-one, the risk posed by a stolen user name is reduced compared with one Ukey being bound to several user names, and the risk posed by a stolen Ukey is reduced compared with one user name being bound to several Ukeys. The one-to-one binding therefore reduces the risk of the operating system being illegally logged in to because a user name or a Ukey is stolen.
Specifically, when several user names are bound to one Ukey and the password in that Ukey leaks, the operating system of the device can be illegally logged in to as soon as any one of those user names leaks. When one user name is bound to several Ukeys and the user name leaks, the operating system of the device can be illegally logged in to as soon as the password in any one of those Ukeys is cracked. Thus, when the Ukey is used to verify login to the operating system of the device, a one-to-many or many-to-one binding carries a high risk from a leaked user name and password. In the present application, the user name and the Ukey for logging in to the operating system of a given device are bound one-to-one: if the password in a Ukey leaks, the operating system of the device can be illegally logged in to only if the one user name bound to that Ukey also leaks, and if a user name leaks, the operating system of the device can be illegally logged in to only if the password in the one Ukey bound to that user name also leaks. Compared with one-to-many or many-to-one binding, one-to-one binding therefore greatly reduces the risk of the user name and the password leaking together, and helps reduce the risk of the operating system of the device being illegally logged in to.
Optionally, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device includes:
acquiring the security identifier (SID) corresponding to the target user name from the registry as the target SID;
and taking, from the at least one Ukey, the Ukey that stores the target SID as the target Ukey.
Optionally, after controlling, according to the verification result, whether the target user name may log in to the operating system in the device, the method further includes:
after the operating system in the device has been successfully logged in to with the target user name, if the target Ukey is detected to have been removed from the device, controlling the operating system in the device to enter a disabled state.
Optionally, before controlling the operating system in the device to enter the disabled state, the method further includes:
judging whether the currently logged-in user name is the target user name; if so, switching to the disabled state, and if not, determining whether a Ukey bound to the currently logged-in user name is present among the Ukeys currently connected to the device;
and if a Ukey bound to the currently logged-in user name is present among the Ukeys currently connected to the device, allowing the operating system in the device to remain logged in, and otherwise switching to the disabled state.
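The removal rule above (disable the system when the target Ukey is pulled, unless a different user is now at the console and that user's own Ukey is still connected), as an added example in Python; this is not the patent's code. The Session object, the serial-to-user binding dict and the list of connected serials are constructed stand-ins for the module's own state.

```python
"""Handling removal of the target Ukey after login, per the passage above.
Added example, not the patent's code. A Session records the user name that
logged in with its Ukey (the target user) and the user currently at the
console, which differ after a user switch; `bindings` maps hardware serial to
user name and `inserted` lists the serials still connected. All constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    target_user: str          # user name that logged in through its bound Ukey
    current_user: str         # user name currently logged in at the console
    state: str = "active"     # "active" or "disabled"


def on_ukey_removed(session: Session, removed_serial: str,
                    inserted: List[str], bindings: Dict[str, str]) -> str:
    """Apply the removal rule and return the resulting session state."""
    if session.state == "disabled":
        return session.state
    if bindings.get(removed_serial) != session.target_user:
        return session.state        # some other token; the target Ukey is still present
    if session.current_user == session.target_user:
        session.state = "disabled"  # the logged-in user's own token was pulled
        return session.state
    # A different user is at the console: continue only if that user's own token is connected
    if any(bindings.get(s) == session.current_user for s in inserted):
        return session.state
    session.state = "disabled"
    return session.state


def run_removal_scenario() -> List[str]:
    """Constructed cases: the four branches of the rule, in order."""
    bindings = {"SN-0001": "alice", "SN-0002": "bob"}
    return [
        on_ukey_removed(Session("alice", "alice"), "SN-0001", [], bindings),           # disabled
        on_ukey_removed(Session("alice", "bob"), "SN-0001", ["SN-0002"], bindings),    # active
        on_ukey_removed(Session("alice", "bob"), "SN-0001", [], bindings),             # disabled
        on_ukey_removed(Session("alice", "alice"), "SN-0002", ["SN-0001"], bindings),  # active
    ]
```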
Optionally, before determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, the method further includes:
acquiring the time of the operating system when the operating system in the device is currently being logged in to with the target user name, as the system time at the current login;
judging whether the system time at the current login with the target user name is later than the system time at the last login with the target user name, wherein the system time at the last login with the target user name is the time of the operating system when the target user name last logged in to the operating system in the device;
and if the system time at the current login with the target user name is later than the system time at the last login, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, and otherwise not allowing the target user name to log in to the operating system in the device.
Optionally, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further includes:
authorizing at least one administrator Ukey, wherein different administrator Ukeys, when used to log in to the operating system in the device, hold different authorities for managing the operating system in the device.
Optionally, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further includes:
when a system administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, binding a user name that is not currently bound to any Ukey to a Ukey that is not currently bound to any user name; and/or,
when a security administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, setting the login conditions under which any user name may log in to the operating system in the device; the login conditions include that, when any user name logs in to the operating system in the device, the system time at that login is later than the system time at the last login, and that the login falls within the validity period during which that user name may log in to the operating system in the device; and/or,
when an audit administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, querying the log of logins to the operating system in the device by any user name; the login log includes the system time at the last login with the target user name;
the system time at the current login with any user name is the time of the operating system when that user name logs in to the operating system in the device; the system time at the last login with the target user name is the time of the operating system when the target user name last logged in to the operating system in the device.
Fig. 5 illustrates the physical structure of an electronic device, which, as shown in Fig. 5, may include a processor 501, a communications interface 502, a memory 503 and a communication bus 504, wherein the processor 501, the communications interface 502 and the memory 503 communicate with each other via the communication bus 504. The processor 501 may call logic instructions in the memory 503 to perform the following method: acquiring a target user name and a target password input when logging in to an operating system in a device; determining, from at least one Ukey connected to the device, a target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique; inputting the target password into the target Ukey, acquiring a verification result of the target Ukey for the target password, and controlling, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
In addition, the logic instructions in the memory 503 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Further, an embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above method embodiments, for example: acquiring a target user name and a target password input when logging in to an operating system in a device; determining, from at least one Ukey connected to the device, a target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique; inputting the target password into the target Ukey, acquiring a verification result of the target Ukey for the target password, and controlling, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
In another aspect, an embodiment of the present invention further provides a non-transitory readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the operating system login method provided in the foregoing embodiments, for example: acquiring a target user name and a target password input when logging in to an operating system in a device; determining, from at least one Ukey connected to the device, a target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique; inputting the target password into the target Ukey, acquiring a verification result of the target Ukey for the target password, and controlling, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding, the above technical solutions may be embodied in the form of a software product, which may be stored in a readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (11)

1. An operating system login method, comprising:
acquiring a target user name and a target password input when logging in to an operating system in a device;
determining, from at least one Ukey connected to the device, a target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique;
inputting the target password into the target Ukey, acquiring a verification result of the target Ukey for the target password, and controlling, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
2. The operating system login method according to claim 1, wherein determining the target Ukey bound to the target user name from the at least one Ukey connected to the device comprises:
acquiring a security identifier (SID) corresponding to the target user name from a registry as a target SID;
and taking, from the at least one Ukey, the Ukey that stores the target SID as the target Ukey.
3. The operating system login method according to claim 1, wherein, after controlling, according to the verification result, whether to allow the target user name to log in to the operating system in the device, the method further comprises:
after the operating system in the device has been successfully logged in to with the target user name, if the target Ukey is detected to have been removed from the device, controlling the operating system in the device to enter a disabled state.
4. The operating system login method according to claim 3, further comprising, before controlling the operating system in the device to enter the disabled state:
judging whether the currently logged-in user name is the target user name; if so, switching to the disabled state, and if not, determining whether a Ukey bound to the currently logged-in user name is present among the Ukeys currently connected to the device;
and if a Ukey bound to the currently logged-in user name is present among the Ukeys currently connected to the device, allowing the operating system in the device to remain logged in, and otherwise switching to the disabled state.
5. The operating system login method according to claim 1, wherein, before determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, the method further comprises:
acquiring the time of the operating system when the operating system in the device is currently being logged in to with the target user name, as the system time at the current login;
judging whether the system time at the current login with the target user name is later than the system time at the last login with the target user name, wherein the system time at the last login with the target user name is the time of the operating system when the target user name last logged in to the operating system in the device;
and if the system time at the current login with the target user name is later than the system time at the last login, determining the target Ukey bound to the target user name from the at least one Ukey connected to the device, and otherwise not allowing the target user name to log in to the operating system in the device.
6. The operating system login method according to claim 1, wherein, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further comprises:
authorizing at least one administrator Ukey, wherein different administrator Ukeys, when used to log in to the operating system in the device, hold different authorities for managing the operating system in the device.
7. The operating system login method according to claim 6, wherein, before acquiring the target user name and the target password input when logging in to the operating system in the device, the method further comprises:
when a system administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, binding a user name that is not currently bound to any Ukey to a Ukey that is not currently bound to any user name; and/or,
when a security administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, setting the login conditions under which any user name may log in to the operating system in the device; the login conditions include that, when any user name logs in to the operating system in the device, the system time at that login is later than the system time at the last login, and that the login falls within the validity period during which that user name may log in to the operating system in the device; and/or,
when an audit administrator Ukey among the at least one administrator Ukey has logged in to the operating system in the device, querying the log of logins to the operating system in the device by any user name; the login log includes the system time at the last login with the target user name;
the system time at the current login with any user name is the time of the operating system when that user name logs in to the operating system in the device; the system time at the last login with the target user name is the time of the operating system when the target user name last logged in to the operating system in the device.
8. An operating system login apparatus, comprising:
an obtaining module, configured to obtain a target user name and a target password input when logging in to an operating system in a device;
a determining module, configured to determine, from at least one Ukey connected to the device, a target Ukey bound to the target user name, wherein the Ukey bound to any user name used for logging in to the operating system in the device is unique, and the user name bound to any such Ukey is unique;
and a control module, configured to input the target password into the target Ukey, acquire a verification result of the target Ukey for the target password, and control, according to the verification result, whether to allow the target user name to log in to the operating system in the device.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the operating system login method according to any one of claims 1 to 7 are implemented when the program is executed by the processor.
10. A non-transitory readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the operating system login method according to any one of claims 1 to 7.
11. A computer program, characterized in that the computer program realizes the steps of the operating system login method according to any one of claims 1 to 7 when executed by a processor.
CN202010941067.0A 2020-09-09 2020-09-09 Operating system login method, operating system login device, electronic equipment, storage medium and program Pending CN114238920A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010941067.0A CN114238920A (en) 2020-09-09 2020-09-09 Operating system login method, operating system login device, electronic equipment, storage medium and program

Publications (1)

Publication Number Publication Date
CN114238920A true CN114238920A (en) 2022-03-25

Family

ID=80742637

Country Status (1)

Country Link
CN (1) CN114238920A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: 100097 No. 202, 203, 205, 206, 207, 208, 2nd floor, block D, No. 51, Kunming Hunan Road, Haidian District, Beijing

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Applicant after: QAX Technology Group Inc.

Applicant after: NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER

Address before: 100097 No. 202, 203, 205, 206, 207, 208, 2nd floor, block D, No. 51, Kunming Hunan Road, Haidian District, Beijing

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

Country or region before: China

Applicant before: QAX Technology Group Inc.

Applicant before: NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER
