Password policies
https://developer.hashicorp.com/vault/api-docs/system/policies-password
https://developer.hashicorp.com/vault/docs/concepts/password-policies
Custom password policies
Create a password policy file
$ cat my-policy.hcl
length = 20
rule "charset" {
charset = "abcde"
min-chars = 1
}
rule "charset" {
charset = "01234"
min-chars = 1
}
This policy generates passwords from the character set abcde01234. However, each password must contain at least 1 character from abcde and at least 1 character from 01234. If the character sets of different rules overlap, the combined set is deduplicated so that generation is not biased toward the overlapping characters. For example, with two charset rules, abcde and cdefg, the set abcdefg is used to generate candidate passwords, but at least one character from each of abcde and cdefg must still appear in the password.
Submit the policy to Vault
$ vault write sys/policies/password/my-policy policy=@my-policy.hcl
Success! Data written to: sys/policies/password/my-policy
Read the policy
$ vault read sys/policies/password/my-policy
Key       Value
---       -----
policy    length = 20
rule "charset" {
charset = "abcde"
}
Delete the policy
$ vault delete sys/policies/password/my-policy
Success! Data deleted (if it existed) at: sys/policies/password/my-policy
Default password policy
Vault ships with a default password policy that applies to any password Vault generates without an explicit policy assignment. The default policy requires passwords to include:
20 characters total
1 uppercase character
1 lowercase character
1 number
1 special character
Expressed as an HCL configuration file:
length = 20
rule "charset" {
charset = "abcdefghijklmnopqrstuvwxyz"
min-chars = 1
}
rule "charset" {
charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
min-chars = 1
}
rule "charset" {
charset = "0123456789"
min-chars = 1
}
rule "charset" {
charset = "-"
min-chars = 1
}
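The following is an added example, not code from the page or from Vault itself. It models the two policies above (my-policy and the default policy) as plain data and shows the semantics the text describes: the charsets of all rules are merged and deduplicated into one candidate alphabet, a password is valid only if every rule's min-chars is met, and generation keeps drawing candidates from the deduplicated alphabet until one satisfies every rule. The policy dictionaries and function names are assumptions for illustration; the rejection-sampling loop is one way to honour the rules, not a claim about Vault's internal implementation.

```python
import secrets
import string
from collections import Counter

# Assumed representation: length plus (charset, min-chars) rules, same shape as the HCL.
MY_POLICY = {"length": 20, "rules": [("abcde", 1), ("01234", 1)]}
OVERLAP_POLICY = {"length": 20, "rules": [("abcde", 1), ("cdefg", 1)]}
DEFAULT_POLICY = {"length": 20, "rules": [
    (string.ascii_lowercase, 1), (string.ascii_uppercase, 1),
    (string.digits, 1), ("-", 1)]}


def candidate_charset(policy):
    """Merge every rule's charset, dropping duplicates so an overlapping
    character is not over-represented in the candidate alphabet."""
    seen = []
    for charset, _ in policy["rules"]:
        for ch in charset:
            if ch not in seen:
                seen.append(ch)
    return "".join(seen)


def satisfies(policy, password):
    """True only if the length matches, every character comes from the
    merged alphabet, and each rule's min-chars requirement is met."""
    if len(password) != policy["length"]:
        return False
    alphabet = candidate_charset(policy)
    if any(ch not in alphabet for ch in password):
        return False
    counts = Counter(password)
    return all(sum(counts[c] for c in charset) >= min_chars
               for charset, min_chars in policy["rules"])


def generate(policy, max_attempts=10000):
    """Rejection sampling: draw uniformly from the deduplicated alphabet with
    a CSPRNG and retry until every rule holds (or give up on an unsatisfiable policy)."""
    if sum(m for _, m in policy["rules"]) > policy["length"]:
        raise ValueError("rules require more characters than the policy length")
    alphabet = candidate_charset(policy)
    for _ in range(max_attempts):
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if satisfies(policy, pw):
            return pw
    raise RuntimeError("no candidate satisfied the policy")
```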