篇首语:本文由小编为大家整理,主要介绍了Linux 密码复杂度设置pam_pwquality、pam_passwdqc(centos7)相关的知识,希望对你有一定的参考价值。
参考技术A 1、Linux对应的密码策略模块有:pam_passwdqc 和 pam_pwquality 。其中pam_passwdqc模块对应的是/etc/login.defs,pam_pwquality对应的是/etc/security/pwquality.conf
2、模块的添加方法:/etc/pam.d/passwd
password required pam_pwquality.so retry=3
3、模块的配置方法有两种:
一、password required pam_pwquality.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
二、添加到/etc/security/pwquality.conf 中
4、/etc/security/pwquality.conf详解:
retry=N:定义登录/修改密码失败时,可以重试的次数;
Difok=N:定义新密码中必须有几个字符要与旧密码不同。但是如果新密码中有1/2以上的字符与旧密码不同时,该新密码将被接受;
minlen=N:定义用户密码的最小长度;
dcredit=N:定义用户密码中必须包含多少个数字;
ucredit=N:定义用户密码中必须包含多少个大写字母;
lcredit=N:定义用户密码中必须包含多少个小些字母;
ocredit=N:定义用户密码中必须包含多少个特殊字符(除数字、字母之外);
其中 =-1表示,至少有一个
5、/etc/login.defs详解:
PASS_MAX_DAYS 99999 #密码的最大有效期, 99999:永久有期
PASS_MIN_DAYS 0 #是否可修改密码,0可修改,非0多少天后可修改
PASS_MIN_LEN 5 #密码最小长度,使用pam_cracklib module,该参数不再有效
PASS_WARN_AGE 7 #密码失效前多少天在用户登录时通知用户修改密码
6、实际生产环境配置
/etc/security/pwquality.conf :
minlen = 8
minclass = 1
maxrepeat = 0
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
difok=5
/etc/login.defs:
PASS_MAX_DAYS 90
PASS_MIN_LEN 12
PASS_MIN_DAYS 7
PASS_WARN_AGE 30
UMASK 077 15login.defs(默认)登录和Linux默认权限设置(密码复杂度,相关安全设置)
[[email protected] ~]# cat /etc/login.defs
Please note that the parameters in this configuration file control the
behavior of the tools from the shadow-utils component. None of these
tools uses the PAM mechanism, and the utilities that use PAM (such as the
passwd command) should therefore be configured elsewhere. Refer to
/etc/pam.d/system-auth for more information.
#
REQUIRED
Directory where mailboxes reside, or name of file, relative to the
home directory. If you do define both, MAIL_DIR takes precedence.
QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
Password aging controls:
#
PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_MIN_LEN Minimum acceptable password length.
PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
If defined, this command is run when removing a user.
It should remove any at/cron/print jobs etc. owned by
the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
If useradd should create home directories for users by default
On RH systems, we do. This option is overridden with the -m flag on
useradd command line.
#
CREATE_HOME yes
The permission mask is initialized to this value. If not specified,
the permission mask will be initialized to 022.
UMASK 077
This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
在linux,设置密码复杂度的方法有几个
一个是在/etc/login.defs文件,里面几个选项
PASS_MAX_DAYS 90 #密码最长过期天数
PASS_MIN_DAYS 80 #密码最小过期天数
PASS_MIN_LEN 10 #密码最小长度
PASS_WARN_AGE 7 #密码过期警告天数
- 另外一个方法是,修改/etc/pam.d/system-auth文件
找到 password requisite pam_cracklib.so这么一行替换成如下:
password requisite pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict
不需要在pw_dict后面加.pwd,因为默认会带的
[[email protected] ~]# passwd test
Changing password for user test.
New password:
/usr/share/cracklib/pw_dict.pwd.pwd: No such file or directory
参数含义:
尝试次数:5
最少不同字符:3
最小密码长度:10
最少大写字母:1
最少小写字母:3
最少数字:3
密码字典:/usr/share/cracklib/pw_dict
这样设置好,你可以做一下测试,不过需要先退出root,因为root用户并不会受这些限制,它可以设置任意的密码。
密码复杂性原则:数字,大写,小写,特殊字符
实例如下:
以上是关于Linux 密码复杂度设置pam_pwquality、pam_passwdqc(centos7)的主要内容,如果未能解决你的问题,请参考以下文章
闽ICP备2020022160号-5