The following settings need to be configured:
1. The password must meet complexity requirements (letters, numbers and special characters) and be longer than 8 characters.
2. Passwords must be changed regularly, at most every 90 days.
3. Users cannot reuse any of their last 5 passwords.
4. The number of failed login attempts must be limited to no more than 5; after more than 5 failures the account is temporarily locked for 20 minutes or more.
Install PAM's cracklib module (pam_cracklib); cracklib provides additional password-checking capability.
1. The password must meet complexity requirements (letters, numbers and special characters) and be longer than 8 characters.
Edit /etc/pam.d/system-auth and find the line that contains both "password" and "pam_cracklib.so"; set it to:
password requisite pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
2. Passwords must be changed regularly, at most every 90 days.
Edit the configuration file /etc/login.defs and set:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
View a user's password aging information with chage -l xxx (user name).
3. Users cannot reuse any of their last 5 passwords.
Edit /etc/pam.d/system-auth and find the line that contains both "password" and "pam_unix.so"; set it to:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
This refuses reuse of the 5 most recently used passwords; the stored password history can be inspected in /etc/security/opasswd.
4. The number of failed login attempts must be limited to no more than 5; after more than 5 failures the account is temporarily locked for 20 minutes or more.
Check whether the system has the pam_tally2.so module; if it does not, use the pam_tally.so module instead:
find /lib* -iname "pam_tally2.so"
find /lib* -iname "pam_tally.so"
In the configuration file /etc/pam.d/sshd, add the following as the second line:
auth required pam_tally2.so deny=5 unlock_time=1200
To view a user's failed login count:
pam_tally2 --user xxx (user name)
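The four settings above are easy to get subtly wrong (a typo in an option name such as remember= silently disables the check). The following audit script is an added example, not part of the original post: it reads the three files the post edits and reports whether each of the four required values is present and compliant. With no arguments it runs on constructed sample files so the logic can be seen offline; the Red Hat style paths are an assumption.

```shell
#!/bin/sh
# Added audit helper, not from the original post: checks the three files the
# post edits for the four required values. With no arguments it runs on
# constructed sample files; pass LOGIN_DEFS SYSTEM_AUTH SSHD to audit real ones.

# pam_opt FILE MODULE OPTION: value of OPTION on the first uncommented line
# of FILE that names MODULE; prints nothing when the option is absent.
pam_opt() {
    grep -v '^[[:space:]]*#' "$1" | grep "$2" | head -n 1 |
        tr ' \t' '\n\n' | sed -n "s/^$3=//p" | head -n 1
}
# defs_val FILE KEY: value of KEY in a login.defs style file.
defs_val() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }
fail() { echo "FAIL: $1"; rc=1; }

# check_policy LOGIN_DEFS SYSTEM_AUTH SSHD: returns 0 only if all four pass.
check_policy() {
    rc=0
    # 1. complexity: minlen >= 8 and a negative credit (= required) for lower, digit, special
    minlen=$(pam_opt "$2" pam_cracklib.so minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 8 ] || fail "pam_cracklib minlen must be >= 8"
    for c in lcredit dcredit ocredit; do
        v=$(pam_opt "$2" pam_cracklib.so "$c")
        [ -n "$v" ] && [ "$v" -le -1 ] || fail "pam_cracklib $c must be -1 or lower"
    done
    # 2. maximum password age of 90 days
    max=$(defs_val "$1" PASS_MAX_DAYS)
    [ -n "$max" ] && [ "$max" -le 90 ] || fail "PASS_MAX_DAYS must be <= 90"
    # 3. history: pam_unix remember >= 5
    rem=$(pam_opt "$2" pam_unix.so remember)
    [ -n "$rem" ] && [ "$rem" -ge 5 ] || fail "pam_unix remember must be >= 5"
    # 4. lockout: at most 5 failures, locked for at least 1200 seconds
    deny=$(pam_opt "$3" pam_tally2.so deny)
    unl=$(pam_opt "$3" pam_tally2.so unlock_time)
    [ -n "$deny" ] && [ "$deny" -le 5 ] || fail "pam_tally2 deny must be <= 5"
    [ -n "$unl" ] && [ "$unl" -ge 1200 ] || fail "pam_tally2 unlock_time must be >= 1200"
    return $rc
}

# demo: constructed sample files using the post's values, except remember=3
demo() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n' > "$d/login.defs"
    printf 'password requisite pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1\n' > "$d/system-auth"
    printf 'password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3\n' >> "$d/system-auth"
    printf 'auth required pam_tally2.so deny=5 unlock_time=1200\n' > "$d/sshd"
    check_policy "$d/login.defs" "$d/system-auth" "$d/sshd" && echo "all checks passed" || echo "policy not compliant"
}
if [ "$#" -eq 3 ]; then check_policy "$@"; else demo; fi
```

The demo reports the remember=3 line as the one failing check; run it with the three real paths (as root, since /etc/pam.d files may be unreadable otherwise) to audit a live system.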
The most important and hardest part of pam_cracklib.so to understand is its parameters and how it counts credits; for the credit parameters below, a positive value is a length credit granted for that character class, while a negative value is the minimum number of characters of that class the password must contain (so the -1 values used above mean "at least one"). Its common parameters include:
debug: writes debug information to the log;
type=XXX: when adding or changing a password, the default prompts given by the system are "New UNIX password:" and "Retype UNIX password:"; with this parameter you can customize the prompt, for example type=your own word;
retry=n: defines how many times the user may retry when entering or changing a password fails;
difok=n: defines how many characters of the new password must differ from the old password. However, if more than half of the new password's characters differ from the old password, the new password is accepted anyway;
minlen=n: defines the minimum length of the user's password;
dcredit=n: defines how many numbers must be included in the user's password;
ucredit=n: defines how many uppercase letters must be included in the user's password;
lcredit=n: defines how many lowercase letters must be included in the user's password;
ocredit=n: defines how many special characters (characters other than numbers and letters) must be included in the user's password.
This article is from the "Day Up goto" blog; please keep this source link: http://ttxsgoto.blog.51cto.com/4943095/1633179
Password Policy in Linux