[Email protected] ~]# cat /etc/login.defs
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# REQUIRED
#   Directory where mailboxes reside, or name of file, relative to the
#   home directory. If you do define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	5
PASS_WARN_AGE	7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN	500
UID_MAX	60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN	500
GID_MAX	60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local
#
# If useradd should create home directories for users by default.
# On RH systems, we do. This option is overridden with the -m flag on
# the useradd command line.
#
CREATE_HOME	yes
# The permission mask is initialized to this value. If not specified,
# the permission mask is initialized to 022.
UMASK	077
# This enables userdel to remove the user groups if no members exist.
#
USERGROUPS_ENAB	yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD	SHA512
In Linux, there are several ways to set password complexity.
- One is the /etc/login.defs file, which has several relevant options:
PASS_MAX_DAYS #maximum password age in days
PASS_MIN_DAYS #minimum password age in days
PASS_MIN_LEN #minimum password length
PASS_WARN_AGE 7 #number of days of warning before a password expires
- Another way is to modify the /etc/pam.d/system-auth file.
Find the line "password requisite pam_cracklib.so" and replace it with the following:
password requisite pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict
Do not add .pwd after pw_dict, because the suffix is appended by default. If you do add it, passwd fails like this:
[Email protected] ~]# passwd test
Changing password for user test.
New password:
/usr/share/cracklib/pw_dict.pwd.pwd: No such file or directory
Parameter meaning:
Number of attempts (retry): 5
Minimum different characters (difok): 3
Minimum password length (minlen): 10
Minimum capital letters (ucredit=-1): 1
Minimum lowercase letters (lcredit=-3): 3
Minimum digits (dcredit=-3): 3
Password dictionary (dictpath): /usr/share/cracklib/pw_dict
Once this is set up you can test it, but you must log out of root first: the root user is not subject to these restrictions and can set any password.
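The length and character-class rules of the pam_cracklib line above can be modelled offline to see which candidate passwords it accepts. This is an added example, not part of the original page or of pam_cracklib; the function names are hypothetical, the defaults for omitted options are those documented in pam_cracklib(8), and the dictionary, difok and retry checks are not modelled. It also handles non-negative credits, which the page's line leaves at the default for ocredit.

```python
# Added example: models pam_cracklib's minlen/credit rules only
# (no dictionary lookup, no difok or retry handling).
import shlex

# The replacement line from the page.
PAM_LINE = ("password requisite pam_cracklib.so retry=5 difok=3 minlen=10 "
            "ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict")

# Defaults documented in pam_cracklib(8) for options the line omits.
DEFAULTS = {"minlen": 9, "ucredit": 1, "lcredit": 1, "dcredit": 1, "ocredit": 1}


def parse_options(line):
    """Return the integer minlen/credit options of a pam_cracklib line."""
    opts = dict(DEFAULTS)
    for token in shlex.split(line)[3:]:      # skip type, control, module
        key, _, value = token.partition("=")
        if key in opts:
            opts[key] = int(value)
    return opts


def check(password, opts):
    """Return a list of rule violations (an empty list means accepted)."""
    counts = {
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "dcredit": sum(c.isdigit() for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    problems, required = [], opts["minlen"]
    for name, seen in counts.items():
        credit = opts[name]
        if credit >= 0:
            # N >= 0: up to N characters of this class reduce the required length
            required -= min(seen, credit)
        elif seen < -credit:
            # N < 0: at least |N| characters of this class are mandatory
            problems.append(f"{name}: need {-credit}, found {seen}")
    if len(password) < required:
        problems.append(f"length: need {required}, found {len(password)}")
    return problems
```

Because ocredit is left at its default of 1, a 9-character password containing one special character still satisfies minlen=10; set ocredit=0 or a negative value if that is not intended.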
Password complexity principles: numbers, uppercase, lowercase, special characters
Examples are as follows:
15. login.defs (default): login and Linux default permission settings (password complexity, related security settings)