About Setting Password policies in linux

Due to work requirements, the company recently needed to set password policies on multiple Linux servers. The main task is to increase password complexity.

The procedure is as follows, for reference:

Before the operation, you need to understand the following basic points.

PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. It provides dynamic link libraries and a set of unified APIs that separate the services provided by the system from the authentication methods those services use, so that the system administrator can configure different authentication methods for different services as needed without changing the service programs. It also makes it easy to add new authentication methods to the system. PAM was originally integrated in Solaris and has since been ported to other systems, such as Linux, SunOS and HP-UX 9.0.

PAM can be configured through a single configuration file, /etc/pam.conf. RedHat also supports another configuration method, the directory /etc/pam.d/, which takes precedence over the single configuration file.

1. Using the configuration file /etc/pam.conf

This file consists of lines in the following format:
service-name module-type control-flag module-path arguments

service-name is the name of the service, such as telnet, login or ftp. The service name OTHER stands for all services not explicitly configured in this file.

module-type has four possible values: auth, account, session and password, corresponding to the four management groups supported by PAM. The same service can call several PAM modules for authentication; together these modules form a stack.

control-flag tells the PAM library how to handle the success or failure of the module for this service. It has four possible values: required, requisite, sufficient and optional.
required means the module must return success for authentication to pass. If the module fails, however, the failure is not reported to the user immediately; it is returned to the application only after all remaining modules in the same stack have run. It can be regarded as a necessary condition.
requisite is similar to required in that authentication can pass only if the module returns success. However, as soon as the module fails, no further modules in the stack are executed and control returns to the application directly. It is also a necessary condition. Note: only RedHat and Solaris support it.
sufficient means that success from this module is enough to satisfy the authentication requirement, and the remaining modules in the stack need not run. If the module fails, the failure is ignored. It can be regarded as a sufficient condition.
optional means the module is optional; its success or failure generally plays no decisive role in authentication, and its return value is usually ignored.
A newer control-flag syntax is supported from Linux-PAM 0.63 onward; see the Linux-PAM documentation.

module-path specifies the path of the program file for the module, normally as an absolute path. If no absolute path is given, the file is looked up under /usr/lib/security by default.

arguments are the parameters passed to the module. Each module generally defines its own parameters, which are up to the module's developers, but the following common parameters are also available:
debug: the module should use syslog() to write debugging information to the system log.
no_warn: the module should not send warning messages to the application.
use_first_pass: the module does not prompt the user for a password but uses the password obtained by the previous module.
try_first_pass: the module first tries the password obtained from the user by the previous module; if that fails, the user is prompted to enter a new password.
use_mapped_pass: the module does not prompt the user for a password but uses a mapped password.
expose_account: allows the module to display the user's account name and other information. It should only be used in a secure environment, because leaking user names poses a certain security risk.

2. Using the configuration directory /etc/pam.d/ (RedHat Linux only)

Each file in this directory is named after a service; for example, the ftp service corresponds to /etc/pam.d/ftp. If the service xxxx has no corresponding file /etc/pam.d/xxxx, it uses the default configuration file /etc/pam.d/other. Each file consists of text lines in the following format:
module-type control-flag module-path arguments
The meaning of each field is the same as in /etc/pam.conf.

Because the company uses RedHat Linux, I will use the pam.d configuration directory. Password complexity is enforced through the /etc/pam.d/system-auth file, so let's first look at its default content and back the file up:


In this file we will use the pam_cracklib.so module. pam_cracklib.so is a commonly used and important PAM module whose main purpose is to check the strength of user passwords: it checks and limits the length, complexity and history of the passwords users choose, and rejects a new password that does not meet the configured strength.

pam_cracklib.so is important but not easy to understand; it has a number of parameters and its own way of counting. Its common parameters include:
debug: write debugging information to the log;
type=xxx: when a password is added or changed, the default prompt is "New UNIX password:"; this option replaces the word UNIX in that prompt with xxx.

(Note) *credit=-1 means "at least one".
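To make the credit rule concrete, here is an added example (not part of the original article) that parses the pam_cracklib.so options from a system-auth line and checks candidate passwords against them. It re-implements pam_cracklib's minlen/*credit arithmetic in Python; the system-auth line and the passwords are constructed for this example.

```python
"""Added example (not from the original article): check candidate passwords
against the minlen/*credit options of a pam_cracklib.so line in system-auth.
This re-implements pam_cracklib's length/credit rule: a class with credit N >= 0
adds up to N to the effective length, while credit -N demands at least N
characters of that class and adds nothing. The line and passwords are constructed."""
import shlex

# Constructed /etc/pam.d/system-auth line; every *credit=-1 means "at least one".
SYSTEM_AUTH_LINE = ("password    requisite     pam_cracklib.so try_first_pass retry=3 "
                    "minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")

CLASSES = {"dcredit": ("digit", str.isdigit), "ucredit": ("uppercase", str.isupper),
           "lcredit": ("lowercase", str.islower)}

def parse_cracklib_options(line):
    """Return the module arguments of a pam_cracklib.so line as a dict.
    key=value arguments with numeric values become ints; bare flags become True."""
    fields = shlex.split(line)
    if len(fields) < 3 or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib.so line")
    opts = {}
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        if not sep:
            opts[key] = True
        else:
            opts[key] = int(value) if value.lstrip("-").isdigit() else value
    return opts

def cracklib_simple_check(password, opts):
    """Return None if the password satisfies minlen after credits, else the reason."""
    counts = {k: sum(1 for c in password if test(c)) for k, (_, test) in CLASSES.items()}
    counts["ocredit"] = len(password) - sum(counts.values())   # everything else
    required = opts.get("minlen", 9)          # pam_cracklib's default minlen
    for key, count in counts.items():
        credit = opts.get(key, 1)             # default credit is 1 per class
        if credit >= 0:
            required -= min(count, credit)    # each credited character shortens minlen
        elif count < -credit:
            name = CLASSES.get(key, ("other",))[0]
            return f"needs at least {-credit} {name} character(s)"
    if len(password) < required:
        return f"too short: effective minimum length is {required}"
    return None
```

With all four credits at -1, a password must contain one character of every class and still reach minlen on its own; with the default positive credits, a long single-class password can pass, which is why the article sets them negative.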

Then configure /etc/login.defs. This file mainly controls the password validity period. The PASS_MIN_LEN parameter no longer has any effect once the previous file has been configured. The other parameters:


PASS_MAX_DAYS 99999 # Maximum password validity in days; 99999 means the password never expires
PASS_MIN_DAYS 0 # Minimum number of days between password changes; 0 means the password can be changed at any time, a non-zero value means it cannot be changed again until that many days have passed
PASS_MIN_LEN 5 # Minimum password length; this parameter no longer takes effect when the pam_cracklib module is used
PASS_WARN_AGE 7 # Number of days before expiry on which the user is warned at login to change the password
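The PASS_* values above are applied when an account is created; accounts that already exist keep the aging fields stored in /etc/shadow. The following added example (not from the original article) compares a login.defs policy with shadow entries and builds the chage commands needed to bring existing accounts in line; both input files are constructed samples with placeholder hashes.

```python
"""Added example (not from the original article): report existing accounts whose
password-aging fields in /etc/shadow differ from the /etc/login.defs policy.
login.defs PASS_* values apply when an account is created; existing accounts keep
the min/max/warn days in /etc/shadow until changed with chage. Inputs are constructed."""

LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$PLACEHOLDER:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19100:1:90:7:::
bob:$6$PLACEHOLDER:19200::::::
svc-backup:*:19000:0:99999:7:::
"""

def parse_login_defs(text):
    """Return PASS_* settings as {name: int}; the last occurrence of a key wins."""
    defs = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].startswith("PASS_") and parts[1].isdigit():
            defs[parts[0]] = int(parts[1])
    return defs

def shadow_aging(text):
    """Yield (user, min, max, warn) for accounts with a hash; empty fields become None."""
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 9 and not f[1].startswith(("*", "!")):   # skip locked/no-password
            yield (f[0], *(int(x) if x.isdigit() else None for x in f[3:6]))

def aging_mismatches(login_defs_text, shadow_text):
    """Return {user: {field: (shadow_value, policy_value)}} for out-of-policy fields."""
    defs = parse_login_defs(login_defs_text)
    policy = {"min": defs.get("PASS_MIN_DAYS"), "max": defs.get("PASS_MAX_DAYS"),
              "warn": defs.get("PASS_WARN_AGE")}
    result = {}
    for user, *values in shadow_aging(shadow_text):
        diff = {k: (v, policy[k]) for k, v in zip(policy, values) if v != policy[k]}
        if diff:
            result[user] = diff
    return result

def chage_commands(login_defs_text, shadow_text):
    """Build the chage command that brings each mismatched account in line with policy."""
    d = parse_login_defs(login_defs_text)
    return [f"chage -m {d['PASS_MIN_DAYS']} -M {d['PASS_MAX_DAYS']} -W {d['PASS_WARN_AGE']} {u}"
            for u in aging_mismatches(login_defs_text, shadow_text)]
```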

After completing the settings, we can verify that password complexity is enforced when an existing user sets a password, as shown in the figure. If the password does not meet the complexity requirements, an error message is displayed:


If your password meets the complexity requirements, it is set normally.
