About the Linux system password policy settings

Source: Internet
Author: User
Tags: system, log

Recently, for work, I had to configure the password policy on several of the company's Linux servers; the main goal was to increase password complexity.

The steps are as follows, for anyone who needs them:

Before starting, it helps to know a few basics (not strictly required, but learning them does no harm):

PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. By providing a set of dynamic link libraries and a unified API, it separates the services a system provides from the authentication of those services, so that system administrators can flexibly configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can easily be added to the system. PAM was originally integrated into Solaris and has since been ported to other systems such as Linux, SunOS and HP-UX 9.0.

PAM is configured either through a single configuration file, /etc/pam.conf, or (a different layout that Red Hat also supports) through the directory /etc/pam.d/, which takes priority over the single file.

1. Using the configuration file /etc/pam.conf

The file is made up of lines of the following form:
service-name module-type control-flag module-path arguments
service-name is the name of the service, such as telnet, login, ftp, etc. The service name "other" stands for all services not explicitly configured in the file.
module-type has four values: auth, account, session and password, corresponding to the four kinds of management PAM supports. The same service can invoke multiple PAM modules for authentication, and these modules form a stack.
control-flag tells the PAM library how to handle the success or failure of the PAM module associated with the service. It has four possible values: required, requisite, sufficient and optional.
required means this module must return success for authentication to pass; if the module fails, the user is not notified immediately: the failure is reported to the application only after all modules in the same stack have finished executing. It can be considered a necessary condition.
requisite is similar to required: the module must return success for authentication to pass, but as soon as this module fails, no further modules in the same stack are executed and control returns directly to the application. It is a necessary condition. Note: this is only supported by Red Hat; Solaris does not support it.
sufficient means that success of this module is enough to satisfy the authentication requirement, and no further modules in the same stack are executed; a failure of this module can be ignored. It can be considered a sufficient condition.
optional means this module is optional: its success generally plays no decisive role in authentication, and its return value is generally ignored.
A new control-flag syntax is supported from Linux-PAM 0.63 onward; see the Linux-PAM documentation for details.
module-path gives the path of the program file for this module. An absolute path is normally used; if no absolute path is given, the file is looked up under the directory /usr/lib/security by default.
arguments are the parameters passed to the module. In general each module has its own parameters, which the module's developer may define freely, but there are several common ones:
debug: the module should use syslog() to write debug information to the system log.
no_warn: the module should not send warning messages to the application.
use_first_pass: the module must not prompt the user for a password, but should use the password obtained from the user by the previous module.
try_first_pass: the module should first use the password obtained from the user by the previous module, and prompt the user for a password if that one is not accepted.
use_mapped_pass: the module must not prompt the user for a password, but uses a mapped password instead.
expose_account: allows the module to display information such as the user's account name; generally used only in a secure environment, because leaking user names poses a certain degree of security risk.

2. Using the configuration directory /etc/pam.d/ (Red Hat Linux only)

The name of each file in the directory corresponds to a service name; for example, the ftp service corresponds to the file /etc/pam.d/ftp. If the configuration file /etc/pam.d/xxxx for a service named xxxx does not exist, the service uses the default file /etc/pam.d/other. Each file is composed of text lines in the following format:
module-type control-flag module-path arguments
Each field has the same meaning as in /etc/pam.conf.


Since the company uses Red Hat Linux, I will use the pam.d configuration directory. Password complexity is implemented in the file /etc/pam.d/system-auth, so let's first look at its defaults and then back up the file with one of the following:


In this file we will use the pam_cracklib.so module. pam_cracklib.so is a common and very important PAM module. Its main function is to check the strength of the user's password: it checks and limits the length, complexity and history of user-chosen passwords, and rejects passwords that do not meet the configured strength.

The most important, and hardest to understand, part of pam_cracklib.so is its parameters and the way they are counted. Its common parameters include:
debug: writes debug information to the log;
type=XXX: when adding or changing a password, the default prompts given by the system are "New Unix password:" and "Retype Unix password:"; with this parameter you can customize the password prompt, for example by specifying type=your own word;
retry=n: defines how many times the user may retry if entering or changing the password fails;
difok=n: defines how many characters of the new password must differ from the old password. However, if more than half of the new password's characters differ from the old password, the new password is accepted;
minlen=n: defines the minimum length of the user's password;
dcredit=n: defines how many digits must be included in the user's password;
ucredit=n: defines how many uppercase letters must be included in the user's password;
lcredit=n: defines how many lowercase letters must be included in the user's password;
ocredit=n: defines how many special characters (anything other than digits and letters) must be included in the user's password;

According to my needs, I set the password policy as follows: the password must contain at least one lowercase letter, one digit and one special character, and be at least 7 characters long. Add the following to the system-auth file, then save and exit:

(Note) *credit=-1 means "at least one" character of that class.
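As an added example (not from the original post), here is a POSIX shell script that does the two steps above in one go: it backs up system-auth and then rewrites its pam_cracklib.so line with the post's policy. The option values minlen=7, lcredit=-1, dcredit=-1 and ocredit=-1 are taken from the policy the post describes; retry=3 and try_first_pass are assumed to be carried over from the usual Red Hat default line. In pam_cracklib a negative *credit value is a hard minimum for that character class, while a value of 0 or more is only a credit added to the counted length, which is why -1 is used here.

```shell
#!/bin/sh
# Added example: back up a PAM file and set the pam_cracklib.so options for
# the policy described in the post. Assumed values: minlen=7, lcredit=-1,
# dcredit=-1, ocredit=-1 (the post's policy); retry=3 and try_first_pass are
# kept from the usual Red Hat default line.
POLICY_OPTS="try_first_pass retry=3 minlen=7 lcredit=-1 dcredit=-1 ocredit=-1"

# backup_file FILE: copy FILE to FILE.bak.<timestamp> and print the backup name
backup_file() {
    file=$1
    bak="$file.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$file" "$bak" && printf '%s\n' "$bak"
}

# apply_policy FILE: rewrite the "password ... pam_cracklib.so" line with
# POLICY_OPTS; the control flag (requisite/required) is left as it is.
# Fails without touching FILE when no such line exists, because a line
# appended at the end would sit after pam_unix.so in the password stack.
apply_policy() {
    file=$1
    tmp="$file.tmp.$$"
    if awk -v opts="$POLICY_OPTS" '
        $1 == "password" && $3 == "pam_cracklib.so" {
            print $1 "\t" $2 "\t" $3 "\t" opts
            found = 1
            next
        }
        { print }
        END { exit found ? 0 : 1 }
    ' "$file" > "$tmp"; then
        # write through the existing file (not mv) to keep its mode and owner
        # and to follow a symlink such as system-auth -> system-auth-ac
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        rm -f "$tmp"
        echo "no pam_cracklib.so password line in $file; nothing changed" >&2
        return 1
    fi
}

# check_policy FILE: succeed only if the cracklib line carries every option
# of the intended policy
check_policy() {
    file=$1
    line=$(grep -E '^password[[:space:]]+(requisite|required)[[:space:]]+pam_cracklib\.so' "$file" | tr '\t' ' ')
    [ -n "$line" ] || return 1
    for opt in minlen=7 lcredit=-1 dcredit=-1 ocredit=-1; do
        case " $line " in
            *" $opt "*) ;;
            *) return 1 ;;
        esac
    done
}

# Usage: sh set_cracklib_policy.sh /etc/pam.d/system-auth
if [ $# -eq 1 ]; then
    backup_file "$1" && apply_policy "$1" && check_policy "$1" && echo "policy applied to $1"
fi
```

On Red Hat systems /etc/pam.d/system-auth is commonly a symlink to system-auth-ac, which authconfig regenerates, so check with ls -l before editing and re-run check_policy after any authconfig run; the script writes through the symlink rather than replacing it for that reason.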

Next, configure login.defs. This file mainly sets password expiry; since we have already configured the previous file, the PASS_MIN_LEN parameter here no longer takes effect. Other


PASS_MAX_DAYS 99999 # maximum password validity in days; 99999 means it never expires
PASS_MIN_DAYS 0 # whether the password may be changed; 0 means it can be changed at any time, otherwise the number of days that must pass before it may be changed
PASS_MIN_LEN 5 # minimum password length; no longer effective once the pam_cracklib module is used
PASS_WARN_AGE 7 # how many days before expiry the user is told at login to change the password

Once the settings are complete, we can verify them: when a user that already exists on the system sets a password, the complexity rules are enforced, and a password that does not meet them is rejected with an error message like the one shown here:


If the password meets the complexity requirements, it is set successfully.
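To make the counting rule behind the *credit parameters concrete, here is an added example (not from the post) that re-implements pam_cracklib's length-and-credit check in shell and runs the post's policy against a few constructed sample passwords, so you can see in advance which ones passwd would accept. The rule it implements is the one pam_cracklib uses: a *credit value of 0 or more lets each character of that class add one to the counted length, up to that value; a negative value is a hard minimum for the class and adds nothing; the counted length must reach minlen. The policy values are the post's; ucredit is assumed to be left at pam_cracklib's default of 1.

```shell
#!/bin/sh
# Added example: re-implementation of pam_cracklib's minlen/credit rule so the
# post's policy can be tried offline. It covers only the length/credit check;
# the module's dictionary, palindrome and difok checks are not reproduced.
#
# Rule: for each character class, a *credit value N >= 0 adds up to N to the
# counted length (one per character of that class, capped at N); a negative N
# requires at least |N| characters of that class and adds nothing. The counted
# length must reach minlen.

# count_class STRING CLASS: number of characters of tr class CLASS
# (e.g. '[:digit:]') in STRING
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# password_meets_policy PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Returns 0 when the password passes the length/credit rule, 1 otherwise.
password_meets_policy() {
    pw=$1 minlen=$2 dcredit=$3 ucredit=$4 lcredit=$5 ocredit=$6
    total=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '[:digit:]')
    uppers=$(count_class "$pw" '[:upper:]')
    lowers=$(count_class "$pw" '[:lower:]')
    others=$((total - digits - uppers - lowers))   # anything that is not a digit or letter
    size=$total
    for pair in "$digits:$dcredit" "$uppers:$ucredit" "$lowers:$lcredit" "$others:$ocredit"; do
        have=${pair%%:*}
        credit=${pair##*:}
        if [ "$credit" -lt 0 ]; then
            # negative credit: a hard minimum for this class, no length bonus
            [ "$have" -ge $((0 - credit)) ] || return 1
        elif [ "$have" -lt "$credit" ]; then
            size=$((size + have))
        else
            size=$((size + credit))
        fi
    done
    [ "$size" -ge "$minlen" ]
}

# Constructed sample passwords checked against the post's policy
# (minlen=7 dcredit=-1 lcredit=-1 ocredit=-1; ucredit at its default of 1)
demo() {
    for pw in 'abcd1!x' 'Abcd1!' 'abc1!' 'ABCDEFG1!' 'abcdefgh'; do
        if password_meets_policy "$pw" 7 -1 1 -1 -1; then
            echo "accepted: $pw"
        else
            echo "rejected: $pw"
        fi
    done
}

demo
```

The second sample shows the credit effect: 'Abcd1!' is only six characters, but the uppercase letter earns one credit under ucredit=1, so its counted length reaches 7 and it passes; setting ucredit=0 would make it fail. The samples without a lowercase letter or without a digit are rejected regardless of length because -1 is a hard minimum, not a credit.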


