For how to set password policies in linux

Source: Internet
Author: User
Tags ssh access strong password

For how to set password policies in linux

Due to work requirements, the company needs to set password policies for multiple linux servers recently. The main content is to increase password complexity.

The procedure is as follows. If not, you can refer:

You need to master the following simple knowledge points before the operation)

PAM (Pluggable Authentication Modules) is an Authentication mechanism proposed by Sun. It provides dynamic link libraries and a set of unified APIs to separate the services provided by the system from the authentication methods of the service, this allows the system administrator to configure different authentication methods for different services as needed without changing the service program. It also facilitates adding new authentication methods to the system. PAM was originally integrated in Solaris and has been ported to other systems, such as Linux, SunOS, HP-UX 9.0, etc.

PAM is configured through a single configuration file/etc/pam. conf. RedHat also supports another configuration method, that is, by configuring the directory/etc/pam. d/, and this priority is higher than that of a single configuration file.

1. Use the configuration file/etc/pam. conf.

This file is composed of the following rows:
Service-name module-type control-flag module-path arguments
Service-name indicates the service name, such as telnet, login, and ftp. The service name "OTHER" indicates all OTHER services that are not explicitly configured in this file.
There are four module types: auth, account, session, and password, which correspond to the four management modes supported by PAM. The same service can call multiple PAM modules for authentication. These modules constitute a stack.
Control-flag is used to tell the PAM library how to handle the success or failure of the PAM module related to the service. It has four possible values: required, requisite, sufficient, and optional.
Required indicates that this module must return a successful response to pass authentication. However, if this module returns a failure, the failure result will not be immediately notified to the user, instead, the failure result is returned to the application after all the modules in the same stack are executed. It can be considered as a necessary condition.
Similar to required, requisite and required can pass authentication only after the module returns a successful result. However, once the module returns a failure, no modules in the same stack will be executed, instead, the control is directly returned to the application. Is a necessary condition. Note: Only RedHat and Solaris are supported.
Sufficient indicates that the returned result of this module is successful enough to pass the identity authentication requirement. You do not have to execute other modules in the same stack. However, if the returned result of this module fails, ignore it. It can be considered as a sufficient condition.
Optional indicates that this module is optional. Its success or failure generally does not play a key role in identity authentication, and its return value is generally ignored.
For control-flag, a new syntax is supported from the Linux-PAM-0.63 version, see the LinuxPAM documentation.
Module-path is used to specify the path name of the program file corresponding to this module. Generally, the absolute path is used. If no absolute path is provided, the file is under the/usr/lib/security directory by default.
Arguments is a parameter passed to this module. Generally, the parameters of each module are different and can be defined by the developers of this module. However, the following common parameters are also available:
Debug this module should use syslog () to write debugging information to the system log file.
No_warn indicates that the module should not send the warning information to the application.
Use_first_pass indicates that the module does not prompt the user to enter the password. Instead, use the password obtained from the previous module.
Try_first_pass indicates that the module should first use the password obtained from the user from the previous module. If the verification fails, the user is prompted to enter a new password.
Use_mapped_pass this module does not prompt the user to enter the password, but uses the ing password.
Expose_account allows this module to display the user's account name and other information. It can only be used in a secure environment, because the leakage of user names poses a certain level of security threat.

2. Use the configuration directory/etc/pam. d/(only applicable to RedHat Linux)

The name of each file in the directory corresponds to the service name, for example, the ftp service corresponds to the file/etc/pam. d/ftp. If the configuration file/etc/pam. d/xxxx corresponding to the service named xxxx is not stored, the Service uses the default configuration file/etc/pam. d/other. Each file consists of text lines in the following format:
Module-type control-flag module-path arguments
The meaning of each field is the same as that in/etc/pam. conf.

Because the company uses RedHat linux, I will use the pam. d configuration directory. The password complexity is implemented through the/etc/pam. d/system-auth file. Therefore, let's take a look at the default content and back up this file:

In this file, we will use the module. is a commonly used and important PAM module. This module is mainly used to detect the robustness of user passwords. Checks and limits the length, complexity, and history of user-defined passwords. If the password does not meet the above strength, it will be rejected. is important and difficult to understand. It has some parameters and counting methods. Its common parameters include:
Debug: Write debugging information into logs;
Type = xxx: When you add or modify a password, the system provides the default prompt "New UNIX password:" and "Retype UNIX
Password: ", and you can use this parameter to customize the input password prompt, for example, specifying type = your own word;
Retry = N: defines the number of retries allowed when logon/password change fails;
Difok = N: the new password must contain several characters different from the old one. However, if the new password contains more than 1/2 characters different from the old one, the new password will be accepted;
Minlen = N: defines the minimum length of the user password;
Dcredit = N: defines the number of digits in the user password;
Ucredit = N: defines the number of uppercase letters in the user password;
Lcredit = N: defines the number of lowercase letters in the user password;
Ocredit = N: defines the number of special characters (except numbers and letters) that a user password must contain );

According to my needs, I set the password policy as follows: it must contain at least one lowercase letter, number, and special character. The password must contain at least seven characters. Add the following content to the system-auth file, save and exit:

(Note) * credit =-1 indicates at least one meaning.

Then configure login. defs. This file mainly configures the password validity period. The PASS_MIN_LEN parameter does not work here after we configure the previous file. Others

PASS_MAX_DAYS 99999 # Maximum Password validity period, 99999: Permanent
PASS_MIN_DAYS 0 # indicates whether the password can be changed. If the password is set to 0, the password can be changed. If the password is set to not 0, the password can be changed.
PASS_MIN_LEN 5 # minimum password length. This parameter is no longer valid when pam_cracklib module is used.
PASS_WARN_AGE 7 # How many days before the password expires when the user logs on to notify the user to change the password

After completing the settings, we can verify whether the complexity of the password is forcibly verified by existing users in the system when setting the password, as shown in. If the complexity of the password does not meet the requirements, an error message is prompted:

If your password complexity is met, you can set the password normally.

Linux red hat5 (Enterprise Edition) password policy configuration and startup

1. Linux System User Account Policy
Edit/etc/pam. d/system-auth and add the following statement.
Auth required/lib/security/$ ISA/ deny = 5
Account required
Description of this statement: the maximum number of logon attempts is 6. You can only contact the administrator if the password is exceeded.

2. Password Policy
2.1 edit/etc/login. defs to specify the values of the following parameters.
The parameter is worth noting: PASS_MAX_DAYS (set the Password Expiration Date)
PASS_MIN_DAYS (set the minimum password change date)
PASS_MIN_LEN (Minimum Password Length) refers to the minimum password length, which is generally defined as more than 8 characters
2.2 set the number of failed logon attempts and lock time for the Account
Edit/etc/pam. d/system-auth first cp/etc/pam. d/system-auth/etc/pam. d/system-auth.bak
# Vi/etc/pam. d/system-auth
Auth required onerr = fail deny = 6 unlock_time = 300.
Explanation: Set the bit password to be locked for six consecutive times. The lock time is 300 seconds.
Unlock user faillog-u <User Name>-r
2.3 set the complexity of the password.
Edit/etc/pam. d/system-auth first cp/etc/pam. d/system-auth/etc/pam. d/system-auth.bak
# Vi/etc/pam. d/system-auth
Find and add the following parameters,
Example: password requisite minlen = 8 ucredit =-2 lcredit =-2 dcredit =-5 ocredit =-1
It must contain at least 2 upper-case letters, 2 lower-case characters, 5 digits, and 1 symbol.
2.4 restrict su Permissions
If you don't want anyone to use su as root, you can edit the/etc/pam. d/su file and add the following two lines:
Auth sufficient/lib/security/ debug
Auth required/lib/security/pam_wheel ...... full text>

In LINUX, how does one set strong passwords (High Security )?

The password in/etc/shadow can be replaced by sha256sum in md5sum mode. This improves the security and prevents the md5sum from being intercepted and a usable password from being collided.

Then there is the issue of strong passwords. This is not about how to set the system, but about how to set the user.
It must be at least 12 bytes, And the administrator privilege must be more than 16 bytes. It is best to use a mix of uppercase and lowercase letters and numbers. It is best to generate randomly.

In addition, there are other security settings.
For example, to prohibit remote telnet access, only ssh access is allowed. Then, ssh is bound to a certificate instead of a password, and root remote login is prohibited.
The rest is the security settings of various other services. For example, apache sets to prohibit code from accessing data outside the web directory, ftp also controls permissions, and the database restricts access to the source IP address.

These are all details. A strong password is not an improvement in security because it is necessary for computer system security.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.