Original address: http://xmodulo.com/2013/12/set-password-policy-linux.html. Due to my limited level, if you have any questions, please leave a message to discuss or send me an email. Thank you!
The management of user accounts is one of the most important tasks of a system administrator. In particular, password security is a primary concern for any Linux system that claims to be secure. This tutorial shows how to enforce a strict password policy on Linux.
It assumes a recent Linux distribution that uses PAM (Pluggable Authentication Modules).
1. Preparation
Install the PAM module that enables cracklib support, which provides additional password-strength checks. Run the following command on Debian, Ubuntu, or Linux Mint:
sudo apt-get install libpam-cracklib
On CentOS, Fedora, or RHEL this module is installed by default, so nothing needs to be installed there.
To enforce a password policy, we modify the authentication-related file under /etc/pam.d. The change takes effect as soon as the file is saved.
Note that the password rules in this tutorial are enforced only when a password is changed by a non-root user; root is not subject to them.
2. Prevent reuse of old passwords
Find the line containing both "password" and "pam_unix.so" and append "remember=5" to it. This prevents the five most recently used passwords from being chosen again (the old hashes are kept in /etc/security/opasswd for comparison). Run the following command on Debian, Ubuntu, or Linux Mint:
sudo vi /etc/pam.d/common-password
Modification content:
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
Run the following command in Fedora, CentOS, or RHEL:
sudo vi /etc/pam.d/system-auth
Modification content:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
3. Set a minimum password length
Find the line containing both "password" and "pam_cracklib.so" and add "minlen=10" to it. This sets the minimum password length to 10, but note that minlen is a score rather than a raw character count: by default each character class present in the password earns one credit towards minlen, and there are four classes (uppercase, lowercase, digits, and symbols). So with minlen=10 and all four classes in use, a password as short as 6 characters is accepted. Run the following command on Debian, Ubuntu, or Linux Mint:
sudo vi /etc/pam.d/common-password
Modification content:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3
Run the following command in Fedora, CentOS, or RHEL:
sudo vi /etc/pam.d/system-auth
Modification content:
password requisite pam_cracklib.so retry=3 difok=3 minlen=10
4. Set password complexity
Find the line containing both "password" and "pam_cracklib.so" and add "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1" to it. This requires every new password to contain at least one uppercase letter, two lowercase letters, one digit, and one symbol. Run the following command on Debian, Ubuntu, or Linux Mint:
sudo vi /etc/pam.d/common-password
Modification content:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
Run the following command in Fedora, CentOS, or RHEL:
sudo vi /etc/pam.d/system-auth
Modification content:
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
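Steps 2 to 4 edit the same two PAM lines by hand and rely on pam_cracklib's credit arithmetic, which is easy to get wrong. The script below is an added example; it is not code from the xmodulo article or from the PAM project. set_pam_option applies one option to the matching "password" line of a PAM file without duplicating it when re-run (the demo works on a constructed copy of common-password, never the live file), and cracklib_check re-implements the minlen/credit rules as documented in pam_cracklib(8), so you can see that the step 3 settings accept a 6-character password while the step 4 settings reject it. The function names, the sample file and the test passwords are my own; difok and the dictionary check are not modelled.

```shell
#!/bin/sh
# Added example (not from the xmodulo article or the PAM project).
# Assumption: scoring follows pam_cracklib(8); difok and the dictionary
# check are intentionally left out.

# Idempotently set key=value on the "password ... MODULE" line of a PAM file.
# Existing key=... is replaced; a missing key is appended; other lines are kept.
set_pam_option() {
    file=$1 module=$2 opt=$3
    key=${opt%%=*}
    awk -v mod="$module" -v key="$key" -v opt="$opt" '
        $1 == "password" && index($0, mod) {
            found = 0
            for (i = 1; i <= NF; i++)
                if (index($i, key "=") == 1) { $i = opt; found = 1 }
            if (!found) $0 = $0 " " opt
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count the characters of one class: tr -cd keeps only that class, wc counts.
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# Usage: cracklib_check PASSWORD MINLEN UCREDIT LCREDIT DCREDIT OCREDIT
# Prints ACCEPT/REJECT with the reason; returns 0 on accept, 1 on reject.
cracklib_check() {
    pw=$1 minlen=$2 ucredit=$3 lcredit=$4 dcredit=$5 ocredit=$6
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    digit=$(count_class "$pw" '[:digit:]')
    other=$((len - upper - lower - digit))   # anything that is not a letter or digit
    score=$len
    for spec in "$upper:$ucredit:uppercase" "$lower:$lcredit:lowercase" \
                "$digit:$dcredit:digit" "$other:$ocredit:other"; do
        n=${spec%%:*}; rest=${spec#*:}; credit=${rest%%:*}; class=${rest#*:}
        if [ "$credit" -lt 0 ]; then
            # Negative credit: a hard minimum for this class, and no length bonus.
            need=$((0 - credit))
            if [ "$n" -lt "$need" ]; then
                echo "REJECT: needs at least $need $class character(s), has $n"
                return 1
            fi
        else
            # Non-negative credit: each character of this class adds 1 to the
            # score, capped at the credit value (the default credit is 1).
            bonus=$n
            if [ "$bonus" -gt "$credit" ]; then bonus=$credit; fi
            score=$((score + bonus))
        fi
    done
    if [ "$score" -lt "$minlen" ]; then
        echo "REJECT: score $score is below minlen $minlen"
        return 1
    fi
    echo "ACCEPT: score $score meets minlen $minlen"
    return 0
}

# Demo on a constructed copy of a Debian-style common-password file.
demo_file=$(mktemp)
printf '%s\n' \
  'password [success=1 default=ignore] pam_unix.so obscure sha512' \
  'password requisite pam_cracklib.so retry=3 minlen=8 difok=3' > "$demo_file"
set_pam_option "$demo_file" pam_unix.so remember=5
set_pam_option "$demo_file" pam_cracklib.so minlen=10
for o in ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1; do
    set_pam_option "$demo_file" pam_cracklib.so "$o"
done
cat "$demo_file"
rm -f "$demo_file"

# Step 3 settings (default credit of 1 per class): a 6-character password that
# uses all four classes scores 10 and is accepted.
cracklib_check 'Abcd1!' 10 1 1 1 1 || true
# Step 4 settings (negative credits): the same password is now too short, and a
# password without an uppercase letter fails the class minimum.
for pw in 'Abcd1!' 'abcdefghij1!' 'Abcdefghi1!'; do
    cracklib_check "$pw" 10 -1 -2 -1 -1 || true
done
```

To apply this on a real system, point set_pam_option at /etc/pam.d/common-password or /etc/pam.d/system-auth as root after taking a backup, and keep a separate root shell open while you test with passwd as an unprivileged user: a mistyped PAM line can prevent every password change, and mv replaces the file, so check ownership and mode afterwards.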
5. Set the password validity period
To set a maximum validity period for passwords, edit the following variables in /etc/login.defs:
sudo vi /etc/login.defs
Modification content:
PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
This forces every user to change their password about every six months, and the user is shown a warning seven days before the password expires and again after it has expired (the user may even be forced to change the password at login, otherwise access to the system is denied; this is something I have seen in Linux programming, not a point from the original author). To apply password aging per user instead, use the chage command. To view the password expiry settings of a particular user, run:
sudo chage -l xmodulo
Note: xmodulo is the user name the original author used on Linux. The output looks like this:
Last password change : Dec 30, 2013
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
By default, a user's password never expires. The following command changes the validity settings for the user xmodulo:
$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo
The above command sets an expiration date of June 30, 2014 (-E), and the minimum and maximum intervals between password changes to 5 and 90 days (-m and -M). Once the password has expired, the account is locked after a further 30 days (-I), and a warning is shown 14 days before the password expires (-W).
The following is an example:
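The chage options above are stored in the aging fields of /etc/shadow, and it is worth seeing how login evaluates them, in particular that -E goes into the account-expiry field and is checked independently of the password. As an added example (not from the original article, and not the chage source), shadow_status interprets one shadow entry according to shadow(5): field 3 is the day of the last change, 4 and 5 the minimum and maximum days, 6 the warning days, 7 the inactivity grace and 8 the account expiry, all counted in days since 1970-01-01. The entry xmodulo:!:16000:5:90:14:30:16251: is constructed to match the chage command above (-m 5 -M 90 -I 30 -W 14; day 16251 is 2014-06-30, which is where -E 6/30/2014 lands) with a made-up last-change day of 16000; the "today" values are likewise chosen by hand, and the function name is mine.

```shell
#!/bin/sh
# Added example (not from the xmodulo article or the shadow-utils project).
# Evaluates the aging fields of one /etc/shadow entry the way login does per shadow(5).
# Field layout (colon separated):
#   1 login  2 hash  3 lastchg  4 min  5 max  6 warn  7 inactive  8 expire
# Usage: shadow_status "<shadow line>" TODAY   (TODAY = days since 1970-01-01)
# Prints one of: ok, warning, expired, locked, account-expired, must-change
shadow_status() {
    line=$1 today=$2
    # cut keeps empty fields, and an empty field means "not set".
    lastchg=$(printf '%s' "$line" | cut -d: -f3)
    max=$(printf '%s' "$line" | cut -d: -f5)
    warn=$(printf '%s' "$line" | cut -d: -f6)
    inactive=$(printf '%s' "$line" | cut -d: -f7)
    expire=$(printf '%s' "$line" | cut -d: -f8)

    # Account expiry (chage -E) is checked first and is independent of the password.
    if [ -n "$expire" ] && [ "$today" -gt "$expire" ]; then
        echo "account-expired"; return 0
    fi
    # lastchg=0 forces a password change at the next login (chage -d 0).
    if [ "$lastchg" = "0" ]; then echo "must-change"; return 0; fi
    # An empty max, or the 99999 default, means the password never expires.
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo "ok"; return 0; fi

    expires_on=$((lastchg + max))
    if [ "$today" -gt "$expires_on" ]; then
        # Past expiry: after another $inactive days the account is locked (chage -I).
        if [ -n "$inactive" ] && [ "$today" -gt $((expires_on + inactive)) ]; then
            echo "locked"; return 0
        fi
        echo "expired"; return 0
    fi
    # Inside the warning window (chage -W / PASS_WARN_AGE).
    if [ -n "$warn" ] && [ "$today" -ge $((expires_on - warn)) ]; then
        echo "warning"; return 0
    fi
    echo "ok"
}

# Constructed entry matching: chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo
# with a made-up last password change on day 16000 (password expires on 16090).
entry='xmodulo:!:16000:5:90:14:30:16251:'
for today in 16050 16080 16100 16130 16300; do
    printf 'day %s: %s\n' "$today" "$(shadow_status "$entry" "$today")"
done
# The distribution default (max 99999, no expiry) never ages out.
printf 'default entry: %s\n' "$(shadow_status 'bob:!:16068:0:99999:7:::' 20000)"
```

Run it as an unprivileged user: it only reads the constructed strings, so it never needs access to the real /etc/shadow. To audit a live system, feed it `getent shadow USER` as root and `$(( $(date +%s) / 86400 ))` as today.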