Linux Account Password Expiration security policy settings, linux Account Expiration Policy

Source: Internet
Author: User


In Linux system administration you sometimes need to set the password complexity (length), the password expiration policy and similar restrictions on user accounts. These are mainly controlled by parameters in the file /etc/login.defs, which governs how user accounts are created. The parameters are as follows:

/etc/login.defs:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
 
 
PASS_MAX_DAYS 60 # Maximum password validity period in days. 60 means the password expires after 60 days; 99999 means it never expires.
PASS_MIN_DAYS 0 # Minimum number of days between two password changes. 0 means the password can be changed at any time.
PASS_MIN_LEN 8 # Minimum password length; not enforced for root.
PASS_WARN_AGE 7 # Number of days of warning given before the password expires.
 
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000
 
UID_MIN # minimum user ID
UID_MAX # maximum user ID
 
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000
 
GID_MIN # minimum value of group ID
GID_MAX # maximum group ID
 
 
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local
 
USERDEL_CMD # Commented out by default. If defined, this command is run when a user is deleted and should remove any at/cron/print jobs and similar resources owned by that user (the user name is passed as the first argument).
 
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes
 
CREATE_HOME # Whether useradd creates the user's home directory by default.
 
 
# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077
 
UMASK # Initial value of the permission mask (umask).
 
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
 
USERGROUPS_ENAB # When enabled, userdel also removes the user's group if no other members remain in it.
 
# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes
 
ENCRYPT_METHOD MD5   
 
ENCRYPT_METHOD # Algorithm used to hash stored user passwords (despite the option's name, passwords are hashed, not encrypted). Here it is MD5.

Changes to /etc/login.defs take effect immediately, but only for accounts created after the change; existing accounts keep the aging values already written to their /etc/shadow entries. For example, after modifying PASS_MAX_DAYS, create a user named test:

[root@DB-Server home]# useradd test
[root@DB-Server home]# cat /etc/shadow | grep test
test:!!:16971:0:60:7:::
[root@DB-Server home]# cat /etc/passwd | grep test
test:x:501:501::/home/test:/bin/bash
[root@DB-Server home]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : Aug 18, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
[root@DB-Server home]# 

Because CREATE_HOME is yes, creating the user test also creates the directory /home/test by default. These defaults for new users can be viewed or modified in the useradd defaults file /etc/default/useradd.

[root@DB-Server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home # home directories are created under /home
INACTIVE=-1 # number of days after a password expires before the account is disabled; -1 disables this
EXPIRE= # account expiration date; if left empty, the account never expires
SHELL=/bin/bash # default login shell
SKEL=/etc/skel # skeleton directory: when a user is added, the files in this directory are copied into the new home directory
CREATE_MAIL_SPOOL=yes

If the user test has a special requirement that its password never expire, use the chage command (the chage command itself is not covered here):

[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : Aug 18, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# chage -M 99999 test
[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@DB-Server ~]# 
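As an added example that is not part of the original post, the following shell script audits shadow-format records against a PASS_MAX_DAYS policy. It flags accounts created before the policy was tightened (their fifth field still carries the old maximum), accounts whose maximum age was set to 99999 with chage -M as shown above, and accounts whose password has already expired. It reads constructed sample records rather than /etc/shadow, the function names audit_shadow_aging and audit_sample are my own, and "today" is passed in as a day number (days since 1970-01-01, the unit /etc/shadow uses) so the result does not depend on the clock.

```shell
# Added example, not code from the original post.
# audit_shadow_aging POLICY_MAX_DAYS TODAY_DAYNUM
# Reads /etc/shadow-format lines from stdin and prints "user:verdict" per account.
audit_shadow_aging() {
    policy_max="$1"
    today="$2"
    while IFS=: read -r user hash lastchg mindays maxdays warn inactive expire rest; do
        [ -n "$user" ] || continue
        if [ -z "$maxdays" ] || [ "$maxdays" -ge 99999 ]; then
            # Field 5 empty or 99999: the password never expires (chage -M 99999).
            echo "$user:never-expires"
        elif [ "$maxdays" -gt "$policy_max" ]; then
            # Created before PASS_MAX_DAYS was lowered; still carries the old value.
            echo "$user:exceeds-policy($maxdays>$policy_max)"
        elif [ $(( lastchg + maxdays )) -lt "$today" ]; then
            # Last change plus maximum age is already in the past.
            echo "$user:expired"
        else
            echo "$user:ok"
        fi
    done
}

# Constructed sample records (hashes are placeholders, not real accounts).
# Day 16971 is 2016-06-19, matching the "test" account shown in the post.
SAMPLE_SHADOW='root:$6$abc$placeholder:16900:0:99999:7:::
test:!!:16971:0:60:7:::
olduser:$6$def$placeholder:16800:0:99999:7:::
legacy:$6$ghi$placeholder:16900:0:90:7:::
stale:$6$jkl$placeholder:16800:0:60:7:::'

# Run the audit over the sample with PASS_MAX_DAYS 60 on day 16971.
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow_aging 60 16971
}

audit_sample
```

On a real system, run it as root with /etc/shadow on stdin and pass `$(( $(date +%s) / 86400 ))` as the second argument; the "exceeds-policy" verdicts are the accounts that a change to PASS_MAX_DAYS alone did not touch and that need chage -M applied.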

As shown above, /etc/login.defs only controls the minimum password length and the password validity period. How does Linux check the complexity of a user's password? The system actually controls the password in two parts:

1. cracklib

2. /etc/login.defs

pam_cracklib.so (/lib/security/pam_cracklib.so) is the key module for enforcing password complexity. Red Hat developed the cracklib package specifically to check password strength. To view the parameters of pam_cracklib, run the following command:

[root@DB-Server security]# man pam_cracklib

Some common parameters are as follows:
 
retry=N
The number of times the user is prompted for a new password. The default is 1, meaning that if the password entered is not strong enough, the command exits. Use this option to allow several attempts instead of starting over.
 
              Prompt user at most N times before returning with error. The
              default is 1
 
minlen=N
Minimum acceptable length of the new password.
 
              The minimum acceptable size for the new password (plus one if
              credits are not disabled which is the default). In addition to the
              number of characters in the new password, credit (of +1 in length)
              is given for each different kind of character (other, upper, lower
              and digit). The default for this parameter is 9 which is good for a
              old style UNIX password all of the same type of character but may
              be too low to exploit the added security of a md5 system. Note that
              there is a pair of length limits in Cracklib itself, a "way too
              short" limit of 4 which is hard coded in and a defined limit (6)
              that will be checked without reference to minlen. If you want to
              allow passwords as short as 5 characters you should not use this
              module.
 
difok=N
The default value is 10. This parameter is the number of characters in the new password that must not appear in the old password. However, if at least half of the characters in the new password differ from the old one, the new password is accepted anyway.
 
 
              This argument will change the default of 5 for the number of
              characters in the new password that must not be present in the old
              password. In addition, if 1/2 of the characters in the new password
              are different then the new password will be accepted anyway.
 
dcredit=N
Controls digits in the new password: with N >= 0, up to N digits each count as one credit towards minlen; with N < 0, at least -N digits are required.
 
              (N >= 0) This is the maximum credit for having digits in the new
              password. If you have less than or N digits, each digit will count
              +1 towards meeting the current minlen value. The default for
              dcredit is 1 which is the recommended value for minlen less than
              10.
 
              (N < 0) This is the minimum number of digits that must be met for a
              new password.
 
ucredit=N
Controls uppercase characters in the new password, with the same meaning of N as dcredit.
 
lcredit=N
Controls lowercase characters in the new password, with the same meaning of N as dcredit.

For example, append dcredit=3 ucredit=2 to the pam_cracklib.so line in the password section of /etc/pam.d/system-auth:

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

If a new password does not meet the complexity requirements, passwd reports a message such as "BAD PASSWORD: it is based on a dictionary word":

[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
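To make the credit arithmetic concrete, here is an added example that is not from the original post or from pam_cracklib itself: a shell re-implementation of the minlen/credit and difok rules as the man page excerpts above describe them, with no dictionary check (the dictionary rejection is what the passwd session above shows). The function names cracklib_check_length, cracklib_check_difok, apply_credit and count_class are my own and the sample passwords are constructed. It also demonstrates the caveat in the example configuration above: a positive value such as dcredit=3 is a credit cap, not a requirement, so a password with a single digit still passes, whereas only a negative value (dcredit=-3) enforces a minimum number of digits, as the man page text for N < 0 says.

```shell
# Added example, not code from the original post or from pam_cracklib.
# Re-implements the minlen/credit and difok rules from the man page excerpts;
# no dictionary check. ASCII passwords assumed (wc -c counts bytes).

# count_class PASSWORD TR_SET: number of characters of PASSWORD in TR_SET.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# apply_credit COUNT N: credit earned by COUNT characters of one class when
# the class setting is N. N >= 0: up to N characters each add one credit.
# N < 0: at least -N characters are required and no credit is given;
# prints "short" when that requirement is not met.
apply_credit() {
    count="$1"; n="$2"
    if [ "$n" -ge 0 ]; then
        if [ "$count" -lt "$n" ]; then echo "$count"; else echo "$n"; fi
    elif [ "$count" -ge $(( 0 - $n )) ]; then
        echo 0
    else
        echo short
    fi
}

# cracklib_check_length PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints "accept" or "reject:<reason>".
cracklib_check_length() {
    pw="$1"; minlen="$2"; dcredit="$3"; ucredit="$4"; lcredit="$5"; ocredit="$6"
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    d=$(count_class "$pw" '0-9')
    u=$(count_class "$pw" 'A-Z')
    l=$(count_class "$pw" 'a-z')
    o=$(( len - d - u - l ))       # "other": anything that is not a letter or digit
    score=$len
    for spec in "d $d $dcredit" "u $u $ucredit" "l $l $lcredit" "o $o $ocredit"; do
        set -- $spec               # $1=class $2=count $3=setting
        credit=$(apply_credit "$2" "$3")
        if [ "$credit" = short ]; then
            echo "reject:class-minimum($1)"
            return 0
        fi
        score=$(( score + credit ))
    done
    if [ "$score" -ge "$minlen" ]; then
        echo accept
    else
        echo "reject:too-short(score=$score<$minlen)"
    fi
}

# cracklib_check_difok OLD NEW DIFOK: at least DIFOK characters of NEW must be
# absent from OLD, unless at least half of NEW's characters differ from OLD.
cracklib_check_difok() {
    old="$1"; rest="$2"; difok="$3"
    newlen=$(printf '%s' "$rest" | wc -c | tr -d ' ')
    ndiff=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of the remainder
        rest=${rest#?}
        case "$old" in
            *"$c"*) ;;
            *) ndiff=$(( ndiff + 1 )) ;;
        esac
    done
    if [ "$ndiff" -ge "$difok" ] || [ $(( ndiff * 2 )) -ge "$newlen" ]; then
        echo accept
    else
        echo "reject:too-similar($ndiff differing)"
    fi
}

# Constructed sample checks: the post's setting (dcredit=3 ucredit=2, with the
# man page defaults minlen=9, lcredit=1, ocredit=1) beside the stricter dcredit=-3.
for sample in Passw0rd abcdefg 'Tr0ub4dor&3x'; do
    printf '%-14s dcredit=3: %-30s dcredit=-3: %s\n' "$sample" \
        "$(cracklib_check_length "$sample" 9 3 2 1 1)" \
        "$(cracklib_check_length "$sample" 9 -3 2 1 1)"
done
cracklib_check_difok Passw0rd Passw1rd 5   # only one character differs
cracklib_check_difok Passw0rd zebra 5      # fewer than difok, but half of the characters differ
```

The first run shows why positive credits are a weak control: Passw0rd scores 8 + 3 credits = 11 against minlen=9 and is accepted, while dcredit=-3 rejects it for having only one digit. The difok pair shows both halves of that rule, the absolute count and the half-of-new-password exception.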

