Linux Control user Password Security policy

One, control the user password length, validity period

/etc/login.defs file is mainly to control the password validity of the file, the complexity of the password is determined by the PAM module control to achieve, the specific module is Pam_cracklib

# Vi/etc/login.defs

Pass_max_days 99999 #密码最大有效期时间, 99999 is basically permanent effective, generally can be set to 100 days effective, to 100 days will not be able to login.
Pass_min_days 0 #至少多少天后必须修改口令, generally set 0 days, and after the maximum validity period, the password must be changed, otherwise the expiration is locked.
Pass_min_len #密码最少长度
Pass_warn_age 7 #密码失效前多少天在用户登录时通知用户修改密码

Save

Modify command

# chage-l Test

Last password Change:aug 07, 2015
Password Expires:never
Password Inactive:never
Account Expires:never
Minimum number of days between password change:0
Maximum number of days between password change:99999
Number of days of warning before password expires:7

# CHAGE-E 2015-09-01 Test set test user expiration time is September 1, 2015

# chage-l Test
Last password Change:aug 07, 2015
Password Expires:never
Password Inactive:never
Account Expires:sep
Minimum number of days between password change:0
Maximum number of days between password change:99999
Number of days of warning before password expires:7

# CHAGE-M test Sets the maximum expiry time for the test user password

# chage-l Test
Last password Change:aug 07, 2015
Password Expires:nov 15, 2015
Password Inactive:never
Account Expires:sep 01, 2015
Minimum number of days between password change:0
Maximum number of days between password change:100
Number of days of warning before password expires:7

Second, the control of user password complexity

Check if the control password complexity package is installed

# Rpm-qa|grep Cracklib
cracklib-2.8.9-3.3
cracklib-dicts-2.8.9-3.3

# Vi/etc/pam.d/system-auth

Password requisite pam_cracklib.so retry=5 minlen=10 ucredit=-1 lcredit=-3 dcredit=-1 ocredit=-1 dictpath=/usr/ Share/cracklib/pw_dict
Password sufficient pam_unix.so MD5 shadow Nullok try_first_pass Use_authtok
Password Required pam_deny.so

This requires a maximum of 5 attempts to exceed the lock, a password length of at least 10 digits, at least 1 uppercase letters, at least 3 lowercase letters, at least 1 digits, at least 1 special characters, and not a common word in the dictionary.

Description

Retry=5 attempts are 5 times

minlen=10 min. length 10 bit

ucredit=n: Uppercase, n>=0 represents up to a few uppercase letters, N is a negative number indicating at least a few
Lcredit=n: lowercase letters, n>=0 means up to a few lowercase letters, N is negative for at least a few
Dcredit=n: Number, n>=0 represents up to a few digits, N is a negative number indicating at least a few
Ocredit=n: Special character, n>=0 represents up to a few special characters, N is negative indicates at least several

Third, testing

Use root to create a normal user test and set the initial password for test

Note: The password length and complexity are also detected when root sets the password for an ordinary user, but it can be set if it does not meet the requirements because root is the god of the Linux system.

Log in with the test user and then modify your password with the passwd command, where the password length, complexity, and so on are all starting to work.

[Email protected] ~]$ passwd
Changing password for user test.
changing password for test
(current) UNIX Password:
New UNIX Password:
Bad Password:it are based on a dictionary word (hint contains words in dictionary, too simple)
New UNIX Password:
Bad password:it does not contain enough DIFFERENT characters (hint contains too many duplicate letters)
New UNIX Password:
Bad password:case changes only (no uppercase letters here)

Linux Control user Password Security policy