Linux Account Password Expiration security policy settings, linux Account Expiration Policy

Source: Internet
Author: User

Linux Account Password Expiration security policy settings, linux Account Expiration Policy

In Linux system management, you sometimes need to set the account password complexity (length), password expiration policy, and so on. This is mainly controlled by some parameters in the/etc/login. defs parameter file. It is mainly used for user account restrictions. The parameters are as follows:

/Etc/login. defs:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
 
 
PASS_MAX_DAYS 60 # Maximum Password validity period. The parameter PASS_MAX_DAYS is 60, indicating that the password will expire after 60 days. 99999 indicates that it never expires.
PASS_MIN_DAYS 0 # minimum interval between two password changes. 0 indicates that the account password can be changed at any time.
PASS_MIN_LEN 8 # minimum password length, invalid for root
PASS_WARN_AGE 7 # How many days before the password expires?
 
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000
 
UID_MIN # minimum user ID
UID_MAX # maximum user ID
 
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000
 
GID_MIN # minimum value of group ID
GID_MAX # maximum group ID
 
 
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local
 
USERDEL_CMD # The comment state by default. If this variable is defined, it indicates that when a user is deleted, delete/print/cron jobs and other users (transmitted as the first parameter ).
 
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes
 
CREATE_HOME # indicates whether to create the user home directory.
 
 
# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077
 
UMASK # permission mask initialization value
 
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
 
USERGROUPS_ENAB # this parameter is enabled, indicating that when userdel deletes a user, if no member exists in the user group, the user group will be deleted.
 
# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes
 
ENCRYPT_METHOD MD5   
 
ENCRYPT_METHOD # indicates the user password encryption method. Here, it indicates that the user password is encrypted with MD5.

When the parameter/etc/login. defs is modified, it takes effect immediately, but it takes effect only for the user created after the modification. For example, after the PASS_MAX_DAYS parameter is modified, a user test is created.

[root@DB-Server home]# useradd test
[root@DB-Server home]# cat /etc/shadow | grep test
test:!!:16971:0:60:7:::
[root@DB-Server home]# cat /etc/passwd | grep test
test:x:501:501::/home/test:/bin/bash
[root@DB-Server home]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : Aug 18, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
[root@DB-Server home]# 

Because CREATE_HOME is yes, after the user test is created, the test directory is created under the/home directory by default, this can be viewed or modified in the Add User rule file/etc/default/useradd.

[root@DB-Server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME =/home # create your home directory in/HOME
INACTIVE =-1 # Whether to enable account expiration and suspension.-1 indicates not enabling
EXPIRE = # end date of the account. If this parameter is not set, the account is not enabled;
SHELL =/bin/bash # SHELL type used;
SKEL =/etc/skel # The default file storage location of the user's directory is added by default. That is to say, when adduser is used to add users, the files in the user's home directory are, all of them are copied from this directory.
CREATE_MAIL_SPOOL=yes

If the user test has special requirements and requires that the password of this account never expire, you can use the chage command to process it (for the chage command, do not expand it here)

[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : Aug 18, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# chage -M 99999 test
[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@DB-Server ~]# 

As shown above,/etc/login. defs only controls the minimum length of the account and the password validity period. How does Linux check the complexity of the user's password? In fact, the system controls the password in two parts:

1 cracklib

2/etc/login. defs

Pam_cracklib.so is the key file to control the Password Complexity/lib/security/pam_cracklib.so. Redhat specially developed the cracklib installation package to determine the password complexity. To view some parameters of pam_cracklib, run the following command:

[Root @ DB-Server security] # man pam_cracklib

Some common parameters are as follows:
 
retry=N
The number of times the password is entered. The default value is 1. That is to say, exit if the password entered by the user is not strong enough. You can use this option to set the number of inputs so that everything can start from scratch.
 
              Prompt user at most N times before returning with error. The
              default is 1
 
minlen=N
Minimum acceptable new password length
 
              The minimum acceptable size for the new password (plus one if
              credits are not disabled which is the default). In addition to the
              number of characters in the new password, credit (of +1 in length)
              is given for each different kind of character (other, upper, lower
              and digit). The default for this parameter is 9 which is good for a
              old style UNIX password all of the same type of character but may
              be too low to exploit the added security of a md5 system. Note that
              there is a pair of length limits in Cracklib itself, a "way too
              short" limit of 4 which is hard coded in and a defined limit (6)
              that will be checked without reference to minlen. If you want to
              allow passwords as short as 5 characters you should not use this
              module.
 
difok=N
The default value is 10. This parameter allows the number of new and old passwords with the same characters. However, if the new password contains 1/2 characters different from the old one, the new password will be accepted.
 
 
              This argument will change the default of 5 for the number of
              characters in the new password that must not be present in the old
              password. In addition, if 1/2 of the characters in the new password
              are different then the new password will be accepted anyway.
 
dcredit=N
Limit the minimum number of new passwords
 
              (N >= 0) This is the maximum credit for having digits in the new
              password. If you have less than or N digits, each digit will count
              +1 towards meeting the current minlen value. The default for
              dcredit is 1 which is the recommended value for minlen less than
              10.
 
              (N < 0) This is the minimum number of digits that must be met for a
              new password.
 
ucredit=N
Restrict the minimum number of uppercase characters in the new password.
 
lcredit=N
Restrict the minimum number of lowercase characters in the new password.

For example, add dcredit = 3 ucredit = 2 at the end of/etc/pam. d/system-auth using pam_cracklib.so in password

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

If the new user's PASSWORD does not meet the PASSWORD complexity, the message "bad password: it is based on a dictionary word" appears.

[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word

References:

Http://www.cnblogs.com/xd502djj/archive/2011/11/23/2260094.html

Http://blog.csdn.net/lhfeng/article/details/6033598

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.