Linux account password expiration security policy settings (Linux account expiration policy)
In Linux system administration you sometimes need to set the account password complexity (length), the password expiration policy, and so on. These are mainly controlled by parameters in the /etc/login.defs file, which is used for user account restrictions. The relevant parameters are as follows:
/etc/login.defs:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 60 # Maximum password validity period. A value of 60 means the password expires after 60 days; 99999 means it never expires.
PASS_MIN_DAYS 0 # Minimum interval between two password changes. 0 means the password can be changed at any time.
PASS_MIN_LEN 8 # Minimum password length; not enforced for root.
PASS_WARN_AGE 7 # Number of days of warning given before the password expires.
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
UID_MIN # minimum user ID
UID_MAX # maximum user ID
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
GID_MIN # minimum value of group ID
GID_MAX # maximum group ID
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
USERDEL_CMD # commented out by default. If defined, this command is run when a user is deleted and should remove the at/cron/print jobs owned by that user (passed as the first argument).
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
CREATE_HOME # indicates whether to create the user home directory.
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
UMASK # permission mask initialization value
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
USERGROUPS_ENAB # when enabled, userdel also deletes the user's group if the group has no remaining members.
# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5
ENCRYPT_METHOD # the algorithm used to hash user passwords; here MD5.
Changes to /etc/login.defs take effect immediately, but only for users created after the change. For example, after PASS_MAX_DAYS is modified, a user named test is created:
[root@DB-Server home]# useradd test
[root@DB-Server home]# cat /etc/shadow | grep test
test:!!:16971:0:60:7:::
[root@DB-Server home]# cat /etc/passwd | grep test
test:x:501:501::/home/test:/bin/bash
[root@DB-Server home]# chage -l test
Last password change : Jun 19, 2016
Password expires : Aug 18, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
[root@DB-Server home]#
Because CREATE_HOME is yes, creating the user test also creates /home/test by default. This and the other useradd defaults can be viewed or modified in the useradd defaults file /etc/default/useradd:
[root@DB-Server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home # parent directory under which home directories are created
INACTIVE=-1 # number of days after password expiry until the account is disabled; -1 means this is not enabled
EXPIRE= # account expiration date; left empty, so account expiration is not enabled
SHELL=/bin/bash # default login shell
SKEL=/etc/skel # skeleton directory: when adduser/useradd creates a user, the files placed in the new home directory are all copied from here
CREATE_MAIL_SPOOL=yes
If the test user has a special requirement that its password never expire, use the chage command to handle it (chage itself is not covered in detail here):
[root@DB-Server ~]# chage -l test
Last password change : Jun 19, 2016
Password expires : Aug 18, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# chage -M 99999 test
[root@DB-Server ~]# chage -l test
Last password change : Jun 19, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@DB-Server ~]#
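The shadow fields shown by cat /etc/shadow and chage -l above (last change day, minimum days, maximum days, warning days) are what an administrator audits when checking that a host actually follows the PASS_MAX_DAYS policy, including accounts that were later set to 99999 as in the chage -M example. The following POSIX shell script is an added example, not code from the original article: it reads shadow-format lines, flags accounts whose password never expires or whose maximum age exceeds a given limit, and reports the expiry day number. The sample lines and hashes are constructed placeholders; on a real host you would feed it /etc/shadow as root.

```shell
#!/bin/sh
# Added example: audit password-aging fields in /etc/shadow.
# SAMPLE_SHADOW is constructed for this example; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$placeholderhash:16971:0:99999:7:::
test:!!:16971:0:60:7:::
svc_backup:$6$placeholderhash:16500:0:60:7:30::
alice:$6$placeholderhash:16971:7:90:14::17500:'

# audit_shadow MAX_ALLOWED_DAYS
# Reads shadow-format lines on stdin. Field 3 is the last password change
# (days since 1970-01-01) and field 5 is the maximum age copied from
# PASS_MAX_DAYS when the account was created. Prints "user status expiry_day":
#   never    - max age empty or >= 99999, i.e. the password never expires
#   too-long - max age exceeds MAX_ALLOWED_DAYS
#   ok       - within policy
audit_shadow() {
    awk -F: -v max_allowed="$1" '
    {
        user = $1; last = $3; maxd = $5
        if (maxd == "" || maxd + 0 >= 99999) {
            status = "never"; expiry = "-"
        } else {
            expiry = last + maxd
            status = (maxd + 0 > max_allowed + 0) ? "too-long" : "ok"
        }
        printf "%s %s %s\n", user, status, expiry
    }'
}

# status_of USER [MAX_ALLOWED_DAYS] - policy status of one sample account
status_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow "${2:-60}" |
        awk -v u="$1" '$1 == u { print $2 }'
}

# expiry_of USER - expiry day number (last change + max age) of one sample account
expiry_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 60 |
        awk -v u="$1" '$1 == u { print $3 }'
}

# On a real system (as root): audit_shadow 60 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 60
```

The expiry day is the same arithmetic chage -l performs: for the test account above, 16971 + 60 = 17031, which is Aug 18, 2016 as shown in the session. A "never" result for a non-root account is the first thing to question, since it usually means a chage -M 99999 was applied and never revisited.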
As shown above, /etc/login.defs only controls the minimum password length and the password validity period. How, then, does Linux check the complexity of a user's password? The system controls passwords in two parts:
1. cracklib
2. /etc/login.defs
The key file controlling password complexity is /lib/security/pam_cracklib.so; Red Hat ships the cracklib package specifically to judge password strength. To view the parameters of pam_cracklib, run:
[root@DB-Server security]# man pam_cracklib
Some common parameters are as follows:
retry=N
The number of times the user is prompted for a new password. The default is 1, meaning the module returns an error as soon as the password entered is not strong enough; raising this value lets the user start over and try again.
Prompt user at most N times before returning with error. The
default is 1
minlen=N
Minimum acceptable new password length
The minimum acceptable size for the new password (plus one if
credits are not disabled which is the default). In addition to the
number of characters in the new password, credit (of +1 in length)
is given for each different kind of character (other, upper, lower
and digit). The default for this parameter is 9 which is good for a
old style UNIX password all of the same type of character but may
be too low to exploit the added security of a md5 system. Note that
there is a pair of length limits in Cracklib itself, a "way too
short" limit of 4 which is hard coded in and a defined limit (6)
that will be checked without reference to minlen. If you want to
allow passwords as short as 5 characters you should not use this
module.
difok=N
The default value is 10. This parameter sets how many characters of the new password must not be present in the old password. However, if at least half of the characters in the new password differ from the old one, the new password is accepted anyway.
This argument will change the default of 5 for the number of
characters in the new password that must not be present in the old
password. In addition, if 1/2 of the characters in the new password
are different then the new password will be accepted anyway.
dcredit=N
Controls the digit requirement for the new password; the meaning depends on the sign of N:
(N >= 0) This is the maximum credit for having digits in the new
password. If you have less than or N digits, each digit will count
+1 towards meeting the current minlen value. The default for
dcredit is 1 which is the recommended value for minlen less than
10.
(N < 0) This is the minimum number of digits that must be met for a
new password.
ucredit=N
Credit for (N >= 0) or minimum number of (N < 0) uppercase characters in the new password, with the same sign convention as dcredit.
lcredit=N
Credit for (N >= 0) or minimum number of (N < 0) lowercase characters in the new password, with the same sign convention as dcredit.
For example, append dcredit=3 ucredit=2 to the password line that uses pam_cracklib.so in /etc/pam.d/system-auth:
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
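The credit arithmetic from the man page excerpts above (minlen, dcredit, ucredit, lcredit) is easy to misread: a positive N is a maximum credit added to the effective length, while a negative N is a hard minimum for that class. The script below is an added example written for this page, not part of pam_cracklib or the original article; it models only the length and character-class rules (not the dictionary or similarity checks) so that a policy such as the system-auth line above can be reasoned about before it is rolled out. The function name check_policy and the ocredit parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example: plain-shell model of pam_cracklib's minlen/credit rule.
# check_policy PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints "ok" or the first rule that fails. For each class credit N:
#   N >= 0: up to N characters of that class each add +1 to the length
#   N <  0: at least -N characters of that class are required, no credit
check_policy() {
    printf '%s\n' "$1" | awk -v minlen="$2" -v dc="$3" -v uc="$4" -v lc="$5" -v oc="$6" '
    # credit(count, n): length bonus earned by "count" characters of one class
    function credit(count, n) {
        if (n <= 0) return 0
        return (count < n) ? count : n
    }
    {
        pw = $0; d = u = l = o = 0
        # classify every character: digit, upper, lower, other
        for (i = 1; i <= length(pw); i++) {
            c = substr(pw, i, 1)
            if (c ~ /[0-9]/) d++
            else if (c ~ /[A-Z]/) u++
            else if (c ~ /[a-z]/) l++
            else o++
        }
        reason = ""
        # negative credits are hard minimums and are checked first
        if (dc < 0 && d < -dc) reason = "too few digits"
        else if (uc < 0 && u < -uc) reason = "too few uppercase"
        else if (lc < 0 && l < -lc) reason = "too few lowercase"
        else if (oc < 0 && o < -oc) reason = "too few other"
        else {
            # effective length = real length + per-class credits, compared to minlen
            eff = length(pw) + credit(d, dc) + credit(u, uc) + credit(l, lc) + credit(o, oc)
            if (eff < minlen) reason = "too short"
        }
        out = (reason == "") ? "ok" : reason
        print out
    }'
}

# Policy from the system-auth line above: dcredit=3 ucredit=2, other credits at 1,
# minlen left at the man-page default of 9.
check_policy 'Abcdef12' 9 3 2 1 1
check_policy 'abc1' 9 3 2 1 1
```

With dcredit=3 ucredit=2 an eight-character password containing two digits and one capital already reaches an effective length of 12, which is why positive credits make a policy looser, not stricter; to require a capital letter the administrator needs ucredit=-1.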
If the password chosen for a new user does not satisfy the complexity policy, passwd rejects it with a message such as "BAD PASSWORD: it is based on a dictionary word":
[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word