Linux PAM password complexity limits

Source: Internet
Author: User

In Linux, how is the complexity of users' passwords checked?
The system controls passwords in two parts:
1. cracklib
2. /etc/login.defs

pam_cracklib.so is the key module that controls password complexity:
/lib/security/pam_cracklib.so
Red Hat ships cracklib as its own package, with a separate dictionary package, so that the complexity check can be installed and checked as RPMs.

# rpm -qa | grep cracklib
cracklib-2.8.9-3.1          \ check whether the software is installed
cracklib-dicts-2.8.9-3.1    \ password dictionary files

Note: login.defs mainly controls the password validity period, that is, password aging (time-based management), not complexity.

Password complexity checking is implemented by a PAM module, specifically pam_cracklib. Its parameters are introduced below:
# man pam_cracklib            \ read the manual page for a description of this module's role

Description of available parameters
debug
This option writes module information to syslog(3) to show the module's behaviour (it does not write the password itself to the log).

type=XXX
By default the module prompts for the password with "New UNIX password:" and "Retype new UNIX password:". This option replaces the word UNIX in those prompts.

retry=N
The number of times the user may be prompted for a new password. The default is 1, meaning the module returns an error as soon as the entered password is not strong enough. Set this option to give the user N attempts, each starting from scratch.

difok=N
The number of characters in the new password that must not be present in the old password. The default is 10. In addition, if at least half of the characters in the new password differ from the old one, the new password is accepted anyway.

difignore=N
The length at which the difok check is skipped: a new password with at least this many characters is accepted regardless of how many characters it shares with the old one. The default is 23.

minlen=N
The minimum acceptable length for the new password (plus one, if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character present (other, uppercase, lowercase and digit). The default of 9 is fine for an old-style UNIX password made of one character type, but may be too low to exploit the added security of an MD5 hashing system. Note that cracklib itself has two length limits of its own: a "way too short" limit of 4 that is hard-coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as 5 characters, do not use this module.

dcredit=N
(N >= 0) The maximum credit for digits in the new password: each digit adds 1 to the effective length, up to N. (N < 0) The minimum number of digits the new password must contain; in that case digits earn no length credit.

ucredit=N
The same rule for uppercase letters: maximum credit when N >= 0, minimum count when N < 0.

lcredit=N
The same rule for lowercase letters.

ocredit=N
The same rule for other characters (anything that is not a digit or a letter).

use_authtok
This argument forces the module not to prompt the user for a new password but to use the one provided by the previously stacked password module.

dictpath=/path/to/dict
Note: the password dictionary is the key to checking whether the user's password is based on a dictionary word.

Cracklib password strength check procedure:
First, check whether the password is based on a dictionary word. If it is not, perform the following checks in order:
Password strength check procedure ->
Is the new password a palindrome? ->
Does the new password differ from the old one only in letter case? ->
Is the new password too similar to the old one (see difok and difignore)? ->
Is the new password too short (see minlen and the credit options)? ->
Is the new password a rotation of the old one, for example old password 123, new password 231? ->
Has this password been used before? (This last check is handled by the remember= option of pam_unix, which keeps old hashes in /etc/security/opasswd, not by pam_cracklib itself.)

/etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3      \ complexity check
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Examples:
password required pam_cracklib.so \
    difok=3 minlen=15 dcredit=2 ocredit=2
At least 3 characters of the new password must not appear in the old one.
The minimum length is 15, but digits earn up to 2 length credits and other characters up to 2 (uppercase and lowercase letters keep the default credit of 1 each), so a 9-character password containing at least 2 digits, 2 other characters, an uppercase and a lowercase letter reaches the effective minimum. Note that positive credit values are maximum credits, not minimum counts: this line does not by itself require any digits or special characters.

password required pam_cracklib.so \
    dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
The new password must contain at least one digit, one uppercase letter and one other character; lowercase letters earn no credit, so the minimum length is 8 actual characters.

Note that this setting does not stop the root user: when root sets a password, pam_cracklib only prints the "BAD PASSWORD" warning and accepts it.
It is enforced only when an ordinary user changes his or her own password. (Later pam_cracklib releases, and its successor pam_pwquality, add an enforce_for_root option that applies the checks to root as well.)
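The option semantics and the check sequence described above can be exercised without touching /etc/pam.d by re-creating them in a short script. The following is an added example written for this article, not pam_cracklib's own C source: it parses a pam_cracklib option string, applies the credit/minlen rule and the difok/difignore rule as the manual page states them (newer releases replace the latter with an edit-distance calculation), runs the checks in the order listed in the procedure above, and evaluates the two example lines. The dictionary lookup is replaced by a small constructed word list, since cracklib's FascistCheck() is not available here, and every old/new password pair is made up.

```python
"""Added example (not pam_cracklib's own C source): a Python re-creation of the
checks this page describes, so the option semantics and check order can be
exercised offline.  The cracklib dictionary lookup is replaced by a small
constructed word list; real cracklib also rejects mangled dictionary words."""

# Constructed stand-in for cracklib-dicts (assumption: a handful of common words).
DICT = {"password", "welcome", "dragon", "letmein"}

# Defaults as stated on this page (newer Linux-PAM releases lowered difok to 5).
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "difok": 10, "difignore": 23}


def parse_options(line):
    """Parse key=value tokens from a pam_cracklib option string."""
    opts = dict(DEFAULTS)
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(val)
    return opts


def simple(opts, new):
    """minlen/credit rule; True means 'too simple' (too short).
    credit >= 0: each char of that class adds 1 to the effective length, up to credit.
    credit < 0: at least -credit chars of that class are required and earn no credit."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in new:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    size = opts["minlen"]
    for cls, n in counts.items():
        credit = opts[cls]
        if credit >= 0:
            size -= min(n, credit)
        elif n < -credit:
            return True      # a required character class is missing
    return len(new) < size


def similar(opts, old, new):
    """difok/difignore rule as the manual page states it; True means 'too similar'.
    pam_cracklib compares the lower-cased strings, so do the same here."""
    old, new = old.lower(), new.lower()
    n = len(new)
    different = sum(1 for ch in new if ch not in old)
    if different >= opts["difok"] or n >= opts["difignore"] or different >= n / 2:
        return False
    return True


def rotated(old, new):
    """True if new is old shifted cyclically by 1..len-1 positions (123 -> 231)."""
    old, new = old.lower(), new.lower()
    return any(old[i:] + old[:i] == new for i in range(1, len(old)))


def password_check(opts, old, new):
    """Run the checks in the order this page lists them.
    Returns None when the password is acceptable, otherwise the reason text
    pam_cracklib reports after 'BAD PASSWORD:'."""
    if new.lower() in DICT:
        return "it is based on a dictionary word"
    if new == old:
        return "is the same as the old one"
    if new == new[::-1]:
        return "is a palindrome"
    if new.lower() == old.lower():
        return "case changes only"
    if similar(opts, old, new):
        return "is too similar to the old one"
    if simple(opts, new):
        return "is too simple"
    if rotated(old, new):
        return "is rotated"
    return None


# The two pam_cracklib lines from the examples above.
STRICT = parse_options("difok=3 minlen=15 dcredit=2 ocredit=2")
CLASSES = parse_options("dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8")

if __name__ == "__main__":
    # Constructed old/new password pairs; nothing here is a real credential.
    cases = [
        (STRICT, "Tr0ub4dor&3", "Xk7#q!Pw2m"),    # 10 chars + 6 credits >= 15
        (STRICT, "Tr0ub4dor&3", "abcdefghi"),     # 9 lowercase chars earn only 1 credit
        (CLASSES, "Winter2023", "Summer2024"),    # no 'other' character
        (CLASSES, "Winter2023", "Summer-2024"),   # every required class present
        (CLASSES, "Winter2023", "WINTER2023"),    # case change only
        (STRICT, "Tr0ub4dor&3", "r0ub4dor&3T"),   # a rotation, but similarity fires first
        (parse_options("difok=0 minlen=6"), "Tr0ub4dor&3", "r0ub4dor&3T"),
    ]
    for opts, old, new in cases:
        print(f"{new:14} -> {password_check(opts, old, new) or 'OK'}")
```

Two things the script makes visible that the option list alone does not: with dcredit=2 ocredit=2 the first example line accepts a 10-character password, because credits lower the effective minimum rather than demanding digits or symbols; and a plain rotation of the old password is normally rejected as "too similar" before the rotation check is ever reached, so that check only matters when difok is set very low. On a system with the cracklib runtime installed, the real dictionary check can be tried with cracklib-check, which reads candidate passwords from standard input and prints either OK or the rejection reason.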
