This tutorial assumes your Linux system uses PAM (Pluggable Authentication Modules), which all Linux distributions have used for years.
First, preparatory work
Install PAM's cracklib module, which provides additional password checking capabilities.
Debian, Ubuntu, or Linux Mint systems:
$ sudo apt-get install libpam-cracklib
CentOS, Fedora, and RHEL systems have installed the Cracklib PAM module by default, so there is no need to perform the above operations on these systems.
To enforce the password policy, we need to modify the PAM configuration file in the /etc/pam.d directory. Once modified, the policy will take effect immediately.
Note: Password policies in this tutorial are valid only for non-root users and are not valid for root users.
Second, prohibit the use of old passwords
Find the line with the "password" and "pam_unix.so" fields and append "remember=5", which prohibits reuse of the last 5 passwords (passwords that have been used are saved in /etc/security/opasswd).
Debian, Ubuntu, or Linux Mint systems:
$ sudo vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
CentOS, Fedora, or RHEL systems:
$ sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Third, set the minimum password length
Find the line with the "password" and "pam_cracklib.so" fields and append "minlen=10", which sets the minimum password length to (10 - number of types). The "number of types" here is the number of different character types used in the password. PAM recognizes 4 types of characters in passwords (uppercase, lowercase, digits, and punctuation). If your password uses all 4 types at the same time and minlen is set to 10, the shortest password allowed is 6 characters.
Debian, Ubuntu, or Linux Mint systems:
$ sudo vi /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3
CentOS, Fedora, or RHEL systems:
$ sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10
Fourth, set the password complexity
Locate the line with the "password" and "pam_cracklib.so" fields and append "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1", which requires the password to contain at least one uppercase letter (ucredit), two lowercase letters (lcredit), one digit (dcredit), and one punctuation mark (ocredit).
Debian, Ubuntu, or Linux Mint systems:
$ sudo vi /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
CentOS, Fedora, or RHEL systems:
$ sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
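The credit arithmetic from the minlen and complexity sections above, as an added example (not part of the original tutorial and not pam_cracklib's own code): a simplified Python model of the length and credit rule only, assuming the default credit of 1 per character type that the text's 10-to-6 example implies. The function names and sample passwords are constructed for illustration.

```python
# Simplified model of the pam_cracklib length/credit rule (added example).
# It ignores the dictionary, difok and other checks the module also performs.

def count_classes(password):
    """Count characters per type: upper, lower, digit, other."""
    counts = {"u": 0, "l": 0, "d": 0, "o": 0}
    for ch in password:
        if ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        elif ch.isdigit():
            counts["d"] += 1
        else:
            counts["o"] += 1
    return counts


def check_password(password, minlen=10, ucredit=1, lcredit=1, dcredit=1, ocredit=1):
    """Return (accepted, reason) under the credit rules described above."""
    counts = count_classes(password)
    credits = {"u": ucredit, "l": lcredit, "d": dcredit, "o": ocredit}
    names = {"u": "uppercase", "l": "lowercase", "d": "digit", "o": "other"}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            # Non-negative: each character of this type earns +1, capped at credit.
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            # Negative: a hard minimum count for the type, and no length credit.
            return False, f"needs at least {-credit} {names[cls]} character(s)"
    if len(password) < required:
        return False, f"too short: {len(password)} < {required}"
    return True, "ok"


# Constructed sample passwords, not real credentials.
SAMPLES = ["aB3!xy", "abcdefgh", "abC3!defgh"]

if __name__ == "__main__":
    strict = dict(minlen=10, ucredit=-1, lcredit=-2, dcredit=-1, ocredit=-1)
    for pw in SAMPLES:
        print(pw, "| defaults:", check_password(pw),
              "| negative credits:", check_password(pw, **strict))
```

In this model the negative credits grant no length credit, so the 6-character password accepted under the default credits is rejected once ucredit, lcredit, dcredit and ocredit are all negative, and minlen=10 then means 10 actual characters.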
Fifth, set the password expiration time
Edit the /etc/login.defs file to set the expiration of the current password; the relevant variables are as follows:
$ sudo vi /etc/login.defs
PASS_MAX_DAYS
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
These settings require users to change their passwords every 6 months, and will alert users 7 days in advance that the password is about to expire.
If you want to set a different password period for each user, use the chage command. The following command can view a user's password period:
$ sudo chage -l xmodulo
Last password change : Dec, 2013
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
By default, the user's password never expires.
The following command modifies the password age for the user xmodulo:
$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo
The above command sets the password period to June 30, 2014. In addition, the minimum period between password changes is 5 days, and the maximum period is 90 days. A message is sent to alert the user 14 days before the password expires, and the account is locked 30 days after the password expires.
After setting, the validation effect is as follows: