Linux User Password Policy test

1, Linux Normal user default password policy:

Using passwd to modify a user's password, it is often suggested that "bad Password:it was based on a dictionary word". In fact, the password authentication mechanism required by Linux is to specify the minimum number of characters in/etc/login.defs, and also to be limited by/ETC/PAM.D/PASSWD. However, under the root user how to set all can, can not be constrained by the authentication mechanism, even if out "bad Password:it is based on a dictionary word" can also be modified successfully.

But ordinary users to modify their own password, if it does not conform to the password verification mechanism, the modification is unsuccessful, there will be various errors.

"Bad Password:it's way to Too short", this is the report password is too small, does not conform to/etc/login.defs settings;

"Bad Password:it are based on your username", this is the password and account cannot have the same name, which is not in accordance with the/ETC/PAM.D/PASSWD settings;

"Bad Password:it was based on a dictionary word" because the string in the dictionary appears.

How do you get rid of the restrictions?

1. Vi/etc/pam.d/system-auth as root.

2. Look for the following and the lines:

Password requisite pam_cracklib.so try_first_pass retry=3
Password sufficient pam_unix.so MD5 shadow Nullok try_first_pass Use_authtok

3. Comment out the first of the lines:
#password Requisite pam_cracklib.so Try_first_pass retry=3

4. Remove Use_authtok on the second line. Otherwise you'll get "passwd:authentication information cannot be recovered" error.
Password sufficient pam_unix.so MD5 shadow Nullok Try_first_pass

5. That ' s it. Try changing your password again.

When only the 3rd step, pam_cracklib.so password complexity does not check, but Use_authtok still work, will cause all cannot change password, then will come out the following error:

Passwd:authentication Token manipulation Error

The password complexity is not checked as per the above, but the average user is still limited to the minimum password length of the pam_cracklib.

Simple
Is the new password too small? This was controlled by 6 arguments Minlen, maxclassrepeat, Dcredit, Ucredit,lcredit, and Ocredit.

2, change the password for ordinary users, increase password security:

Modify/etc/pam.d/system-auth

Password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enfo Rce_for_root

Where Enforce_for_root is mandatory administrator modification, if none, administrator modification unrestricted

The pam_cracklib.so module, which has enforce_for_root in the CENTOS6 version, is not available in version 5 and can be used pam_passwdqc.so

3. Using pam_passwdqc.so module

          password    requisite  pam_passwdqc.so  enforce=everyone

Independent of the Pam_cracklib module, set the password security separately.

This article is from the "Autumn Fairy tale" blog, please be sure to keep this source http://wushank.blog.51cto.com/3489095/1662663

Linux User Password Policy test