/etc/login.defs
PASS_MAX_DAYS 99999 # maximum password age in days; 99999 effectively means the password never expires
PASS_MIN_DAYS 0 # minimum number of days between password changes; 0 lets a user change the password again immediately, N > 0 blocks another change for N days
PASS_MIN_LEN 5 # minimum password length; ignored once pam_cracklib is in the PAM password stack, which enforces its own minlen instead
PASS_WARN_AGE 7 # number of days before expiry on which the user is warned at login to change the password
Note that these values are only copied into /etc/shadow when an account is created (useradd reads them); editing login.defs does not change existing accounts, which have to be updated with chage, for example chage -M 90 -m 1 -W 14 <user>, and inspected with chage -l <user>.
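As an added example (not part of the original post), the following POSIX shell script reads the password-ageing keys from a login.defs-style file and flags values weaker than thresholds chosen here as assumptions (90-day maximum, 1-day minimum, 14-day warning). It audits two constructed files: the shipped defaults quoted above and a hardened counterpart.

```sh
#!/bin/sh
# Added example: audit password-ageing keys in a login.defs-style file.
# The thresholds below are this example's assumptions, not values from the post.

# login_defs_get FILE KEY -> value of KEY (comments ignored, last one wins), empty if unset
login_defs_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { val = $2 }
        END        { print val }
    ' "$1"
}

# audit_login_defs FILE -> one "WEAK ..." line per finding on stdout;
# the exit status is the number of findings (0 = compliant)
audit_login_defs() {
    file=$1 findings=0
    max=$(login_defs_get "$file" PASS_MAX_DAYS)
    min=$(login_defs_get "$file" PASS_MIN_DAYS)
    warn=$(login_defs_get "$file" PASS_WARN_AGE)
    if [ -z "$max" ] || [ "$max" -gt 90 ]; then
        echo "WEAK PASS_MAX_DAYS=${max:-unset}: expected <= 90"
        findings=$((findings + 1))
    fi
    if [ -z "$min" ] || [ "$min" -lt 1 ]; then
        echo "WEAK PASS_MIN_DAYS=${min:-unset}: expected >= 1 (stops change-and-change-back to defeat history)"
        findings=$((findings + 1))
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 14 ]; then
        echo "WEAK PASS_WARN_AGE=${warn:-unset}: expected >= 14"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: the shipped values quoted above, and a hardened file.
WEAK_DEFS=$(mktemp)
HARD_DEFS=$(mktemp)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$WEAK_DEFS"
printf '# hardened\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_MIN_LEN\t12\nPASS_WARN_AGE\t14\n' > "$HARD_DEFS"

echo "== shipped defaults =="
audit_login_defs "$WEAK_DEFS" || echo "$? finding(s)"
echo "== hardened =="
audit_login_defs "$HARD_DEFS" && echo "compliant"
```

On a real host run audit_login_defs /etc/login.defs; because the file is only a template for new accounts, follow up with chage -l on existing users.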
/etc/pam.d/system-auth
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required /lib/security/$ISA/pam_deny.so
Change to:
password required pam_passwdqc.so min=disabled,disabled,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3
#password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required /lib/security/$ISA/pam_deny.so
This replaces pam_cracklib with pam_passwdqc. Its min=disabled,disabled,12,8,7 sets the minimum length by kind of password: one-class and two-class passwords are refused outright, passphrases (at least passphrase=3 words) need 12 characters, three-class passwords 8, and four-class passwords 7. Two options kept on the pam_unix line deserve a second look when hardening: nullok allows accounts with an empty password to be used, and md5 selects MD5 hashes for /etc/shadow; on any current pam_unix use sha512 (or yescrypt where available) instead, and add remember=N if you want the "already used" check described below to have a history to compare against.
How to configure PAM modules to control the Linux password policy (2010-02-21 22:00)
Category: LINUX study
When setting a password on a Linux system we often get a message such as: your password is too simple, or your password is based on a dictionary word. How does the system check the complexity of a user's password?
Password control on the system is made up of two parts (that I know of):
1 cracklib
2 login.defs
Note: login.defs mainly controls password validity periods, that is, time-based management of passwords. It is not covered in detail here.
login.defs -- shadow password suite configuration
pam_cracklib.so is the key file that controls password complexity.
On Red Hat systems the dictionary-based checker is shipped as its own package, cracklib, which is what judges password complexity.
You can list its contents with rpm -ql cracklib.
The complexity check is implemented through a PAM module, specifically pam_cracklib. The parameters of pam_cracklib are:
debug
This option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file).
type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word UNIX can be replaced with this option.
retry=N
Prompt user at most N times before returning with error. The default is 1.
difok=N
This argument will change the default of 5 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
difignore=N
How many characters should the password have before difok will be ignored. The default is 23.
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be present in a new password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter counts +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of upper case letters that must be present in a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter counts +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of lower case letters that must be present in a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character counts +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be present in a new password.
use_authtok
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.
dictpath=/path/to/dict
Path to the cracklib dictionaries. This is the dictionary the candidate password is checked against, so it is the key to the "is this a dictionary word" test.
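The minlen and credit arguments interact in a way that is easy to misjudge, so here is an added example (not code from the page or from pam_cracklib itself) that reproduces the arithmetic described above in POSIX shell: each character class contributes +1 per character up to its credit when the credit is non-negative, and a negative credit contributes nothing but makes that class mandatory. It assumes ASCII passwords (wc -c counts bytes) and the four worked cases at the end are constructed.

```sh
#!/bin/sh
# Added example: reproduce the minlen/credit arithmetic of pam_cracklib as
# described in the option list above. Not the module's own code; ASCII only.

# count_class STRING CLASS -> number of characters of STRING in tr class CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# credit_for COUNT N -> credit this class adds toward minlen:
#   N >= 0: each character counts +1, capped at N
#   N <  0: no credit, but at least -N characters of the class are required
#           (prints FAIL when that minimum is not met)
credit_for() {
    count=$1 n=$2
    if [ "$n" -ge 0 ]; then
        [ "$count" -lt "$n" ] && echo "$count" || echo "$n"
    else
        [ "$count" -lt $(( -n )) ] && echo FAIL || echo 0
    fi
}

# cracklib_score PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints ACCEPT/REJECT with the effective score; exit 0 on accept, 1 on reject.
cracklib_score() {
    pw=$1 minlen=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    d=$(count_class "$pw" '[:digit:]')
    u=$(count_class "$pw" '[:upper:]')
    l=$(count_class "$pw" '[:lower:]')
    o=$(( len - d - u - l ))      # "other": anything that is not digit/upper/lower
    score=$len
    for pair in "$d:$3" "$u:$4" "$l:$5" "$o:$6"; do
        c=$(credit_for "${pair%%:*}" "${pair##*:}")
        if [ "$c" = FAIL ]; then
            echo "REJECT: class minimum not met"
            return 1
        fi
        score=$(( score + c ))
    done
    if [ "$score" -ge "$minlen" ]; then
        echo "ACCEPT score=$score (minlen=$minlen)"
        return 0
    fi
    echo "REJECT score=$score < minlen=$minlen"
    return 1
}

# Worked cases (constructed). "|| true" only keeps a rejection from aborting a shell run with -e.
cracklib_score 'abc12345' 8 1 1 1 1              # 8 chars + digit credit + lower credit = 10, accepted
cracklib_score 'abc12345' 12 1 1 1 1 || true     # same score 10, rejected against minlen=12
cracklib_score 'abc12345' 8 -1 -1 -1 -1 || true  # rejected: ucredit=-1 demands an upper-case letter
cracklib_score 'Abc123!x' 12 1 1 1 1             # 8 chars + four class credits = 12, accepted
```

The second and fourth cases show the point the man page text makes about credits: with the default credits an 8-character, two-class password already scores 10, so minlen=8 is weaker than it looks, while negative credits turn the classes into hard requirements that no length can compensate for.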
cracklib strength-checking process
The module first checks whether the password is (or is based on) a dictionary word; only if it is not does it go on to the checks below.
These checks are:
Palindrome
Is the new password a palindrome of the old one? (What the module actually tests is whether the new password itself reads the same backwards.)
Case Change Only
Is the new password the old one with only a change of case?
Similar
Is the new password too much like the old one?
This is primarily controlled by one argument, difok, which is the number of characters that, if different between the old and new password, are enough to accept the new password. The default quoted here (10, or half the length of the new password, whichever is smaller) and the 5 given in the option list above come from different pam_cracklib versions; check the man page on your system.
To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument can be used to specify the minimum length a new password needs to be before the difok value is ignored. The default value for difignore is 23.
Simple
Is the new password too short?
This is controlled by 5 arguments: minlen, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these work and their defaults.
Rotated
Is the new password a rotated version of the old password?
For example: old password 123, new password 231.
Already used
Was the password used in the past?
Previously used passwords are found in /etc/security/opasswd. That file is only written when pam_unix is given the remember=N option, so without it this check has no history to compare against.
So how does the system apply this control?
The system configuration file /etc/pam.d/system-auth contains a line like this:
password requisite pam_cracklib.so try_first_pass retry=3
Using the pam_cracklib parameters above we can configure the module to get the policy we want, for example:
password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3 dictpath=/path/to/dict
Keep requisite rather than required on this line if a rejected password should stop the stack immediately instead of letting the following modules run.
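To check a stack like the ones on this page without reading every line by hand, here is an added example (not from the original post) in POSIX shell that audits the "password" lines of a PAM service file for the weaknesses discussed above. It understands minlen and the four credit options on pam_cracklib.so or pam_pwquality.so and the nullok and hash options on pam_unix.so; pam_passwdqc's min=... syntax is not parsed. The threshold of minlen >= 8 and the two sample files (the original stack quoted at the top of this page, and a hardened one written for this example) are assumptions.

```sh
#!/bin/sh
# Added example: audit the "password" stack of a PAM service file for the
# weaknesses discussed on this page. Heuristic; thresholds are assumptions.

# pam_password_lines FILE -> active "password" lines, tabs folded to spaces
pam_password_lines() {
    awk '/^[ \t]*#/ { next } $1 == "password" { print }' "$1" | tr '\t' ' '
}

# pam_arg LINE NAME -> value of NAME=value on LINE, empty if absent
pam_arg() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# audit_pam_password FILE -> one "WEAK ..." line per finding
audit_pam_password() {
    lines=$(pam_password_lines "$1")
    case $lines in
        *pam_cracklib.so*|*pam_pwquality.so*) ;;
        *) echo "WEAK no strength-checking module (pam_cracklib/pam_pwquality) in the password stack" ;;
    esac
    printf '%s\n' "$lines" | while IFS= read -r line; do
        case $line in
            *pam_cracklib.so*|*pam_pwquality.so*)
                minlen=$(pam_arg "$line" minlen)
                if [ -z "$minlen" ] || [ "$minlen" -lt 8 ]; then
                    echo "WEAK minlen=${minlen:-default}: expected >= 8"
                fi
                for c in dcredit ucredit lcredit ocredit; do
                    v=$(pam_arg "$line" "$c")
                    if [ -z "$v" ] || [ "$v" -ge 0 ]; then
                        echo "WEAK $c=${v:-default}: no minimum for this class (use a negative value)"
                    fi
                done
                ;;
            *pam_unix.so*)
                case " $line " in
                    *" nullok "*) echo "WEAK pam_unix nullok: empty passwords permitted" ;;
                esac
                case " $line " in
                    *" sha512 "*|*" sha256 "*|*" yescrypt "*) ;;
                    *) echo "WEAK pam_unix hash: no sha512/sha256/yescrypt option (md5 here, or the pam_unix/ENCRYPT_METHOD default)" ;;
                esac
                ;;
        esac
    done
}

# Constructed samples: the original stack quoted on this page, and a hardened one.
WEAK_PAM=$(mktemp)
HARD_PAM=$(mktemp)
cat > "$WEAK_PAM" <<'EOF'
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow use_first_pass
password required /lib/security/$ISA/pam_deny.so
EOF
cat > "$HARD_PAM" <<'EOF'
# hardened password stack (example)
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow use_authtok try_first_pass remember=5
password required pam_deny.so
EOF

echo "== original stack =="; audit_pam_password "$WEAK_PAM"
echo "== hardened stack =="; audit_pam_password "$HARD_PAM"
```

Point it at /etc/pam.d/system-auth (or password-auth, or common-password on Debian-derived systems) to audit a live host; the original stack from this page yields seven findings (default minlen, four credits without minimums, nullok, and md5), the hardened one none.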