
How to harden Linux account passwords

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to harden account passwords on Linux. The editor considers it very practical and shares it as a reference; I hope you gain something from reading it.

Linux user password policy

The validity period of a Linux user password, and whether it may be changed, are controlled by the login.defs file. Changes to login.defs only affect users created afterwards; to change the validity period of users that already exist, use the chage command.

The complexity of Linux user passwords can be enforced with either the pam_cracklib or the pam_passwdqc PAM module, but not both at once. Personally, I find pam_passwdqc easier to use.

/etc/login.defs password policy

PASS_MAX_DAYS 99999 # maximum password validity in days; 99999 means the password never expires

PASS_MIN_DAYS 0 # minimum number of days between password changes; 0 means the password can be changed at any time, otherwise it can only be changed after that many days

PASS_MIN_LEN 5 # minimum password length; when the pam_cracklib module is in use this parameter no longer applies

PASS_WARN_AGE 7 # number of days before expiry at which the user is told at login to change the password
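As an added example (not code from the original article), the POSIX shell script below edits the aging parameters of a login.defs-style file and then audits a shadow-format file against them. That audit is the gap the text points out: login.defs only covers accounts created later, so the accounts that still need chage have to be found first. The file paths, account names and hashes in the sample are constructed, and the script works on copies so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the original article. It operates on copies of
# login.defs and shadow-format files so it can run without root; point the
# functions at /etc/login.defs and /etc/shadow as root to audit a real system.

# Print the value of KEY from a login.defs-style file (last uncommented line wins).
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Set KEY to VALUE in a login.defs-style file: rewrite the existing uncommented
# line in place, or append one if the key is absent. Commented lines are left alone.
set_login_def() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        $1 == k { if (!done) print k "\t" v; done = 1; next }
        { print }
        END { if (!done) print k "\t" v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Audit a shadow-format file against the aging policy in a login.defs file.
# login.defs only applies to accounts created after it was edited, so this
# reports existing accounts that still need "chage -M/-m/-W". Prints user:reason.
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
audit_shadow() {
    awk -F: -v pmax="$(get_login_def "$2" PASS_MAX_DAYS)" \
            -v pmin="$(get_login_def "$2" PASS_MIN_DAYS)" \
            -v pwarn="$(get_login_def "$2" PASS_WARN_AGE)" '
        $2 == ""       { print $1 ":empty-password"; next }     # logs in with no password at all
        $2 ~ /^[!*]/   { next }                                  # locked, or no password login
        ($5 == "" && pmax + 0 < 99999) || ($5 != "" && $5 + 0 > pmax + 0) {
                         print $1 ":max-days-exceeds-policy" }
        $4 + 0 < pmin + 0  { print $1 ":min-days-below-policy" }
        $6 + 0 < pwarn + 0 { print $1 ":warn-age-below-policy" }
    ' "$1"
}

# Constructed sample files (the hashes are placeholders, not real password hashes).
write_samples() {
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$1/login.defs"
    cat > "$1/shadow" <<'EOF'
root:$6$placeholder:19700:0:99999:7:::
alice:$6$placeholder:19700:1:90:7:::
bob::19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    set_login_def "$dir/login.defs" PASS_MAX_DAYS 90   # expire passwords after 90 days
    set_login_def "$dir/login.defs" PASS_MIN_DAYS 1
    set_login_def "$dir/login.defs" PASS_MIN_LEN 8
    audit_shadow "$dir/shadow" "$dir/login.defs"       # root (max, min) and bob (empty) are reported
    rm -rf "$dir"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see the findings on the constructed sample. On a live system, run audit_shadow /etc/shadow /etc/login.defs as root and apply chage -M, -m or -W to each reported account; the empty-password finding is the one to fix first, since such an account logs in with no password at all.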

Description of the main parameters of pam_cracklib:

retry=N: the module gives up and returns an error after N failed attempts to choose an acceptable new password.

difok=N: the new password must differ from the old one in at least N characters.

dcredit=N: N >= 0 is the maximum credit given for digits in the password; N < 0 means the password must contain at least |N| digits.

lcredit=N: number of lowercase letters (same sign convention as dcredit).

ucredit=N: number of uppercase letters (same sign convention as dcredit).

ocredit=N: number of special characters (same sign convention as dcredit).

minclass=N: minimum number of character classes (uppercase letters, lowercase letters, digits, special characters) the password must contain.

Description of the main parameters of pam_passwdqc:

min: sets the minimum password length; the default is min=disabled.

max: sets the maximum password length; the default is max=40.

passphrase: sets the minimum number of words in a passphrase; the default is passphrase=3, and 0 disables passphrases.

match: sets the length of common substring used when comparing passwords; the default is match=4.

similar: sets whether a new password may resemble the old one when it is reset; similar=permit allows it and similar=deny forbids it.

random: sets the default length of randomly generated passwords; the default is random=42, and 0 disables the feature.

enforce: sets the scope of enforcement; enforce=none only warns about weak passwords without forbidding them, enforce=users applies the restriction to all non-root users, and enforce=everyone applies it to every user including root.

non-unix: tells the module not to use the traditional getpwnam call to obtain user information.

retry: sets the number of retries allowed when the user enters a password; the default is retry=3.

Password complexity is enforced through /etc/pam.d/system-auth. For example, to use pam_cracklib instead of pam_passwdqc, uncomment the pam_cracklib line and comment out the pam_passwdqc.so line:

#password requisite /lib/security/$ISA/pam_cracklib.so retry=3 difok=1

password requisite /lib/security/$ISA/pam_passwdqc.so min=disabled,24,12,8,7 passphrase=3

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow

In the pam_cracklib line, difok=1 means the new password must differ from the old one in at least one character.

Adding policies:

1. Linux user account policy. Edit /etc/pam.d/system-auth and add the following lines:

auth required /lib/security/$ISA/pam_tally.so deny=5

account required pam_tally.so

Explanation of these lines: the password may be tried at most 6 times in a row; beyond that the user can only contact the administrator.

2. Password policy

2.1 Edit /etc/login.defs and set the following parameter values:

PASS_MAX_DAYS 99999

PASS_MIN_DAYS 0

PASS_MIN_LEN 5

PASS_WARN_AGE 7

Explanation of the values: PASS_MAX_DAYS sets the password expiry period; PASS_MIN_DAYS sets the minimum interval before a password may be changed again; PASS_MIN_LEN sets the minimum password length, usually defined as 8 characters or more; PASS_WARN_AGE sets how many days before expiry the warning starts.

2.2 Set the number of failed logins after which an account is locked, and the lock time. Edit /etc/pam.d/system-auth, backing it up first:

cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak

vi /etc/pam.d/system-auth

auth required pam_tally.so onerr=fail deny=6 unlock_time=300

Explanation: the account is locked after six consecutive failed passwords, and the lock lasts 300 seconds. Unlock a user with faillog -u

The pam_cracklib manual describes the credit parameters as follows:

dcredit=N

(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of digits that must be present in a new password.

ucredit=N

(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of upper case letters that must be present in a new password.

lcredit=N

(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of lower case letters that must be present in a new password.

ocredit=N

(N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of other characters that must be present in a new password.

use_authtok

This argument forces the module not to prompt the user for a new password but to use the one provided by the previously stacked password module.

dictpath=/path/to/dict

Path to the cracklib dictionaries. Note: this is the password dictionary against which a candidate password is checked, the key to detecting whether a user's password is a dictionary word.

Cracklib password strength testing process

First check whether the password is part of the dictionary; if it is not, run the following checks:

Palindrome

Is the new password a palindrome of the old one?

Case Change Only

Is the new password the old one with only a change of case?

Similar

Is the new password too much like the old one?

This is primarily controlled by one argument, difok, the number of characters that, if different between the old and new password, are enough to accept the new one; it defaults to 10 or half the size of the new password, whichever is smaller.

To avoid the lockup associated with trying to change a long and complicated password, difignore is available. It specifies the minimum length a new password needs to have before the difok value is ignored. The default value for difignore is 23.

Simple

Is the new password too short?

This is controlled by 5 arguments: minlen, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these work and their defaults.

Rotated

Is the new password a rotated version of the old password?
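The Similar and Simple checks above, together with the credit parameters described earlier, decide most rejections in practice, and it is worth being able to try a setting before putting it in system-auth. The script below is an added example, not code from the article or from pam_cracklib: it models the Simple check (minlen, the four credit values and minclass) and the Similar check (difok and difignore) exactly as the text states them, so an administrator can see what a given configuration accepts. The sample passwords are constructed; passwords containing a backslash are not handled because awk -v interprets escape sequences.

```shell
#!/bin/sh
# Added example, not code from the original article or from pam_cracklib. It
# models the "Simple" (minlen + credits + minclass) and "Similar" (difok /
# difignore) checks as described in the text, for trying out settings offline.

# usage: simple_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT MINCLASS
# Prints "ok:<score>", "fail:minlen:<score>", "fail:class-minimum" or "fail:minclass".
simple_check() {
    awk -v pw="$1" -v minlen="$2" -v dc="$3" -v uc="$4" -v lc="$5" -v oc="$6" -v mc="$7" '
    # N >= 0: each character of the class adds 1 to the score, up to N.
    # N < 0:  the password must contain at least -N characters of the class.
    function credit(n, c) {
        if (c >= 0) return (n < c ? n : c)
        if (n < -c) failed = 1
        return 0
    }
    function count(re,   t) { t = pw; return gsub(re, "", t) }
    BEGIN {
        d = count("[0-9]"); u = count("[A-Z]"); l = count("[a-z]"); o = count("[^0-9A-Za-z]")
        score = length(pw) + credit(d, dc) + credit(u, uc) + credit(l, lc) + credit(o, oc)
        classes = (d > 0) + (u > 0) + (l > 0) + (o > 0)
        if (failed)              print "fail:class-minimum"
        else if (classes < mc)   print "fail:minclass"
        else if (score < minlen) print "fail:minlen:" score
        else                     print "ok:" score
    }'
}

# usage: similar_check OLD NEW [DIFOK] [DIFIGNORE]
# DIFOK of 0 means "use the default": 10 or half the new password length,
# whichever is smaller (the rule stated in the text). Prints "ok:<n>" or
# "fail:<n>", n being the characters of the old password absent from the new
# one, or "ok:difignore" when the new password is long enough to skip the test.
similar_check() {
    awk -v old="$1" -v new="$2" -v difok="${3:-0}" -v difignore="${4:-23}" '
    BEGIN {
        nl = length(new); ol = length(old)
        if (nl >= difignore) { print "ok:difignore"; exit }
        if (difok == 0) { difok = int(nl / 2); if (difok > 10) difok = 10 }
        same = 0
        for (i = 1; i <= ol; i++) if (index(new, substr(old, i, 1)) > 0) same++
        different = ol - same
        r = (different >= difok ? "ok:" : "fail:") different
        print r
    }'
}

demo() {
    simple_check 'abc123'    9 1 1 1 1 0    # fail:minlen:8  (6 chars + 1 digit credit + 1 lower credit)
    simple_check 'Abc1234!'  9 1 1 1 1 0    # ok:12
    simple_check 'abcdefgh1' 9 1 1 1 -1 0   # fail:class-minimum (ocredit=-1 demands a symbol)
    simple_check 'abcdefgh1' 9 1 1 1 1 3    # fail:minclass (only two classes present)
    similar_check 'password1' 'password2'   # fail:1 (default difok is 4 for a 9-character password)
    similar_check 'password1' 'Tr0ub4dor&3' # ok:6
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

The first two calls show why the credit defaults of 1 matter: with minlen=9, "abc123" scores only 8, while an 8-character password using all four classes scores 12 and passes. The negative-credit and minclass cases show the two ways to demand a class outright rather than merely rewarding it.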

This is the end of the article on how to harden account passwords on Linux. I hope the content above is of some help and lets you learn something new; if you think the article is good, please share it so more people can see it.
