
How to Set a Password Policy on a Linux System

2025-04-02 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article explains how to set a password policy on a Linux system. The editor finds it very practical and shares it here as a reference.

Preparation

Install PAM's cracklib module; cracklib provides additional password checking capabilities.

On Debian, Ubuntu, or Linux Mint systems:

$ sudo apt-get install libpam-cracklib

The cracklib PAM module is installed by default on CentOS, Fedora, and RHEL systems, so there is no need to do this on these systems.

To enforce the password policy, we need to modify the PAM configuration file in the /etc/pam.d directory. Once modified, the policy takes effect immediately.

Note: the password policy in this tutorial is valid only for non-root users, not for root users.

Prevent reuse of old passwords

Find the line that contains both "password" and "pam_unix.so" and append "remember=5", which prohibits reuse of the last 5 passwords (passwords that have been used are saved in /etc/security/opasswd).

On Debian, Ubuntu, or Linux Mint systems:

$ sudo vi /etc/pam.d/common-password

password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5

On CentOS, Fedora, RHEL systems:

$ sudo vi /etc/pam.d/system-auth

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Set the minimum password length

Find the line that contains both "password" and "pam_cracklib.so" and append "minlen=10", which sets the minimum password length to (10 - number of types). The "number of types" here is the number of different character types used. PAM provides four types of symbols for passwords (uppercase letters, lowercase letters, numbers, and punctuation). If your password uses all four types of symbols and minlen is set to 10, the shortest password allowed is 6 characters.

On Debian, Ubuntu, or Linux Mint systems:

$ sudo vi /etc/pam.d/common-password

password requisite pam_cracklib.so retry=3 minlen=10 difok=3

On CentOS, Fedora, RHEL systems:

$ sudo vi /etc/pam.d/system-auth

password requisite pam_cracklib.so retry=3 difok=3 minlen=10

Set the password complexity

Find the line that contains both "password" and "pam_cracklib.so" and append "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1", which requires the password to contain at least one uppercase letter (ucredit), two lowercase letters (lcredit), one number (dcredit), and one punctuation mark (ocredit).

On Debian, Ubuntu, or Linux Mint systems:

$ sudo vi /etc/pam.d/common-password

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

On CentOS, Fedora, RHEL systems:

$ sudo vi /etc/pam.d/system-auth

password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
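How minlen and the credit options interact, as an added example (not code from the original article or from pam_cracklib): a small model of the documented rule showing that the 6-character case from the minimum-length step holds only while the credits are non-negative, and that the negative credits set here make the full 10 characters mandatory. The function names and the sample password are assumptions made for illustration.

```python
import string

# Added illustration: models the minlen/credit rule as the pam_cracklib
# manual describes it; cracklib's dictionary checks are not modelled.
CLASSES = {"dcredit": string.digits, "ucredit": string.ascii_uppercase,
           "lcredit": string.ascii_lowercase}


def count_classes(password):
    """Count characters per credit class; anything else is 'other'."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                counts[name] += 1
                break
        else:
            counts["ocredit"] += 1
    return counts


def length_check(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (accepted, reason) for the minlen/credit part of the policy.

    Keyword defaults are the module's documented defaults.
    credit >= 0: up to `credit` characters of that class each lower the
                 required length by one.
    credit <  0: at least -credit characters of that class are mandatory
                 and the class earns no length bonus.
    """
    credits = {"dcredit": dcredit, "ucredit": ucredit,
               "lcredit": lcredit, "ocredit": ocredit}
    counts = count_classes(password)
    required = minlen
    for name, credit in credits.items():
        if credit >= 0:
            required -= min(counts[name], credit)
        elif counts[name] < -credit:
            return False, f"{name}: needs at least {-credit}"
    if len(password) < required:
        return False, f"too short: {len(password)} < {required}"
    return True, "ok"


# Constructed sample: six characters, all four classes.
SAMPLE = "Ab1!cd"
PAGE_CREDITS = dict(ucredit=-1, lcredit=-2, dcredit=-1, ocredit=-1)
print(length_check(SAMPLE, minlen=10))                  # default credits
print(length_check(SAMPLE, minlen=10, **PAGE_CREDITS))  # the page's settings
```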

Set the password expiration date

Edit the /etc/login.defs file to set the validity period of the current password. The specific variables are as follows:

$ sudo vi /etc/login.defs

PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

These settings require users to change their passwords every six months and remind users that their passwords are about to expire seven days in advance.
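A way to verify that the edits above are actually in place, as an added example (not part of the original article): it parses the PAM password stack, including the bracketed control field used on Debian, and /etc/login.defs, then reports each setting from this tutorial that is missing or weaker. The sample file contents are constructed, and the function names are assumptions made for illustration.

```python
import re

# Added illustration. Sample file contents below are constructed; on a real
# host read /etc/pam.d/common-password (or system-auth) and /etc/login.defs.
PAM_SAMPLE = """\
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1
password [success=1 default=ignore] pam_unix.so obscure sha512
"""
LOGIN_DEFS_SAMPLE = "# aging\nPASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n"

# type, control (plain word or [bracketed list]), module, options
PAM_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def password_modules(pam_text):
    """Map module file name -> {option: value} for each 'password' line."""
    modules = {}
    for line in pam_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0])
        if m and m.group(1).lower() == "password":
            opts = dict(tok.partition("=")[::2] for tok in m.group(4).split())
            modules[m.group(3).rsplit("/", 1)[-1]] = opts
    return modules


def audit(pam_text, login_defs_text):
    """Return findings; an empty list means the tutorial's policy is set."""
    findings = []
    mods = password_modules(pam_text)
    if int(mods.get("pam_unix.so", {}).get("remember") or 0) < 5:
        findings.append("pam_unix.so: remember=5 not set")
    crack = mods.get("pam_cracklib.so", {})
    if int(crack.get("minlen") or 0) < 10:
        findings.append("pam_cracklib.so: minlen below 10")
    for opt, want in (("ucredit", -1), ("lcredit", -2), ("dcredit", -1), ("ocredit", -1)):
        if int(crack.get(opt) or 0) > want:
            findings.append(f"pam_cracklib.so: {opt} weaker than {want}")
    defs = {}
    for line in login_defs_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            defs[parts[0]] = parts[1]
    if int(defs.get("PASS_MAX_DAYS") or 99999) > 150:
        findings.append("login.defs: PASS_MAX_DAYS above 150")
    if int(defs.get("PASS_WARN_AGE") or 0) < 7:
        findings.append("login.defs: PASS_WARN_AGE below 7")
    return findings
```

Calling audit(PAM_SAMPLE, LOGIN_DEFS_SAMPLE) on the constructed input reports the missing remember=5, the missing ocredit, and the default PASS_MAX_DAYS.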

If you want to set a different password expiration for each user, use the chage command. The following command can view the password expiration date for a user:

$ sudo chage -l xmodulo

Last password change: Dec 30, 2013
Password expires: never
Password inactive: never
Account expires: never
Minimum number of days between password change: 0
Maximum number of days between password change: 99999
Number of days of warning before password expires: 7

By default, the user's password never expires.

The following command is used to change the password duration of the xmodulo user:

$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo

The above command sets the password expiration date to June 3, 2014. In addition, the minimum interval between password changes is 5 days and the maximum is 90 days. A reminder will be sent to the user 14 days before the password expires, and the account will be locked 30 days after the expiration.
