How to Set a Complex Password Policy on a Linux System

2025-04-13 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains in detail how to set a complex password policy on a Linux system, in the hope of giving readers who face this problem a simple and workable method.

I. Preparatory work

Install PAM's cracklib module, which provides additional password checking capabilities.

On Debian, Ubuntu, or Linux Mint systems:

The code is as follows:

$ sudo apt-get install libpam-cracklib

The cracklib PAM module is installed by default on CentOS, Fedora, and RHEL systems, so there is no need to do this on these systems.

To enforce the password policy, we need to modify the PAM configuration file in the /etc/pam.d directory. Once modified, the policy takes effect immediately.

Note: the password policy in this tutorial is valid only for non-root users, not for root users.

II. Prohibition of the use of old passwords

Find the line containing both "password" and "pam_unix.so" and append "remember=5" to it. This prohibits reuse of the five most recently used passwords (used passwords are saved in /etc/security/opasswd).

On Debian, Ubuntu, or Linux Mint systems:

The code is as follows:

$ sudo vi /etc/pam.d/common-password

password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5

On CentOS, Fedora, RHEL systems:

The code is as follows:

$ sudo vi /etc/pam.d/system-auth

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

III. Set the minimum password length

Find the line containing both "password" and "pam_cracklib.so" and append "minlen=10" to it, which sets the minimum password length to (10 - number of types). Here "number of types" is the number of different character types used. PAM recognizes four types of characters in passwords (uppercase letters, lowercase letters, numbers, and punctuation). If your password uses all four types and minlen is set to 10, the shortest password allowed is 6 characters.

On Debian, Ubuntu, or Linux Mint systems:

The code is as follows:

$ sudo vi /etc/pam.d/common-password

password requisite pam_cracklib.so retry=3 minlen=10 difok=3

On CentOS, Fedora, RHEL systems:

The code is as follows:

$ sudo vi /etc/pam.d/system-auth

password requisite pam_cracklib.so retry=3 difok=3 minlen=10

IV. Set password complexity

Find the line containing both "password" and "pam_cracklib.so" and append "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1" to it, which requires the password to contain at least one uppercase letter (ucredit), two lowercase letters (lcredit), one number (dcredit), and one punctuation mark (ocredit).

On Debian, Ubuntu, or Linux Mint systems:

The code is as follows:

$ sudo vi /etc/pam.d/common-password

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

On CentOS, Fedora, RHEL systems:

The code is as follows:

$ sudo vi /etc/pam.d/system-auth

password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
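The length and credit rule from sections III and IV, as an added example (not code from the original article or from PAM itself): a simplified Python model of how minlen interacts with positive and negative credit values. The function names and sample passwords are constructed for illustration, and the credit default of 1 follows the module's documented defaults.

```python
# Added example: models only the minlen / *credit rule of pam_cracklib,
# not its dictionary, difok or retry checks. ASCII passwords assumed.

def count_classes(password):
    """Bucket each character as digit, upper, lower or other."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def length_rule_ok(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (ok, reason) for one candidate password."""
    counts = count_classes(password)
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            # Positive credit: each character of the class, up to `credit`,
            # lowers the required length by one.
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            # Negative credit: hard minimum count for the class.
            return False, "needs at least %d of class %s" % (-credit, cls)
    if len(password) < required:
        return False, "length %d < required %d" % (len(password), required)
    return True, "ok"


# Section III settings: minlen=10, credits left at their default of 1.
SECTION_3 = dict(minlen=10)
# Section IV settings: negative credits demand characters and give no bonus.
SECTION_4 = dict(minlen=10, ucredit=-1, lcredit=-2, dcredit=-1, ocredit=-1)

if __name__ == "__main__":
    for pw in ("aB3!xy", "abcdefgh", "aB3!xyzwvu"):  # constructed samples
        print(pw, length_rule_ok(pw, **SECTION_3), length_rule_ok(pw, **SECTION_4))
```

With section IV's negative credits, the six-character password that passes under section III is rejected, because a negative credit sets a required count and no longer shortens the required length.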

V. Set the password expiration period

Edit the /etc/login.defs file to set the validity period of the current password, using the following variables:

The code is as follows:

$ sudo vi /etc/login.defs

PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

These settings require users to change their passwords every six months and remind users that their passwords are about to expire seven days in advance.

If you want to set a different password expiration for each user, use the chage command. The following command can view the password expiration date for a user:

The code is as follows:

$ sudo chage -l xmodulo

Last password change : Dec 30, 2013
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

By default, the user's password never expires.

The following command is used to change the password duration of the xmodulo user:

The code is as follows:

$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo

The above command sets the password expiration date to June 3, 2014. In addition, the minimum interval between password changes is 5 days and the maximum is 90 days. A message is sent 14 days before the password expires to remind the user, and the account will be locked 30 days after the expiration.
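The values in /etc/login.defs are applied when an account is created, so accounts that already exist keep the aging fields stored in /etc/shadow until chage changes them. The following added example (not from the original article) parses shadow-style lines and lists accounts whose maximum password age exceeds the 150-day policy; the sample lines, the placeholder hashes and all account names other than xmodulo are constructed.

```python
from datetime import date, timedelta

# Constructed /etc/shadow-style lines; hashes are placeholders.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
olduser:$6$placeholder:16069:0:99999:7:::
xmodulo:$6$placeholder:16069:5:90:14:30::
newuser:$6$placeholder:16069:0:150:7:::
daemon:*:16069:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)  # shadow dates count days from here


def parse_aging(line):
    """Split one shadow line into its aging fields (empty field -> None)."""
    f = line.strip().split(":")
    keys = ("lastchg", "min", "max", "warn", "inactive", "expire")
    entry = dict(zip(keys, (int(x) if x else None for x in f[2:8])))
    entry["user"] = f[0]
    # A hash field starting with '*' or '!' cannot be used to log in.
    entry["has_password"] = not f[1].startswith(("*", "!"))
    return entry


def password_expiry(entry):
    """Date the password expires, or None when aging is effectively off
    (99999 is the value chage -l reports as 'never' above)."""
    if entry["lastchg"] is None or entry["max"] in (None, 99999):
        return None
    return EPOCH + timedelta(days=entry["lastchg"] + entry["max"])


def audit(shadow_text, policy_max_days=150):
    """Return users with a usable password and a max age above the policy."""
    findings = []
    for line in shadow_text.splitlines():
        e = parse_aging(line)
        if e["has_password"] and (e["max"] is None or e["max"] > policy_max_days):
            findings.append(e["user"])
    return findings


if __name__ == "__main__":
    print("accounts outside policy:", audit(SAMPLE_SHADOW))
```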

After the setting is completed, the verification effect is as follows:

This concludes the answer to how to set a complex password policy on a Linux system. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel to learn more.
