2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shares how to set password complexity in Linux. The editor thinks it is very practical and hopes you get something out of reading it.
In most Linux systems, we can use PAM (pluggable authentication modules) to strengthen the password policy. The PAM configuration file is at one of the paths below.
On Red Hat family systems, the path is /etc/pam.d/system-auth.
On Debian family systems, the path is /etc/pam.d/common-password.
The default password expiration settings are in the /etc/login.defs file.
To make this easier to understand, I extracted some of the contents of that file:
# vi /etc/login.defs
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
Detailed explanation:
PASS_MAX_DAYS: the maximum number of days a password can be used.
PASS_MIN_DAYS: the minimum number of days between password changes.
PASS_MIN_LEN: minimum password length.
PASS_WARN_AGE: the number of days before the password expires that a warning is given.
We will show how to implement the following 11 password policies in Linux.
The maximum number of days a password can be used
Minimum number of days between two password changes
Number of days before the password expires to give a warning
Password History / refuse to reuse password
Minimum password length
Minimum number of uppercase letters
Minimum number of lowercase letters
Minimum number of digits
The minimum number of other characters (symbols)
Account locking after failed retries
Account unlocking time
What is the maximum number of days a password can be used?
This parameter limits the maximum number of days a password can be used. It forces users to change their password before it expires. If they forget to change it, they will not be able to log in to the system and will need to contact the administrator to log in normally. This parameter can be set in the /etc/login.defs file. I set this parameter to 90 days.
# vi /etc/login.defs
PASS_MAX_DAYS 90
What is the minimum number of days between password changes?
This parameter limits the minimum number of days between password changes. For example, if this parameter is set to 15 days and the user changes the password today, he will not be able to change the password again for 15 days. This parameter can be set in the /etc/login.defs file. I set it to 15 days.
# vi /etc/login.defs
PASS_MIN_DAYS 15
What is the number of password warning days?
This parameter controls how many days in advance the user is warned that the password is about to expire. During the warning period, the user receives a warning prompt every day. This reminds users to change their passwords before they expire; otherwise they need to contact the administrator to unlock the account. This parameter can be set in the /etc/login.defs file. I set it to 10 days.
# vi /etc/login.defs
PASS_WARN_AGE 10
Note: all the above parameters are valid only for new accounts, not for existing accounts.
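Because the login.defs values only take effect for accounts created afterwards, existing accounts have to be checked one by one. The following is an added example, not part of the original article: it scans shadow-format data for accounts whose aging fields differ from the 15/90/10 values above and prints the chage command that would bring each one in line. The sample entries are constructed, and skipping locked entries is an assumption of this example.

```sh
#!/bin/sh
# Added example: find existing accounts whose password-aging fields differ
# from the policy. shadow(5) fields used here:
#   1=name 2=hash 4=min days 5=max days 6=warn days

# Policy values used in the article.
MIN_DAYS=15 MAX_DAYS=90 WARN_DAYS=10

# audit_shadow FILE: print one "chage ..." line per non-compliant account.
# The commands are only printed, never executed.
audit_shadow() {
    awk -F: -v min="$MIN_DAYS" -v max="$MAX_DAYS" -v warn="$WARN_DAYS" '
        # Assumption: entries whose hash field starts with ! or * cannot
        # log in with a password, so they are skipped.
        $2 ~ /^[!*]/ { next }
        $4 != min || $5 != max || $6 != warn {
            printf "chage -m %d -M %d -W %d %s\n", min, max, warn, $1
        }' "$1"
}

# Constructed sample data (the hash fields are placeholders, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hashA:19800:0:99999:7:::
alice:$6$constructed$hashB:19850:15:90:10:::
bob:$6$constructed$hashC:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
}

tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp"
rm -f "$tmp"
```

On a real system the function would be pointed at /etc/shadow as root, and `chage -l USER` shows the resulting values for one account.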
What is password history or refusal to reuse passwords?
This parameter controls the password history. It records the passwords that have been used (the number of previous passwords that cannot be reused). When a user sets a new password, the system checks the password history and issues a warning if the password they want to set is an old password that has already been used. This parameter can be set in the /etc/pam.d/system-auth file. I set the password history to 5.
# vi /etc/pam.d/system-auth
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
What is the minimum password length?
This parameter represents the minimum length of the password. When the user sets a new password, the system checks this parameter and the user receives a warning if the new password is shorter than the value set here. This parameter can be set in the /etc/pam.d/system-auth file. I set the minimum password length to 12.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12
try_first_pass retry=3: in the password setting interface, users have 3 opportunities to reset their passwords.
Set the minimum number of uppercase letters?
This parameter represents the minimum number of uppercase letters required in the password. These are password strength parameters that make passwords more robust. When the user sets a new password, the system checks this parameter and the user receives a warning if there are no uppercase letters in the password. This parameter can be set in the /etc/pam.d/system-auth file. I set the minimum number of uppercase letters to 1.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 ucredit=-1
Set the minimum number of lowercase letters?
This parameter represents the minimum number of lowercase letters required in the password. These are password strength parameters that make passwords more robust. When the user sets a new password, the system checks this parameter and the user receives a warning if there are no lowercase letters in the password. This parameter can be set in the /etc/pam.d/system-auth file. I set it to 1 letter.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-1
Set the minimum number of digits in the password?
This parameter represents the minimum number of digits required in the password. These are password strength parameters that make passwords more robust. When the user sets a new password, the system checks this parameter and the user receives a warning if there is no digit in the password. This parameter can be set in the /etc/pam.d/system-auth file. I set it to 1 digit.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1
Set the minimum number of other characters (symbols) in the password?
This parameter represents the minimum number of special symbols required in the password. These are password strength parameters that make passwords more robust. When the user sets a new password, the system checks this parameter and the user receives a warning if there is no special symbol in the password. This parameter can be set in the /etc/pam.d/system-auth file. I set it to 1 character.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 ocredit=-1
Set account locking?
This parameter controls the maximum number of consecutive login failures allowed for a user. When the set threshold of consecutive failed logins is reached, the account is locked. This parameter can be set in the /etc/pam.d/system-auth file.
# vi /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail audit silent deny=5
account required pam_tally2.so
Set the time for account unlocking?
This parameter sets how long a locked account stays locked. If a user account is locked after successive authentication failures, it will not be unlocked until the set unlocking time has elapsed. Here the unlocking time of the locked account is set to 900 seconds (15 minutes). This parameter can be set in the /etc/pam.d/system-auth file.
# vi /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
account required pam_tally2.so
The above is how to set password complexity in Linux. The editor believes these are knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
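The PAM settings above (remember, minlen, the four credit options, deny and unlock_time) can be checked mechanically once they are in place. The following is an added example, not part of the original article: it reads a PAM file and reports every option that is unset or weaker than the article's values. The sample fragment is constructed, and it uses sha512 for pam_unix where the article's line uses md5.

```sh
#!/bin/sh
# Added example: audit a PAM file against the values used in the article.

# pam_opt FILE TYPE MODULE KEY: print VALUE from the first "KEY=VALUE" option
# on a TYPE line that loads MODULE; print nothing if it is absent.
pam_opt() {
    awk -v t="$2" -v m="$3" -v k="$4" '
        $1 == t {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == m) { seen = 1; continue }
                if (seen && index($i, k "=") == 1) {
                    print substr($i, length(k) + 2); exit
                }
            }
        }' "$1"
}

# audit_pam FILE: print one FAIL line per option that is unset or fails the
# test in the baseline table (columns: type module key test value).
audit_pam() {
    while read -r type module key op want; do
        got=$(pam_opt "$1" "$type" "$module" "$key")
        if [ -z "$got" ] || ! [ "$got" "$op" "$want" ] 2>/dev/null; then
            echo "FAIL $module $key=${got:-unset} (want $op $want)"
        fi
    done <<'EOF'
password pam_unix.so     remember    -ge 5
password pam_cracklib.so minlen      -ge 12
password pam_cracklib.so ucredit     -le -1
password pam_cracklib.so lcredit     -le -1
password pam_cracklib.so dcredit     -le -1
password pam_cracklib.so ocredit     -le -1
auth     pam_tally2.so   deny        -le 5
auth     pam_tally2.so   unlock_time -ge 900
EOF
}

# Constructed sample: minlen too short, ocredit and unlock_time missing.
sample_pam() {
    cat <<'EOF'
auth     required   pam_tally2.so onerr=fail audit silent deny=5
account  required   pam_tally2.so
password requisite  pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
EOF
}

tmp=$(mktemp); sample_pam > "$tmp"; audit_pam "$tmp"; rm -f "$tmp"
```

The credit options are tested with -le because a negative value is a required minimum count for that character class, so -2 is stricter than -1.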