
Password setting complexity and duration

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The following explanation is taken from the pam_cracklib man page (man pam_cracklib).

Password policies that the pam_cracklib module can enforce:

1. Palindrome restriction

2. Limit on the number of characters

3. Character type restriction

4. Repeated character limit

5. Limit on the number of characters repeated between the new and old passwords

6. Similarity check between the new password and the old password

7. A new password cannot repeat any of the last few remembered old passwords.

authtok_type=XXX

The default action is for the module to use the following prompts when requesting passwords: "New UNIX password:" and "Retype UNIX password:"

The example word UNIX can be replaced with this option, by default it is empty.

Default prompt when entering a new password

difok=N

This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.

That is, this parameter changes the default of 5 for the number of characters in the new password that must differ from the old password.

maxrepeat=N

Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.

That is, passwords containing more than N identical consecutive characters are rejected. The default is 0, which means no check.

maxsequence=N

Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are 12345 or fedcb. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password.

That is, passwords containing a monotonic character sequence longer than N are rejected. The check is disabled by default. Note that most such passwords will not pass the simplicity check anyway, unless the sequence is only a minor part of the password.

dictpath=/path/to/dict

Path to the cracklib dictionaries.
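
How N is counted for maxrepeat and maxsequence, as a Python illustration added here and written from the man page wording above. It is not pam_cracklib's own code; the function names and sample passwords are constructed for this example.

```python
# Added illustration of the maxrepeat / maxsequence rules described above.
# It follows the man page wording; it is not pam_cracklib's source code.

def exceeds_maxrepeat(password: str, n: int) -> bool:
    """True if password has more than n identical consecutive characters."""
    if n == 0:          # 0 is the default and disables the check
        return False
    run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        if run > n:
            return True
    return False


def exceeds_maxsequence(password: str, n: int) -> bool:
    """True if password has a monotonic run (12345, fedcb) longer than n."""
    if n == 0:          # 0 is the default and disables the check
        return False
    up = down = 1
    for prev, cur in zip(password, password[1:]):
        step = ord(cur) - ord(prev)
        up = up + 1 if step == 1 else 1       # ascending run length
        down = down + 1 if step == -1 else 1  # descending run length
        if up > n or down > n:
            return True
    return False


def check(password: str, maxrepeat: int, maxsequence: int) -> list:
    """Return the names of the rules a candidate password violates."""
    failures = []
    if exceeds_maxrepeat(password, maxrepeat):
        failures.append("maxrepeat")
    if exceeds_maxsequence(password, maxsequence):
        failures.append("maxsequence")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, checked with maxrepeat=2 and maxsequence=3.
    for pw in ["Tr0ub4dor&3", "paaassword", "x12345y", "zfedcbq", "abc!abc"]:
        print(f"{pw!r:16} -> {check(pw, 2, 3) or 'ok'}")
```

A run of exactly N characters passes; only a run longer than N is rejected, which is why abc!abc is accepted with maxsequence=3.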

II. Examples of error messages

If the new password is the same as one that was used before, an error is reported:

Password has been already used. Choose another.

If the new password is the same as the old password, it will prompt:

Password unchanged

If the similarity between the new password and the old password is too high, it will prompt:

is too similar to the old one

If the complexity of the setting is not enough, it will prompt:

BAD PASSWORD: it is too short

If, for example, the password is made up of consecutive characters, it will prompt:

BAD PASSWORD: it is too simplistic/systematic

If the password exceeds the repeating character limit:

BAD PASSWORD: contains too many same characters consecutively

III. Configuration examples

password requisite /lib64/security/pam_cracklib.so try_first_pass retry=3 difok=3 authtok_type=you_must_enter_at_least_3_charactors type= minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict

password sufficient /lib64/security/pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=3

Control identifier explanation:

optional: The module is required for authentication if it is the only module listed for a service.

required: The module must succeed for access to be granted. PAM continues to execute the remaining modules in the stack whether the module succeeds or fails. PAM does not immediately inform the user of the failure.

requisite: The module must succeed for access to be granted. If the module succeeds, PAM continues to execute the remaining modules in the stack. However, if the module fails, PAM notifies the user immediately and does not continue to execute the remaining modules in the stack.

sufficient: If the module succeeds, PAM does not process any remaining modules of the same operation type. If the module fails, PAM processes the remaining modules of the same operation type to determine overall success or failure.

IV. Password expiration

In the /etc/login.defs file you can set the validity period of passwords. If you want to set a different period for each user separately, use the chage command.

V. General password policy

Passwords must meet the following complexity requirements:

- Enforce password history: 5 passwords remembered

- Maximum password age: 90 days

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

- Be at least 7 characters in length

- Contain characters from three of the following four categories:

1. English uppercase characters (A through Z)

2. English lowercase characters (a through z)

3. Base 10 digits (0 through 9)

4. Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
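
An audit of the PAM lines from the configuration examples against the policy values listed above, as a Python example added here (not part of the original article). The PAM lines are copied from the configuration section; the login.defs excerpt, the function names and the POLICY dictionary are constructed for this example.

```python
# Added example, not from the original article: audit PAM lines and login.defs.
PAM_LINES = (  # copied from the configuration example in this article
    "password requisite /lib64/security/pam_cracklib.so try_first_pass retry=3 "
    "difok=3 authtok_type=you_must_enter_at_least_3_charactors type= minlen=8 "
    "ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict\n"
    "password sufficient /lib64/security/pam_unix.so try_first_pass use_authtok "
    "nullok sha512 shadow remember=3\n"
)
LOGIN_DEFS = "# constructed sample\nPASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\n"
POLICY = {"history": 5, "max_age": 90, "min_length": 7, "classes": 3}

def fields_of(line):
    return line.split("#")[0].split()  # drop a trailing comment, then split

def module_options(pam_text, module):
    """Options of the first 'password' line for module, as {name: value}."""
    for f in map(fields_of, pam_text.splitlines()):
        # Assumes a plain control keyword, not the bracketed [value=action] form.
        if len(f) >= 3 and f[0] == "password" and f[2].endswith(module):
            return dict(opt.partition("=")[::2] for opt in f[3:])
    return {}

def login_defs_value(text, key):
    """Integer value of key in login.defs text, or None if it is not set."""
    for f in map(fields_of, text.splitlines()):
        if len(f) == 2 and f[0] == key:
            return int(f[1])
    return None

def audit(pam_text, login_defs, policy=POLICY):
    """Return {policy item: finding} for every requirement that is not met."""
    crack = module_options(pam_text, "pam_cracklib.so")
    unix = module_options(pam_text, "pam_unix.so")
    remember = int(unix.get("remember", 0))
    minlen = int(crack.get("minlen", 0))  # an absent option counts as not set
    # A negative credit makes at least that many characters of the class mandatory.
    classes = sum(int(crack.get(c, 0)) < 0
                  for c in ("ucredit", "lcredit", "dcredit", "ocredit"))
    max_age = login_defs_value(login_defs, "PASS_MAX_DAYS")
    checks = [
        ("history", remember >= policy["history"], f"remember={remember}"),
        ("min_length", minlen >= policy["min_length"], f"minlen={minlen}"),
        ("classes", classes >= policy["classes"], f"{classes} classes mandatory"),
        ("max_age", max_age is not None and max_age <= policy["max_age"],
         f"PASS_MAX_DAYS={max_age}"),
    ]
    return {k: f"{seen}, policy value {policy[k]}" for k, ok, seen in checks if not ok}

print(audit(PAM_LINES, LOGIN_DEFS))
```

The minlen comparison is a hard minimum only when the credits are zero or negative, as they are in this configuration; positive credits count toward minlen and allow shorter passwords.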
