Red Hat 8 password complexity settings
Enable securetty PAM module - Red Hat Customer Portal
https://access.redhat.com/solutions/5027331
What is pam_faillock and how to use it in Red Hat Enterprise Linux? - Red Hat Customer Portal
In Red Hat Enterprise Linux 8, the authconfig command is replaced by the authselect utility.
We do not recommend making modifications directly in the global PAM files system-auth and password-auth under the /etc/pam.d/ directory.
In Red Hat Enterprise Linux 8, the default configuration file for password complexity is /etc/security/pwquality.conf.
Before changing the policy, first create a custom profile:
1 authselect list ----------- list the available profiles
2 authselect current -------- show the profile currently in use
3 authselect apply-changes -b --backup=sssd.backup ---------- back up the profile currently in use
4 authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam --------- create the custom profile
Newly created profile will be available at location: /etc/authselect/custom/password-policy/
5
authselect select custom/password-policy
authselect current
-------------- switch to the newly created profile
6
authselect enable-feature with-mkhomedir
authselect enable-feature with-faillock
authselect enable-feature with-fingerprint
authselect enable-feature with-silent-lastlog
authselect disable-feature with-silent-lastlog
With the RHEL 8.2 release, pam_faillock can read its settings from the faillock.conf configuration file located at /etc/security/faillock.conf. For example:
deny=4
unlock_time=1200
silent
7 Make the desired changes in the PAM config files system-auth and password-auth under the custom profile directory /etc/authselect/custom/password-policy/. Once the changes are made, apply them with the command:
authselect apply-changes
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused).
Insert the following line in the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):
password requisite pam_pwhistory.so remember=5 use_authtok
Requirement 2. Enforce root for password complexity.
Insert/append the following option on the pam_pwquality.so line in the password section of the /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files:
enforce_for_root
Apply the changes:
authselect apply-changes
For requirements from 3 to 11:
Set appropriate options in the file /etc/security/pwquality.conf.
minlen = 9
dcredit = -1
ucredit = -1
lcredit = 1
ocredit = 1
minclass = 1
maxrepeat = 2
maxclassrepeat = 2
difok = 5
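One way to check the result of the steps above (an added example, not from the original post or from Red Hat). The function names check_pam_password_stack and pwq_required_classes are hypothetical, and the demo input is constructed from the values on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# check_pam_password_stack FILE [MIN_REMEMBER]
# Exit 0 only if the "password" section has pam_pwquality.so with
# enforce_for_root, followed later by pam_pwhistory.so remember=N, N >= MIN.
check_pam_password_stack() {
    awk -v min="${2:-5}" '
        $1 != "password" { next }        # skips comments and other sections
        /pam_pwquality\.so/ {
            pwq = 1
            for (i = 3; i <= NF; i++) if ($i == "enforce_for_root") root = 1
        }
        /pam_pwhistory\.so/ && pwq {     # counts only when placed after pwquality
            for (i = 3; i <= NF; i++)
                if ($i ~ /^remember=[0-9]+$/ && substr($i, 10) + 0 >= min) hist = 1
        }
        END {
            if (!pwq) { print "FAIL: pam_pwquality.so missing"; bad = 1 }
            else if (!root) { print "FAIL: enforce_for_root missing"; bad = 1 }
            if (!hist) { print "FAIL: no pam_pwhistory.so remember>=" min " after pam_pwquality.so"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }' "$1"
}

# pwq_required_classes FILE
# Print the character classes pwquality.conf actually requires. A negative
# *credit is a minimum count; zero or positive is only a length credit.
pwq_required_classes() {
    awk -F'=' '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k ~ /^[dulo]credit$/ { credit[substr(k, 1, 1)] = v + 0 }
        END {
            n = split("d:digit u:upper l:lower o:other", cls, " ")
            for (i = 1; i <= n; i++) {
                split(cls[i], p, ":")
                if (credit[p[1]] < 0) out = out (out ? " " : "") p[2]
            }
            print out
        }' "$1"
}

# Demo on a constructed pwquality.conf holding the values from this page.
demo_conf=$(mktemp)
printf '%s\n' 'minlen = 9' 'dcredit = -1' 'ucredit = -1' 'lcredit = 1' 'ocredit = 1' > "$demo_conf"
echo "required classes: $(pwq_required_classes "$demo_conf")"
rm -f "$demo_conf"
```

Run check_pam_password_stack against /etc/authselect/custom/password-policy/system-auth and password-auth after authselect apply-changes. With the values above, pwq_required_classes reports only digit and upper, because lcredit = 1 and ocredit = 1 are length credits rather than minimum counts.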
