Linux PAM: setting login password complexity
1. Set the default attributes for newly created users. None of the configuration below restricts the root user.
a. View a user's attributes
[root@slc4-ra0002pxe159 ~]# chage -l user1
Last password change : Jan 23, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
b. The user password policy in /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
[root@slc4-ra0002pxe159 ~]# useradd -u 3033 -s /sbin/nologin user3
[root@slc4-ra0002pxe159 ~]# chage -l user3
Last password change : Apr 22, 2015
Password expires : Jul 21, 2015
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
c. Once the default rules are set, any password a user enters must satisfy them.
[root@slc4-ra0002pxe159 ~]# echo redhat|passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.
[root@slc4-ra0002pxe159 ~]#
[root@slc4-ra0002pxe159 ~]#
[root@slc4-ra0002pxe159 ~]# su - user1
[user1@slc4-ra0002pxe159 ~]$ passwd
Changing password for user user1.
Changing password for user1.
(current) UNIX password:
New password:
BAD PASSWORD: it is too simplistic/systematic
d. Force a password change at the next login
[root@slc4-ra0002pxe159 ~]# chage -d 0 user1
[root@slc4-ra0002pxe159 ~]# su - user1
[user1@slc4-ra0002pxe159 ~]$ su - user1
Password:
You are required to change your password immediately (root enforced)
Changing password for user1.
(current) UNIX password:
New password:
Retype new password:
2. Configure user account settings through PAM
PAM's shared module libraries
# ls /lib64/security
PAM's authentication configuration directory
# ls /etc/pam.d/
PAM documentation: /usr/share/doc/pam-1.1/
PAM's main configuration files:
password-auth: mainly governs remote logins.
system-auth: mainly governs local logins.
Setting password complexity - configuring pam_cracklib.so in the system-auth file:
The password must contain at least one uppercase letter, one lowercase letter, one digit and one special character, and be at least 8 characters long.
Change:
password requisite pam_cracklib.so retry=3
to:
password requisite pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
Use pam_unix.so to prevent passwords from being reused
password sufficient pam_unix.so existing_options remember=5
Use the pam_tally2.so module to lock an account for 1 minute after 3 failed logins
auth required pam_tally2.so deny=3 unlock_time=60
View the failure count:
[root@slc4-ra0002pxe159 ~]# pam_tally2
Login Failures Latest failure From
user1 4 04/22/15 15:11:37 server6-9024.phx01.dev.ebayc3.com
Unlock the account:
[root@slc4-ra0002pxe159 ~]# pam_tally2 -u user1 --reset
Login Failures Latest failure From
user1 0
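As an added example (not part of the original post), the following POSIX sh audit script checks a system-auth style file and a login.defs file for the values set in sections 1 and 2 above, so a defender can verify the hardening actually landed. The sample files it writes under a temporary directory are constructed for the demo, and the pam_unix.so options other than remember=5 are assumed typical values rather than taken from the page.

```shell
#!/bin/sh
# Audit helper: verifies the pam_cracklib / pam_unix / pam_tally2 settings and
# the login.defs aging values described above. Sample files are constructed.

# pam_has FILE TYPE MODULE OPTION... : 0 if the first active line "TYPE <control>
# MODULE" carries every OPTION exactly (bracketed controls are not handled).
pam_has() {
    file=$1; type=$2; module=$3; shift 3
    line=$(awk -v t="$type" -v m="$module" '$1==t && $3==m {print; exit}' "$file")
    [ -n "$line" ] || return 1
    for opt in "$@"; do
        case " $line " in
            *" $opt "*) ;;          # padded so minlen=8 does not match minlen=80
            *) return 1 ;;
        esac
    done
    return 0
}

# login_defs_ok FILE : 0 if PASS_MAX_DAYS <= 90 and PASS_MIN_LEN >= 8 (section 1).
login_defs_ok() {
    max=$(awk '$1=="PASS_MAX_DAYS"{print $2; exit}' "$1")
    min=$(awk '$1=="PASS_MIN_LEN"{print $2; exit}' "$1")
    [ -n "$max" ] && [ -n "$min" ] || return 1
    [ "$max" -le 90 ] && [ "$min" -ge 8 ]
}

# audit_pam FILE : prints each check and returns the number of failed checks.
audit_pam() {
    f=$1; failed=0
    pam_has "$f" password pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 \
        && echo "cracklib complexity: ok" || { echo "cracklib complexity: MISSING"; failed=$((failed+1)); }
    pam_has "$f" password pam_unix.so remember=5 \
        && echo "pam_unix history: ok" || { echo "pam_unix history: MISSING"; failed=$((failed+1)); }
    pam_has "$f" auth pam_tally2.so deny=3 unlock_time=60 \
        && echo "pam_tally2 lockout: ok" || { echo "pam_tally2 lockout: MISSING"; failed=$((failed+1)); }
    return $failed
}

TMP=$(mktemp -d)   # constructed sample configs (not real system files)
printf '%s\n' 'auth        required      pam_env.so' \
  'password    requisite     pam_cracklib.so retry=3' \
  'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok' > "$TMP/weak-auth"
printf '%s\n' '# hardened as described on this page' \
  'auth        required      pam_tally2.so deny=3 unlock_time=60' \
  'password    requisite     pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8' \
  'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5' > "$TMP/strong-auth"
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\n' > "$TMP/weak-defs"
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n' > "$TMP/good-defs"
for f in weak-auth strong-auth; do echo "== $f"; audit_pam "$TMP/$f" || true; done
```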