修改 CentOS 系统中的密码策略

1、修改/etc/login.defs文件
PASS_MAX_DAYS   90  #密码最长过期天数
PASS_MIN_DAYS   0     #密码最小更换天数
PASS_MIN_LEN    10     #密码最小长度
PASS_WARN_AGE   7   #密码过期前提示天数

参考：https://eternalcenter.com/password-policy-centos8rhel8/

2、修改 /etc/pam.d/ 中的 system-auth、password-auth 文件

# Generated by authselect on Wed Feb 12 10:38:46 2020
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
# 密码输入错误次数限制，并限制重试时间
auth        required                                     pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
# 密码输入错误次数限制，并限制重试时间
auth        [default=die]                                pam_faillock.so authfail audit deny=3 unlock_time=300
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so
# 密码输入错误次数限制
account     required                                     pam_faillock.so

# 设置密码复杂度
password    requisite                                    pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 enforce_for_root
# 记住5次历史密码，不能重复
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

PAM模块详细学习：https://www.cnblogs.com/kevingrace/p/8671964.html

密码复杂度策略：https://www.cnblogs.com/ye-xin/p/12706296.html

密码错误锁定策略：https://zhuanlan.zhihu.com/p/127109500