linux配置密码过期的安全策略（/etc/login.defs的解读）

长期不更换密码很容易导致密码被破解，而linux的密码过期安全策略主要在/etc/login.defs中配置。

一、/etc/login.defs文件的参数解读

1、/etc/login.defs文件的内容示例

[root@localhost ~]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

2、/etc/login.defs文件的参数解读

MAIL_DIR /var/spool/mail #创建用户时，要在目录/var/spool/mail中创建一个用户mail文件；

PASS_MAX_DAYS 99999

#密码最大有效期，99999表示永不过期。参数PASS_MAX_DAYS为60，表示60天后密码会过期。

PASS_MIN_DAYS 0 #两次修改密码的最小间隔时间，0表示可以随时修改账号密码。

PASS_MIN_LEN 5 #密码最小长度，对于root无效。

PASS_WARN_AGE 7 #密码过期前多少天开始提示，这里是前7天。

UID_MIN 1000 #用户ID最小值

UID_MAX 60000 #用户ID最大值

SYS_UID_MIN 201 #系统用户ID最小值

SYS_UID_MAX 999 #系统用户ID最大值

GID_MIN 1000 #用户组ID最小值

GID_MAX 60000 #用户组ID最大值

SYS_GID_MIN 201 #系统用户组ID最小值

SYS_GID_MAX 999 #系统用户组ID最大值

CREATE_HOME yes #表示是否创建用户home目录，这里创建

UMASK 077 #权限掩码初始化值为077，即---rwxrwx。

USERGROUPS_ENAB yes

#该参数启用，表示userdel删除用户时，如果该用户用户组如果没有成员存在，则会删除该用户组

ENCRYPT_METHOD SHA512 #表示用户密码加密方式，此处表示用MD5加密密码。

二、linux密码过期安全策略的参数配置要求

一般在/etc/login.defs配置以下参数值为：

PASS_MAX_DAYS 90 #密码过期时间为90天

PASS_MIN_DAYS 0 #可以随时修改密码

PASS_WARN_AGE 7 #密码过期前7天开始提示

PASS_MIN_LEN 8 #密码最小长度为8天