# 帐户口令
- [帐户口令](#帐户口令)
- [屏蔽系统帐户](#屏蔽系统帐户)
- [限制使用su命令的帐户](#限制使用su命令的帐户)
- [设置口令复杂度](#设置口令复杂度)
- [设置口令有效期](#设置口令有效期)
- [设置口令的加密算法](#设置口令的加密算法)
- [登录失败超过三次后锁定](#登录失败超过三次后锁定)
- [加固su命令](#加固su命令)
## 屏蔽系统帐户
### 说明
除了用户帐户外,其他帐号称为系统帐户。系统帐户仅系统内部使用,禁止用于登录系统或其他操作,因此屏蔽系统帐户。
### 实现
将系统帐户的Shell修改为/sbin/nologin。
```
usermod -L -s /sbin/nologin $systemaccount
```
> **说明:**
> $systemaccount 指系统帐户。
## 限制使用su命令的帐户
### 说明
su命令用于在不同帐户之间切换。为了增强系统安全性,有必要对su命令的使用权进行控制,只允许root和wheel群组的帐户使用su命令,限制其他帐户使用。
### 实现
su命令的使用控制通过修改/etc/pam.d/su文件实现,配置如下:
```
auth required pam_wheel.so use_uid
```
**表 1** pam\_wheel.so配置项说明
<a name="zh-cn_topic_0152100407_tf55aaab642874a94a4f0eacb7895b1b8"></a>
<table><thead align="left"><tr id="zh-cn_topic_0152100407_rf154f262c0e244db9934b613e42bcfca"><th class="cellrowborder" valign="top" width="50%" id="mcps1.2.3.1.1"><p id="zh-cn_topic_0152100407_a2c22bb6b55ec4d2fa8e67f585f77bd00"><a name="zh-cn_topic_0152100407_a2c22bb6b55ec4d2fa8e67f585f77bd00"></a><a name="zh-cn_topic_0152100407_a2c22bb6b55ec4d2fa8e67f585f77bd00"></a><strong id="zh-cn_topic_0152100407_a40464afab7b54cb294baa10754800a63"><a name="zh-cn_topic_0152100407_a40464afab7b54cb294baa10754800a63"></a><a name="zh-cn_topic_0152100407_a40464afab7b54cb294baa10754800a63"></a>配置项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="50%" id="mcps1.2.3.1.2"><p id="zh-cn_topic_0152100407_ab327bc2f820a4a47999edd01015e5205"><a name="zh-cn_topic_0152100407_ab327bc2f820a4a47999edd01015e5205"></a><a name="zh-cn_topic_0152100407_ab327bc2f820a4a47999edd01015e5205"></a><strong id="zh-cn_topic_0152100407_ab7a5363dbe0c40bb84b26c2a6c72a56a"><a name="zh-cn_topic_0152100407_ab7a5363dbe0c40bb84b26c2a6c72a56a"></a><a name="zh-cn_topic_0152100407_ab7a5363dbe0c40bb84b26c2a6c72a56a"></a>说明</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="zh-cn_topic_0152100407_rb27893de849147aebae7d108210aa01a"><td class="cellrowborder" valign="top" width="50%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100407_a61109f515d4745efafbc6defc8096d44"><a name="zh-cn_topic_0152100407_a61109f515d4745efafbc6defc8096d44"></a><a name="zh-cn_topic_0152100407_a61109f515d4745efafbc6defc8096d44"></a>use_uid</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100407_a8a42e9fe9c9749bf9de0e3b38f27bb74"><a name="zh-cn_topic_0152100407_a8a42e9fe9c9749bf9de0e3b38f27bb74"></a><a name="zh-cn_topic_0152100407_a8a42e9fe9c9749bf9de0e3b38f27bb74"></a>基于当前帐户的uid。</p>
</td>
</tr>
</tbody>
</table>
## 设置口令复杂度
### 说明
用户可以通过修改对应配置文件设置口令的复杂度,建议用户根据实际情况设置口令复杂度。
### 实现
口令复杂度通过/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中的pam\_pwquality.so和pam\_pwhistory.so模块实现。用户可以通过修改这两个模块中的配置项修改口令复杂度。
### 设置举例
这里给出一个配置口令复杂度的例子,供用户参考。
**密码复杂度要求**
1. 口令长度至少8个字符。
2. 口令必须包含如下至少3种字符的组合:
-至少一个小写字母
-至少一个大写字母
-至少一个数字
-至少一个特殊字符:\`\~!@\#$%^&\*\(\)-\_=+\\|\[\{\}\];:'",<.\>/?和空格
3. 口令不能和帐号或者帐号的倒写一样。
4. 不能修改为过去5次使用过的旧口令。
**配置实现**
在/etc/pam.d/password-auth和/etc/pam.d/system-auth文件中password配置项的前两行添加如下配置内容:
```
password requisite pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password required pam_pwhistory.so use_authtok remember=5 enforce_for_root
```
**配置项说明**
pam\_pwquality.so和pam\_pwhistory.so的配置项请分别参见[表2](#table201221044172117)和[表3](#table1212544452120)。
**表 2** pam\_pwquality.so配置项说明
<a name="table201221044172117"></a>
<table><thead align="left"><tr id="row18122244142118"><th class="cellrowborder" valign="top" width="23.03%" id="mcps1.2.3.1.1"><p id="p1012384412211"><a name="p1012384412211"></a><a name="p1012384412211"></a><strong id="b8123144462118"><a name="b8123144462118"></a><a name="b8123144462118"></a>配置项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="76.97%" id="mcps1.2.3.1.2"><p id="p712317444217"><a name="p712317444217"></a><a name="p712317444217"></a><strong id="b31233449214"><a name="b31233449214"></a><a name="b31233449214"></a>说明</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="row1912374413212"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p81231744152113"><a name="p81231744152113"></a><a name="p81231744152113"></a>minlen=8</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p81235448219"><a name="p81235448219"></a><a name="p81235448219"></a>口令长度至少包含8个字符。</p>
</td>
</tr>
<tr id="row14123644132119"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p512334410219"><a name="p512334410219"></a><a name="p512334410219"></a>minclass=3</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p12123844102114"><a name="p12123844102114"></a><a name="p12123844102114"></a>口令至少包含大写字母、小写字母、数字和特殊字符中的任意3种。</p>
</td>
</tr>
<tr id="row412354416211"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p101231844102115"><a name="p101231844102115"></a><a name="p101231844102115"></a>ucredit=0</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p2123184472115"><a name="p2123184472115"></a><a name="p2123184472115"></a>口令包含任意个大写字母。</p>
</td>
</tr>
<tr id="row17123154410212"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p11124154418214"><a name="p11124154418214"></a><a name="p11124154418214"></a>lcredit=0</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p9124174412217"><a name="p9124174412217"></a><a name="p9124174412217"></a>口令包含任意个小写字母。</p>
</td>
</tr>
<tr id="row13124144419211"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p20124204411217"><a name="p20124204411217"></a><a name="p20124204411217"></a>dcredit=0</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p1412412445217"><a name="p1412412445217"></a><a name="p1412412445217"></a>口令包含任意个数字。</p>
</td>
</tr>
<tr id="row1612444402116"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p111245446214"><a name="p111245446214"></a><a name="p111245446214"></a>ocredit=0</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p1124344202119"><a name="p1124344202119"></a><a name="p1124344202119"></a>口令包含任意个特殊字符。</p>
</td>
</tr>
<tr id="row18124154411213"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p20124194462113"><a name="p20124194462113"></a><a name="p20124194462113"></a>retry=3</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p1112424414210"><a name="p1112424414210"></a><a name="p1112424414210"></a>每次修改最多可以尝试3次。</p>
</td>
</tr>
<tr id="row4124164416212"><td class="cellrowborder" valign="top" width="23.03%" headers="mcps1.2.3.1.1 "><p id="p12125124418218"><a name="p12125124418218"></a><a name="p12125124418218"></a>enforce_for_root</p>
</td>
<td class="cellrowborder" valign="top" width="76.97%" headers="mcps1.2.3.1.2 "><p id="p17125204411212"><a name="p17125204411212"></a><a name="p17125204411212"></a>本设置对root帐户同样有效。</p>
</td>
</tr>
</tbody>
</table>
**表 3** pam\_pwhistory.so配置项说明
<a name="table1212544452120"></a>
<table><thead align="left"><tr id="row412684402113"><th class="cellrowborder" valign="top" width="44.79%" id="mcps1.2.3.1.1"><p id="p141261944192114"><a name="p141261944192114"></a><a name="p141261944192114"></a><strong id="b1212654452115"><a name="b1212654452115"></a><a name="b1212654452115"></a>配置项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="55.21%" id="mcps1.2.3.1.2"><p id="p1212614417216"><a name="p1212614417216"></a><a name="p1212614417216"></a><strong id="b1412664419211"><a name="b1412664419211"></a><a name="b1412664419211"></a>说明</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="row112712446212"><td class="cellrowborder" valign="top" width="44.79%" headers="mcps1.2.3.1.1 "><p id="p13127104492113"><a name="p13127104492113"></a><a name="p13127104492113"></a>remember=5</p>
</td>
<td class="cellrowborder" valign="top" width="55.21%" headers="mcps1.2.3.1.2 "><p id="p15127174452115"><a name="p15127174452115"></a><a name="p15127174452115"></a>口令不能修改为过去5次使用过的旧口令</p>
</td>
</tr>
<tr id="row17127174442113"><td class="cellrowborder" valign="top" width="44.79%" headers="mcps1.2.3.1.1 "><p id="p1612744442116"><a name="p1612744442116"></a><a name="p1612744442116"></a>enforce_for_root</p>
</td>
<td class="cellrowborder" valign="top" width="55.21%" headers="mcps1.2.3.1.2 "><p id="p1712714418213"><a name="p1712714418213"></a><a name="p1712714418213"></a>本设置对root帐户同样有效</p>
</td>
</tr>
</tbody>
</table>
## 设置口令有效期
### 说明
出于系统安全性考虑,建议设置口令有效期限,且口令到期前通知用户更改口令。
### 实现
口令有效期的设置通过修改/etc/login.defs文件实现,加固项如[表4](#zh-cn_topic_0152100281_t77b5d0753721450c81911c18b74e82eb)所示。表中所有的加固项都在文件/etc/login.defs中。表中字段直接通过修改配置文件完成。
**表 4** login.defs配置项说明所示
<a name="zh-cn_topic_0152100281_t77b5d0753721450c81911c18b74e82eb"></a>
<table><thead align="left"><tr id="zh-cn_topic_0152100281_r3df3f3ed1b0a40718c7e8a0f4a4846fc"><th class="cellrowborder" valign="top" width="25.737426257374263%" id="mcps1.2.5.1.1"><p id="zh-cn_topic_0152100281_aeb399d5a434846a39fed2122dfa77569"><a name="zh-cn_topic_0152100281_aeb399d5a434846a39fed2122dfa77569"></a><a name="zh-cn_topic_0152100281_aeb399d5a434846a39fed2122dfa77569"></a><strong id="zh-cn_topic_0152100281_a17d14b51caa7410f8442443d0fb8de13"><a name="zh-cn_topic_0152100281_a17d14b51caa7410f8442443d0fb8de13"></a><a name="zh-cn_topic_0152100281_a17d14b51caa7410f8442443d0fb8de13"></a>加固项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="24.517548245175483%" id="mcps1.2.5.1.2"><p id="p91918303171"><a name="p91918303171"></a><a name="p91918303171"></a><strong id="b15975182215192"><a name="b15975182215192"></a><a name="b15975182215192"></a>加固项说明</strong></p>
</th>
<th class="cellrowborder" valign="top" width="15.718428157184283%" id="mcps1.2.5.1.3"><p id="p156742110189"><a name="p156742110189"></a><a name="p156742110189"></a><strong id="b129807225192"><a name="b129807225192"></a><a name="b129807225192"></a>建议加固</strong></p>
</th>
<th class="cellrowborder" valign="top" width="34.02659734026597%" id="mcps1.2.5.1.4"><p id="p155991527181913"><a name="p155991527181913"></a><a name="p155991527181913"></a><strong id="b1030303212191"><a name="b1030303212191"></a><a name="b1030303212191"></a>openEuler默认是否已加固为建议值</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="zh-cn_topic_0152100281_r29e23cf92cab42e1ac8754dff12baa4a"><td class="cellrowborder" valign="top" width="25.737426257374263%" headers="mcps1.2.5.1.1 "><p id="zh-cn_topic_0152100281_a921f936f15544de5b3f9e9ba1be84ffe"><a name="zh-cn_topic_0152100281_a921f936f15544de5b3f9e9ba1be84ffe"></a><a name="zh-cn_topic_0152100281_a921f936f15544de5b3f9e9ba1be84ffe"></a>PASS_MAX_DAYS</p>
</td>
<td class="cellrowborder" valign="top" width="24.517548245175483%" headers="mcps1.2.5.1.2 "><p id="p42393415188"><a name="p42393415188"></a><a name="p42393415188"></a>口令最大有效期</p>
</td>
<td class="cellrowborder" valign="top" width="15.718428157184283%" headers="mcps1.2.5.1.3 "><p id="zh-cn_topic_0152100281_a2aa27bf0389c4b838ed9b6eec93af8d4"><a name="zh-cn_topic_0152100281_a2aa27bf0389c4b838ed9b6eec93af8d4"></a><a name="zh-cn_topic_0152100281_a2aa27bf0389c4b838ed9b6eec93af8d4"></a>90</p>
</td>
<td class="cellrowborder" valign="top" width="34.02659734026597%" headers="mcps1.2.5.1.4 "><p id="p117617476191"><a name="p117617476191"></a><a name="p117617476191"></a>否</p>
</td>
</tr>
<tr id="zh-cn_topic_0152100281_r33bf5a02003341b38505f4dd8a4ec331"><td class="cellrowborder" valign="top" width="25.737426257374263%" headers="mcps1.2.5.1.1 "><p id="zh-cn_topic_0152100281_ae34622cd327944e1846fa0057c0fdd26"><a name="zh-cn_topic_0152100281_ae34622cd327944e1846fa0057c0fdd26"></a><a name="zh-cn_topic_0152100281_ae34622cd327944e1846fa0057c0fdd26"></a>PASS_MIN_DAYS</p>
</td>
<td class="cellrowborder" valign="top" width="24.517548245175483%" headers="mcps1.2.5.1.2 "><p id="p32396413180"><a name="p32396413180"></a><a name="p32396413180"></a>两次修改口令的最小间隔时间</p>
</td>
<td class="cellrowborder" valign="top" width="15.718428157184283%" headers="mcps1.2.5.1.3 "><p id="zh-cn_topic_0152100281_a75d083f04c1d465da9fe033bd1e3c6ab"><a name="zh-cn_topic_0152100281_a75d083f04c1d465da9fe033bd1e3c6ab"></a><a name="zh-cn_topic_0152100281_a75d083f04c1d465da9fe033bd1e3c6ab"></a>0</p>
</td>
<td class="cellrowborder" valign="top" width="34.02659734026597%" headers="mcps1.2.5.1.4 "><p id="p1675154714197"><a name="p1675154714197"></a><a name="p1675154714197"></a>是</p>
</td>
</tr>
<tr id="zh-cn_topic_0152100281_r2b4ddf77ed6345f2af1df4ca80e8da79"><td class="cellrowborder" valign="top" width="25.737426257374263%" headers="mcps1.2.5.1.1 "><p id="zh-cn_topic_0152100281_a95fb2c79aba04e37a87c4f34710db6c1"><a name="zh-cn_topic_0152100281_a95fb2c79aba04e37a87c4f34710db6c1"></a><a name="zh-cn_topic_0152100281_a95fb2c79aba04e37a87c4f34710db6c1"></a>PASS_WARN_AGE</p>
</td>
<td class="cellrowborder" valign="top" width="24.517548245175483%" headers="mcps1.2.5.1.2 "><p id="p1723920441810"><a name="p1723920441810"></a><a name="p1723920441810"></a>口令过期前开始提示天数</p>
</td>
<td class="cellrowborder" valign="top" width="15.718428157184283%" headers="mcps1.2.5.1.3 "><p id="zh-cn_topic_0152100281_a0ccc437555734423b86103bf36f3977b"><a name="zh-cn_topic_0152100281_a0ccc437555734423b86103bf36f3977b"></a><a name="zh-cn_topic_0152100281_a0ccc437555734423b86103bf36f3977b"></a>7</p>
</td>
<td class="cellrowborder" valign="top" width="34.02659734026597%" headers="mcps1.2.5.1.4 "><p id="p249184791910"><a name="p249184791910"></a><a name="p249184791910"></a>是</p>
</td>
</tr>
</tbody>
</table>
> **说明:**
>login.defs是设置用户帐号限制的文件,可配置口令的最大过期天数、最大长度约束等。该文件里的配置对root用户无效。如果/etc/shadow文件里有相同的选项,则以/etc/shadow配置为准,即/etc/shadow的配置优先级高于/etc/login.defs。口令过期后用户重新登录时,提示口令过期并强制要求修改,不修改则无法进入系统。
## 设置口令的加密算法
### 说明
出于系统安全考虑,口令不允许明文存储在系统中,应该加密保护。在不需要还原口令的场景,必须使用不可逆算法加密。设置口令的加密算法为sha512,openEuler默认已设置。通过上述设置可以有效防范口令泄露,保证口令安全。
### 实现
口令的加密算法设置通过修改/etc/pam.d/password-auth和/etc/pam.d/system-auth文件实现,添加如下配置:
```
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
```
**表 5** pam\_unix.so配置项说明
<a name="zh-cn_topic_0152100376_t0e4d45c67099425e935ada4953a4aaa1"></a>
<table><thead align="left"><tr id="zh-cn_topic_0152100376_r5f099f6e722f4e99a32455a5d47d934f"><th class="cellrowborder" valign="top" width="30.06%" id="mcps1.2.3.1.1"><p id="zh-cn_topic_0152100376_ad3eee42a35e3474d925afc02d065ea8d"><a name="zh-cn_topic_0152100376_ad3eee42a35e3474d925afc02d065ea8d"></a><a name="zh-cn_topic_0152100376_ad3eee42a35e3474d925afc02d065ea8d"></a><strong id="zh-cn_topic_0152100376_a1f3e7c436885404cbfccc328e0c7e637"><a name="zh-cn_topic_0152100376_a1f3e7c436885404cbfccc328e0c7e637"></a><a name="zh-cn_topic_0152100376_a1f3e7c436885404cbfccc328e0c7e637"></a>配置项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="69.94%" id="mcps1.2.3.1.2"><p id="zh-cn_topic_0152100376_a4a9755d6633d4ab78a9cfc4b7ae4e1f4"><a name="zh-cn_topic_0152100376_a4a9755d6633d4ab78a9cfc4b7ae4e1f4"></a><a name="zh-cn_topic_0152100376_a4a9755d6633d4ab78a9cfc4b7ae4e1f4"></a><strong id="zh-cn_topic_0152100376_a90b3ce150cd1484b97ffc5ec58639c7f"><a name="zh-cn_topic_0152100376_a90b3ce150cd1484b97ffc5ec58639c7f"></a><a name="zh-cn_topic_0152100376_a90b3ce150cd1484b97ffc5ec58639c7f"></a>说明</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="zh-cn_topic_0152100376_rb5b7197d70714a90903102bb24fd0ea7"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100376_aa12ab9b1e578408a8dce9667a858c9f1"><a name="zh-cn_topic_0152100376_aa12ab9b1e578408a8dce9667a858c9f1"></a><a name="zh-cn_topic_0152100376_aa12ab9b1e578408a8dce9667a858c9f1"></a>sha512</p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100376_a5788f53e3377437d96ea32a5906bc9b9"><a name="zh-cn_topic_0152100376_a5788f53e3377437d96ea32a5906bc9b9"></a><a name="zh-cn_topic_0152100376_a5788f53e3377437d96ea32a5906bc9b9"></a>使用sha512算法对口令加密。</p>
</td>
</tr>
</tbody>
</table>
## 登录失败超过三次后锁定
### 说明
为了保障用户系统的安全,建议用户设置口令出错次数的阈值(建议3次),以及由于口令尝试被锁定用户的自动解锁时间(建议300秒)。
用户锁定期间,任何输入被判定为无效,锁定时间不因用户的再次输入而重新计时;解锁后,用户的错误输入记录被清空。通过上述设置可以有效防范口令被暴力破解,增强系统的安全性。
> **说明:**
>openEuler默认口令出错次数的阈值为3次,系统被锁定后自动解锁时间为60秒。
### 实现
口令复杂度的设置通过修改/etc/pam.d/password-auth和/etc/pam.d/system-auth文件实现,设置口令最大的出错次数为3次,系统锁定后的解锁时间为300秒的配置如下:
```
auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
```
**表 6** pam\_faillock.so配置项说明
<a name="zh-cn_topic_0152100313_t7b1a3221642543eaa102d4e7a74c3d38"></a>
<table><thead align="left"><tr id="zh-cn_topic_0152100313_r5ddcdf2378624d3ebe741051c18afc98"><th class="cellrowborder" valign="top" width="30.06%" id="mcps1.2.3.1.1"><p id="zh-cn_topic_0152100313_afd85f3cac36449f4ad45185e9d41b3ed"><a name="zh-cn_topic_0152100313_afd85f3cac36449f4ad45185e9d41b3ed"></a><a name="zh-cn_topic_0152100313_afd85f3cac36449f4ad45185e9d41b3ed"></a><strong id="zh-cn_topic_0152100313_a76060080173d47fcbf53dab772f51360"><a name="zh-cn_topic_0152100313_a76060080173d47fcbf53dab772f51360"></a><a name="zh-cn_topic_0152100313_a76060080173d47fcbf53dab772f51360"></a>配置项</strong></p>
</th>
<th class="cellrowborder" valign="top" width="69.94%" id="mcps1.2.3.1.2"><p id="zh-cn_topic_0152100313_a1ec9687c5a6c4bd0bdfddae099040a39"><a name="zh-cn_topic_0152100313_a1ec9687c5a6c4bd0bdfddae099040a39"></a><a name="zh-cn_topic_0152100313_a1ec9687c5a6c4bd0bdfddae099040a39"></a><strong id="zh-cn_topic_0152100313_a667b4c19bd204850843fefc273046732"><a name="zh-cn_topic_0152100313_a667b4c19bd204850843fefc273046732"></a><a name="zh-cn_topic_0152100313_a667b4c19bd204850843fefc273046732"></a>说明</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="zh-cn_topic_0152100313_r55be22dedbd741629751c2d9d410d701"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100313_acd32b0827cf145d58071658671854d46"><a name="zh-cn_topic_0152100313_acd32b0827cf145d58071658671854d46"></a><a name="zh-cn_topic_0152100313_acd32b0827cf145d58071658671854d46"></a>authfail</p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100313_a8de3bf60f7164d5c8aa30cbdf5ce6ce9"><a name="zh-cn_topic_0152100313_a8de3bf60f7164d5c8aa30cbdf5ce6ce9"></a><a name="zh-cn_topic_0152100313_a8de3bf60f7164d5c8aa30cbdf5ce6ce9"></a>捕获用户登录失败的事件。</p>
</td>
</tr>
<tr id="zh-cn_topic_0152100313_rf575e68bddd54388b9a88e56b09126d7"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100313_aae18622a5c5446ca9a2a2a8ec0edd6ed"><a name="zh-cn_topic_0152100313_aae18622a5c5446ca9a2a2a8ec0edd6ed"></a><a name="zh-cn_topic_0152100313_aae18622a5c5446ca9a2a2a8ec0edd6ed"></a>deny=3</p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100313_a217dbebb77344c43aa921976ca1c74bc"><a name="zh-cn_topic_0152100313_a217dbebb77344c43aa921976ca1c74bc"></a><a name="zh-cn_topic_0152100313_a217dbebb77344c43aa921976ca1c74bc"></a>用户连续登录失败次数超过3次即被锁定。</p>
</td>
</tr>
<tr id="zh-cn_topic_0152100313_re82220969a0946b4a078d1cd9baf8ea7"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100313_adf5753021b26408d8530ec8546507d09"><a name="zh-cn_topic_0152100313_adf5753021b26408d8530ec8546507d09"></a><a name="zh-cn_topic_0152100313_adf5753021b26408d8530ec8546507d09"></a>unlock_time=300</p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100313_a247ada1f1cec40a1bcce330826f1b7d6"><a name="zh-cn_topic_0152100313_a247ada1f1cec40a1bcce330826f1b7d6"></a><a name="zh-cn_topic_0152100313_a247ada1f1cec40a1bcce330826f1b7d6"></a>普通用户自动解锁时间为300秒(即5分钟)。</p>
</td>
</tr>
<tr id="zh-cn_topic_0152100313_rd644bdea6d374265b1ba8407b48afc97"><td class="cellrowborder" valign="top" width="30.06%" headers="mcps1.2.3.1.1 "><p id="zh-cn_topic_0152100313_a534a8148efc14ec3a3c6c8525634d594"><a name="zh-cn_topic_0152100313_a534a8148efc14ec3a3c6c8525634d594"></a><a name="zh-cn_topic_0152100313_a534a8148efc14ec3a3c6c8525634d594"></a>even_deny_root</p>
</td>
<td class="cellrowborder" valign="top" width="69.94%" headers="mcps1.2.3.1.2 "><p id="zh-cn_topic_0152100313_a100ff1c5a82b45658e87637f2d144d92"><a name="zh-cn_topic_0152100313_a100ff1c5a82b45658e87637f2d144d92"></a><a name="zh-cn_topic_0152100313_a100ff1c5a82b45658e87637f2d144d92"></a>同样限制root帐户。</p>
</td>
</tr>
</tbody>
</table>
## 加固su命令
### 说明
为了增强系统安全性,防止使用“su”切换用户时将当前用户环境变量带入其他环境,openEuler默认已做配置。总是在使用su切换用户时初始化PATH。
### 实现
通过修改/etc/login.defs实现,配置如下:
```
ALWAYS_SET_PATH=yes
```
208
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
