I. Password expiry policy
1. Policy requirement
Maximum password age is 90 days; a password may not be changed again within 7 days of the last change; users are warned 10 days before the password expires.
2. Commands
    cp /etc/login.defs /etc/login.defs.bak`date +%Y%m%d`
    sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS\t90/g" /etc/login.defs
    sed -i "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS\t7/g" /etc/login.defs
    sed -i "s/^PASS_WARN_AGE.*/PASS_WARN_AGE\t10/g" /etc/login.defs
    grep ^PASS_ /etc/login.defs
Note: /etc/login.defs only supplies the defaults used when an account is created (useradd). Accounts that already exist keep the aging values recorded in /etc/shadow and must be updated one by one with passwd or chage as shown below. The sed commands also only rewrite a line that already begins with PASS_...; if a key is commented out or missing, nothing changes, which is why the final grep is there to confirm the result.
Apply to an existing user: passwd -x 90 -n 7 -w 10 username, or chage -M 90 -m 7 -W 10 username
Check: passwd -S username, or chage -l username
For details see man passwd, man chage and man login.defs.
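Because /etc/login.defs only governs accounts created afterwards, in practice one wants to set the defaults and then find the existing accounts that still carry the old values. The script below is an added example, not part of the original article, that does both on constructed copies of login.defs and /etc/shadow: set_login_def rewrites or appends a PASS_* key (the article's sed would silently skip a commented-out or missing key), and audit_shadow_aging lists the accounts whose shadow aging fields differ from the 90/7/10 policy. The file contents and user names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the PASS_* defaults to
# a login.defs-style file idempotently and audit an /etc/shadow-style file for
# existing accounts whose aging fields still differ. Both functions take the
# file path as an argument so they can be exercised on constructed copies below;
# on a real host run them as root against /etc/login.defs and /etc/shadow.

# set_login_def FILE KEY VALUE: rewrite an existing KEY line (even a commented
# one) or append KEY if it is absent. The article's sed only rewrites lines that
# already begin with KEY, so a commented or missing key would stay unchanged.
set_login_def() {
    file=$1 key=$2 value=$3
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s/^#?[[:space:]]*${key}[[:space:]].*/${key}\t${value}/" "$file"
    else
        printf '%s\t%s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY: print the effective (uncommented) value of KEY.
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_shadow_aging SHADOWFILE MAX MIN WARN: print "user:max:min:warn" for
# each account whose aging fields deviate from the policy. Shadow fields are
# login:hash:lastchange:min:max:warn:inactive:expire; entries whose hash begins
# with '!' or '*' are locked or passwordless system accounts and are skipped.
audit_shadow_aging() {
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 ~ /^[!*]/ { next }
        $4 != min || $5 != max || $6 != warn { print $1 ":" $5 ":" $4 ":" $6 }
    ' "$1"
}

# --- demonstration on constructed files (not the real /etc files) ---
demo_login_defs() {
    tmp=$(mktemp)
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n#PASS_WARN_AGE\t7\nUID_MIN\t1000\n' > "$tmp"
    set_login_def "$tmp" PASS_MAX_DAYS 90
    set_login_def "$tmp" PASS_MIN_DAYS 7
    set_login_def "$tmp" PASS_WARN_AGE 10
    set_login_def "$tmp" PASS_WARN_AGE 10      # second run must not add a duplicate
    printf '%s %s %s %s\n' "$(get_login_def "$tmp" PASS_MAX_DAYS)" \
        "$(get_login_def "$tmp" PASS_MIN_DAYS)" \
        "$(get_login_def "$tmp" PASS_WARN_AGE)" \
        "$(grep -c '^PASS_WARN_AGE' "$tmp")"
    rm -f "$tmp"
}

demo_shadow_audit() {
    tmp=$(mktemp)
    # constructed shadow lines: root and bob already comply, bin is locked and
    # skipped, alice was created before the change and still has 99999/0/7
    cat > "$tmp" <<'EOF'
root:$6$fakesalt$fakehash:19000:7:90:10:::
bin:*:18000:0:99999:7:::
alice:$6$fakesalt$fakehash:19000:0:99999:7:::
bob:$6$fakesalt$fakehash:19000:7:90:10:::
EOF
    audit_shadow_aging "$tmp" 90 7 10
    rm -f "$tmp"
}

demo_login_defs     # prints: 90 7 10 1
demo_shadow_audit   # prints: alice:99999:0:7
```

On a real host, run the two functions as root against /etc/login.defs and /etc/shadow, and feed every account the audit reports to chage -M 90 -m 7 -W 10.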
II. Password complexity
1. Policy requirement
Minimum password length is 12 characters, with at least one lowercase letter, one uppercase letter, one digit and one special character; none of the previous 5 passwords may be reused.
2. Commands
Password complexity is configured by editing /etc/pam.d/password-auth and /etc/pam.d/system-auth, which start out with identical content. On RHEL/CentOS 7 both are symlinks to the corresponding -ac files that authconfig regenerates (the file header warns of this), so re-check the edited lines after any authconfig run.
    touch /etc/security/opasswd
    chown root:root /etc/security/opasswd
    chmod 600 /etc/security/opasswd
    cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak`date +%Y%m%d`
    sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/s/$/ remember=5/' /etc/pam.d/system-auth
    sed -i '/pam_pwquality.so/s/$/ dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=12/' /etc/pam.d/system-auth
    cat /etc/pam.d/system-auth
    cp /etc/pam.d/password-auth /etc/pam.d/password-auth.bak`date +%Y%m%d`
    sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/s/$/ remember=5/' /etc/pam.d/password-auth
    sed -i '/pam_pwquality.so/s/$/ dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=12/' /etc/pam.d/password-auth
    cat /etc/pam.d/password-auth
Note: the stock files separate fields with runs of spaces ("password    sufficient    pam_unix.so ..."), so a pattern written with single spaces, /password sufficient pam_unix.so/, matches nothing and sed -i exits successfully without adding remember=5; the whitespace-tolerant pattern above is used instead. Confirm with grep remember= /etc/pam.d/system-auth /etc/pam.d/password-auth. /etc/security/opasswd must exist with these permissions for remember= to keep the old hashes. minlen=12 with the four negative credits means the password is at least 12 characters and each character class appears at least once; the same values can alternatively be set in /etc/security/pwquality.conf. pam_pwquality only warns root when root sets a password unless enforce_for_root is added.
Before the change:
After the change:
For details see man pam_pwquality and man pam_unix.
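An added example, not the article's own commands, showing the same password-stack edit done so that it cannot silently miss: pam_add_opts matches the pam_unix and pam_pwquality lines with whitespace-tolerant patterns, returns an error if nothing matched, and skips options that are already present so the script can be re-run. The demo works on a constructed excerpt modelled on the stock CentOS 7 system-auth and first counts how many lines the single-space pattern /password sufficient pam_unix.so/ matches in it.

```shell
#!/bin/sh
# Added example, not the article's own commands: whitespace-tolerant, idempotent
# edits to the password stack of a PAM file, with a check that a pattern really
# matched. The stock CentOS/RHEL 7 system-auth separates fields with runs of
# spaces ("password    sufficient    pam_unix.so ..."), so an address such as
# /password sufficient pam_unix.so/ (single spaces) matches nothing and sed -i
# succeeds while changing nothing. Functions take the PAM file as an argument;
# the demo runs on a constructed copy, never on /etc/pam.d.

# pam_add_opts FILE TYPE CONTROL MODULE "opt1 opt2 ...": append each option to
# the line(s) matching TYPE/CONTROL/MODULE with any amount of whitespace
# between fields, skipping options already present (matched by key, so an
# existing remember=3 is left alone rather than joined by remember=5).
# Returns 1 if no line matched, so a no-op cannot go unnoticed.
pam_add_opts() {
    file=$1 type=$2 control=$3 module=$4 opts=$5
    pat="^${type}[[:space:]]+${control}[[:space:]]+${module}([[:space:]]|\$)"
    grep -Eq "$pat" "$file" || return 1
    for opt in $opts; do
        key=${opt%%=*}
        grep -E "$pat" "$file" | grep -Eq "[[:space:]]${key}(=|[[:space:]]|\$)" && continue
        sed -i -E "/${pat}/s/\$/ ${opt}/" "$file"
    done
}

# count_matches FILE REGEX: grep -c that does not fail the caller when the
# count is zero (grep exits 1 on no match, which matters under set -e).
count_matches() {
    grep -Ec "$2" "$1" || true
}

# --- demonstration on a constructed file ---
demo_complexity() {
    tmp=$(mktemp)
    # constructed excerpt modelled on the stock CentOS 7 password stack
    cat > "$tmp" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    naive=$(count_matches "$tmp" 'password sufficient pam_unix.so')   # the single-space pattern
    pam_add_opts "$tmp" password sufficient pam_unix.so "remember=5"
    pam_add_opts "$tmp" password requisite pam_pwquality.so \
        "minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1"
    pam_add_opts "$tmp" password sufficient pam_unix.so "remember=5"  # re-run: no duplicate
    # summary: naive matches, pam_unix lines with remember=5, pwquality lines
    # with all five options, total occurrences of remember=5
    printf '%s %s %s %s\n' "$naive" \
        "$(count_matches "$tmp" 'pam_unix\.so.* remember=5')" \
        "$(count_matches "$tmp" 'pam_pwquality\.so.* minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1')" \
        "$(grep -o 'remember=5' "$tmp" | wc -l | tr -d ' ')"
    grep -E 'pam_(unix|pwquality)' "$tmp"   # show the edited lines
    rm -f "$tmp"
}

demo_complexity   # first line: 0 1 1 1
```

The first number printed is how many lines the single-space pattern matched in the stock layout (zero); the remaining three show that each option was added exactly once even though pam_add_opts ran twice for pam_unix.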
III. Lockout after failed password attempts
1. Policy requirement
After 5 wrong passwords the account is locked and is unlocked automatically after 300 seconds.
2. Commands
The lockout policy is also implemented in /etc/pam.d/password-auth and /etc/pam.d/system-auth. pam_tally2 was removed from Linux-PAM 1.5.0 and is not shipped in RHEL/CentOS 8 or later, where pam_faillock takes its place; the commands below are for RHEL/CentOS 7-era systems.
    sed -i '4aauth required pam_tally2.so deny=5 onerr=fail unlock_time=300' /etc/pam.d/system-auth
    sed -i '4aauth required pam_tally2.so deny=5 onerr=fail unlock_time=300' /etc/pam.d/password-auth
    cat /etc/pam.d/system-auth /etc/pam.d/password-auth
Note: '4a' appends after line 4, which in the stock file is "auth required pam_env.so", so the new entry lands before "auth sufficient pam_unix.so". That ordering is the point: a sufficient module that succeeds returns from the stack immediately, so if pam_tally2 came after pam_unix it would never be consulted when the password is correct and a locked account could still log in. Because the command depends on the file's line numbering, check the order with grep -n auth /etc/pam.d/system-auth, and do not run the sed twice, or the entry is inserted twice. Root is not locked unless even_deny_root is added. The auth entry alone is enough for services such as login and sshd, which call pam_setcred and so reset the counter on a successful login; for services that do not, add a pam_tally2 entry in the account phase as well (see man pam_tally2).
Show the counters: pam_tally2, or pam_tally2 -u username
Reset the counter (unlock): pam_tally2 -r -u username
Before the change:
After the change:
For details see man pam_tally2.
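An added example, not the article's own commands, that places the pam_tally2 entries relative to pam_unix rather than at line 4, adds the account-phase entry, refuses to duplicate either on a second run, and checks the ordering afterwards. It runs on a constructed copy modelled on the stock CentOS 7 system-auth; on a real host check_tally2 can be pointed at /etc/pam.d/system-auth and /etc/pam.d/password-auth after the edit.

```shell
#!/bin/sh
# Added example, not the article's own commands: insert the pam_tally2 entries
# by position relative to pam_unix instead of at a hard-coded line number
# ('4a'), make the edit idempotent, and verify the ordering. The auth entry must
# precede "auth sufficient pam_unix.so": a sufficient module that succeeds
# returns from the stack at once, so a pam_tally2 line placed after it would
# never be consulted when the password is right and a locked user could still
# log in. The account entry resets the counter after a successful login for
# services that do not call pam_setcred. The demo edits a constructed copy
# modelled on the stock CentOS 7 system-auth, never /etc/pam.d itself.

TALLY_AUTH='auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=300'
TALLY_ACCT='account     required      pam_tally2.so'

# pam_insert_before FILE TYPE LINE: insert LINE immediately before the first
# "TYPE <control> pam_unix.so" entry of FILE (fields split on whitespace).
pam_insert_before() {
    awk -v type="$2" -v line="$3" '
        !done && $1 == type && $3 == "pam_unix.so" { print line; done = 1 }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_tally2 FILE: add the auth and account entries unless already present.
add_tally2() {
    grep -Eq '^auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_tally2\.so' "$1" ||
        pam_insert_before "$1" auth "$TALLY_AUTH"
    grep -Eq '^account[[:space:]]+[^[:space:]]+[[:space:]]+pam_tally2\.so' "$1" ||
        pam_insert_before "$1" account "$TALLY_ACCT"
}

# check_tally2 FILE: exit 0 only if the auth pam_tally2 entry comes before the
# auth pam_unix entry and an account pam_tally2 entry exists.
check_tally2() {
    awk '
        $1 == "auth"    && $3 == "pam_tally2.so" && !t { t = NR }
        $1 == "auth"    && $3 == "pam_unix.so"   && !u { u = NR }
        $1 == "account" && $3 == "pam_tally2.so"       { a = NR }
        END { exit !(t && u && t < u && a) }
    ' "$1"
}

# --- demonstration on a constructed file ---
demo_lockout() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_permit.so
EOF
    before=$(check_tally2 "$tmp" && echo ok || echo missing)
    add_tally2 "$tmp"
    add_tally2 "$tmp"            # second run must not duplicate the entries
    after=$(check_tally2 "$tmp" && echo ok || echo broken)
    echo "$before $after $(grep -c 'pam_tally2\.so' "$tmp" || true)"
    grep -nE 'pam_tally2|pam_unix' "$tmp"   # show the resulting order
    rm -f "$tmp"
}

demo_lockout   # first line: missing ok 2
```

The summary line reports the check before the edit, the check after it, and the number of pam_tally2 entries in the file (two, not four, despite the double run). After applying the same edit to a real system, test the lockout with a non-root account and watch the counter with pam_tally2 -u username before relying on it.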