Linux password policy settings and service settings
Linux Password Complexity Configuration Guide
The goal of the password complexity configuration is to ensure that every password contains at least one digit, one uppercase letter, one lowercase letter and one symbol, is at least 8 characters long, and that the last 8 passwords are remembered so they cannot be reused. In pam_cracklib terms this is dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 and minlen=8 (a negative credit value is a requirement for at least that many characters of the class; a positive value only grants length credit and enforces nothing), and the history comes from remember=8 on pam_pwcheck. Because SUSE 9, SUSE 10 and SUSE 11 implement password checking slightly differently, this document gives the configuration for each version separately.
1. SUSE 9
Change /etc/pam.d/passwd to the following:
#%PAM-1.0
auth required pam_unix2.so nullok
account required pam_unix2.so
password required pam_pwcheck.so
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 use_authtok
password required pam_pwcheck.so nullok remember=8 use_authtok
password required pam_unix2.so use_authtok nullok
session required pam_unix2.so
2. SUSE 10
Change /etc/pam.d/common-password to the following:
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix2 in combination
# with pam_pwcheck.
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# To enable Blowfish or MD5 passwords, you should edit
# /etc/default/passwd.
#
# Alternate strength checking for passwords should be configured
# in /etc/security/pam_pwcheck.conf.
#
# pam_make can be used to rebuild NIS maps after password change.
#
password required pam_pwcheck.so
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 use_authtok
password required pam_pwcheck.so nullok remember=8 use_authtok
password required pam_unix2.so use_authtok nullok
Note: after applying the password policy above, do not use the yast tool to change the number of remembered passwords; otherwise the next password change keeps prompting for a new password and the password can never be reset. This has been confirmed to be a SUSE 10 bug.
3. SUSE 11
(I) Create a new file /etc/pam.d/common-password-complexity with the following content:
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
(II) Change /etc/pam.d/common-password to:
password requisite pam_pwcheck.so use_authtok nullok cracklib remember=8
password required pam_unix2.so use_authtok nullok
(III) Change /etc/pam.d/passwd to:
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password-complexity
password include common-password
session include common-session
Note: after applying the password policy above, it is also best not to use the yast tool to change the number of remembered passwords, because that operation resets /etc/pam.d/common-password to:
password requisite pam_pwcheck.so nullok cracklib remember=8
password required pam_unix2.so use_authtok nullok
The system then treats common-password-complexity and common-password as two independent password checks (the reset pam_pwcheck line lacks use_authtok, so pam_pwcheck prompts for a password of its own instead of reusing the one pam_cracklib already checked). On a later password change, a new password that does not meet the complexity requirement makes the user enter a new password again and the change eventually fails with an error. This does not affect production: the user can simply retry the password change, and a password that meets the policy is accepted.
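Because YaST and other tools can silently rewrite these stacks, it is worth auditing them after every change. The following POSIX shell function is an added example and not part of the original document: it checks that a PAM password stack (one or more files, so the SUSE 11 split across common-password-complexity and common-password can be passed together) contains a pam_cracklib line with all four credits set to -1 and minlen of at least 8, and a pam_pwcheck line with remember of at least 8. The function names and the two sample stacks are constructed for this example; the "good" sample is the SUSE 10 stack from this page, the "weak" sample uses positive credit values, which grant length credit rather than requiring a character class.

```shell
#!/bin/sh
# Audit a PAM password stack for the policy described on this page.
# Usage: audit_pam_password_policy FILE [FILE...]
# Returns 0 when every requirement is present, 1 otherwise, printing what is missing.
audit_pam_password_policy() {
    rc=0
    # Only active "password" lines matter; comments never match the anchored regex.
    stack=$(cat "$@" | grep -E '^[[:space:]]*password[[:space:]]' || true)
    cracklib=$(printf '%s\n' "$stack" | grep 'pam_cracklib.so' || true)
    if [ -z "$cracklib" ]; then
        echo "MISSING: no pam_cracklib.so line in: $*"
        return 1
    fi
    # A negative credit is a requirement; anything else (absent or positive) enforces nothing.
    for opt in dcredit ucredit lcredit ocredit; do
        if ! printf '%s\n' "$cracklib" | grep -qE "(^|[[:space:]])$opt=-1([[:space:]]|$)"; then
            echo "MISSING: $opt=-1 on pam_cracklib line"
            rc=1
        fi
    done
    minlen=$(printf '%s\n' "$cracklib" | sed -n 's/.*[[:space:]]minlen=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$minlen" ] || [ "$minlen" -lt 8 ]; then
        echo "MISSING: minlen>=8 on pam_cracklib line (found: ${minlen:-none})"
        rc=1
    fi
    # History lives on pam_pwcheck; take the first remember= value found in the stack.
    remember=$(printf '%s\n' "$stack" | grep 'pam_pwcheck.so' \
        | sed -n 's/.*[[:space:]]remember=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$remember" ] || [ "$remember" -lt 8 ]; then
        echo "MISSING: remember>=8 on pam_pwcheck line (found: ${remember:-none})"
        rc=1
    fi
    return $rc
}

# Constructed sample (not a live system file): the SUSE 10 stack from this page.
sample_good_stack() {
    cat <<'EOF'
# /etc/pam.d/common-password
password required pam_pwcheck.so
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 use_authtok
password required pam_pwcheck.so nullok remember=8 use_authtok
password required pam_unix2.so use_authtok nullok
EOF
}

# Constructed sample of a common misconfiguration: positive credits and a short history.
sample_weak_stack() {
    cat <<'EOF'
password required pam_pwcheck.so
password required pam_cracklib.so dcredit=1 ucredit=1 ocredit=1 lcredit=1 minlen=6 use_authtok
password required pam_pwcheck.so nullok remember=5 use_authtok
password required pam_unix2.so use_authtok nullok
EOF
}

# Demo: audit both constructed samples from temporary files.
demo_audit() {
    tmp=$(mktemp)
    sample_good_stack > "$tmp"
    echo "== good stack =="; audit_pam_password_policy "$tmp" && echo "policy OK"
    sample_weak_stack > "$tmp"
    echo "== weak stack =="; audit_pam_password_policy "$tmp" || echo "policy NOT met"
    rm -f "$tmp"
}

demo_audit
```

On a real SUSE 11 host run it as `audit_pam_password_policy /etc/pam.d/common-password-complexity /etc/pam.d/common-password`; on SUSE 9 pass /etc/pam.d/passwd. The check deliberately ignores module ordering and the use_authtok option, so a YaST rewrite of the kind described above still has to be inspected by hand.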