Linux PAM: setting login password complexity

1. Setting the default attributes of newly created users. None of the settings in this section restrict root: the checks are not enforced when root sets a password, as step c shows.

a. View a user's password-aging attributes

[root@slc4-ra0002pxe159 ~]# chage -l user1

Last password change : Jan 23, 2015

Password expires : never

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 99999

Number of days of warning before password expires : 7

b. The password-aging policy for new users: /etc/login.defs. These values are copied into /etc/shadow when an account is created, so they do not retroactively change existing accounts; bring an existing user into line with chage (for example chage -M 90 user1). PASS_MIN_LEN is not enforced by the PAM-based passwd; the minimum length that actually applies is the pam_cracklib minlen option in section 2.

PASS_MAX_DAYS 90

PASS_MIN_DAYS 0

PASS_MIN_LEN 8

PASS_WARN_AGE 7

[root@slc4-ra0002pxe159 ~]# useradd -u 3033 -s /sbin/nologin user3

[root@slc4-ra0002pxe159 ~]# chage -l user3

Last password change : Apr 22, 2015

Password expires : Jul 21, 2015

Password inactive : never

Account expires : never

Minimum number of days between password change : 0

Maximum number of days between password change : 90

Number of days of warning before password expires : 7

c. Once the default rules are set, a password chosen by the user must satisfy them. Root is exempt: passwd run by root accepts the trivial password redhat for user1 without complaint, whereas user1 changing their own password goes through pam_cracklib and is rejected.

[root@slc4-ra0002pxe159 ~]# echo redhat|passwd --stdin user1

Changing password for user user1.

passwd: all authentication tokens updated successfully.

[root@slc4-ra0002pxe159 ~]#

[root@slc4-ra0002pxe159 ~]# su - user1

[user1@slc4-ra0002pxe159 ~]$ passwd

Changing password for user user1.

Changing password for user1.

(current) UNIX password:

New password:

BAD PASSWORD: it is too simplistic/systematic

d. Force a password change at the next login. chage -d 0 sets the last-change date to day 0, which pam_unix reports as an expired password. In the capture below the first su, run by root, drops straight into user1's shell because /etc/pam.d/su short-circuits the account checks when the caller is uid 0; the second su, run as user1, has to authenticate, and that is where the forced change kicks in.

[root@slc4-ra0002pxe159 ~]# chage -d 0 user1

[root@slc4-ra0002pxe159 ~]# su - user1

[user1@slc4-ra0002pxe159 ~]$ su - user1

Password:

You are required to change your password immediately (root enforced)

Changing password for user1.

(current) UNIX password:

New password:

Retype new password:
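Since /etc/login.defs only seeds new accounts, an account created before the policy (like user1 above) keeps its old 99999-day maximum until chage is run on it. The script below is an added example, not part of the original article: it audits shadow(5) entries against the aging values from step b. The entries it reads are constructed samples with placeholder hashes, and the function names and thresholds are our own.

```sh
#!/bin/sh
# Added example, not from the original article: audit shadow(5) aging fields
# against the login.defs policy of step b. login.defs only seeds NEW accounts,
# so accounts created earlier keep PASS_MAX_DAYS=99999; this finds them.
# Thresholds are assumptions mirroring the article's PASS_MAX_DAYS / PASS_WARN_AGE.

POLICY_MAX_DAYS=90
POLICY_WARN_AGE=7

# audit_shadow: reads shadow-format lines on stdin
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# prints one finding per problem and returns 1 if any account violates the
# policy. Locked accounts ("!" or "*" hash) cannot log in with a password and
# are skipped; an EMPTY hash means login without a password and is flagged.
audit_shadow() {
    rc=0
    while IFS=: read -r name hash lastchg min max warn inactive expire reserved; do
        if [ -z "$name" ]; then continue; fi
        case "$hash" in
            '!'*|'*'*) continue ;;
            '') printf '%s: empty password field (login without password)\n' "$name"; rc=1 ;;
        esac
        if [ -z "$max" ] || [ "$max" -gt "$POLICY_MAX_DAYS" ]; then
            printf '%s: max days %s exceeds policy %s\n' "$name" "${max:-unset}" "$POLICY_MAX_DAYS"
            rc=1
        fi
        if [ -z "$warn" ] || [ "$warn" -lt "$POLICY_WARN_AGE" ]; then
            printf '%s: warn age %s below policy %s\n' "$name" "${warn:-unset}" "$POLICY_WARN_AGE"
            rc=1
        fi
        # lastchg 0 is what "chage -d 0" writes: a change is forced at next login
        if [ "$lastchg" = 0 ]; then
            printf '%s: password change forced at next login\n' "$name"
        fi
    done
    return $rc
}

# Constructed sample entries (the hashes are placeholders, not real ones).
SAMPLE_SHADOW='root:$6$placeholder:16457:0:99999:7:::
user1:$6$placeholder:16457:0:99999:7:::
user3:!!:16547:0:90:7:::
svc:$6$placeholder:16547:0:90:3:::
forced:$6$placeholder:0:0:90:7:::
nopass::16547:0:90:7:::'

# audit_sample: run the audit over the constructed entries.
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
}

# On a real host (as root): audit_shadow < /etc/shadow
audit_sample
```

Run it as root against the real file with audit_shadow < /etc/shadow; every account it reports with max days 99999 needs chage -M 90, and anything with an empty hash needs a password or a lock (passwd -l) immediately.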

2. Setting user account policy through PAM

PAM modules (shared objects):

# ls /lib64/security

PAM per-service configuration directory:

# ls /etc/pam.d/

PAM documentation: /usr/share/doc/pam-1.1/

The main PAM configuration files:

password-auth: included by the services that handle remote logins (sshd, for example).

system-auth: included by the local login services (login, su, passwd, and so on).

A change made only in system-auth does not apply to SSH sessions, so every rule below should be applied to both files.

Setting password complexity with pam_cracklib.so in system-auth:

The password must contain at least one upper-case letter, one lower-case letter, one digit and one special character, and must be at least 8 characters long.

Change:

password requisite pam_cracklib.so retry=3

to:

password requisite pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8

A negative credit makes that character class mandatory (at least one character) and gives it no length credit, so minlen=8 is a real eight characters. With the module's default positive credits (1 per class, minlen 9) each class present lowers the required length by one, so a password shorter than eight characters can pass. retry=3 gives the user three attempts before passwd gives up. On RHEL 7 and later the module is pam_pwquality.so, which accepts the same options.
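To see what minlen and the credit options actually do, here is an added example (not code from the original article or from Linux-PAM) that models the length/credit arithmetic of the pam_cracklib check whose failure is reported as "it is too simplistic/systematic", the message seen in step 1 c. It models only that rule, not the dictionary, palindrome, similarity or repeat checks; the function names and sample passwords are our own.

```sh
#!/bin/sh
# Added example, not code from the original article or from Linux-PAM: a model
# of the minlen/credit arithmetic in pam_cracklib's length check (the one whose
# failure is reported as "it is too simplistic/systematic"). Only that rule is
# modelled; the dictionary, palindrome, similarity and repeat checks are not.
# Function names and sample passwords are our own.

# cracklib_length_ok PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
#   credit >= 0 : up to <credit> characters of that class each lower the
#                 required length by one (module default: credit 1, minlen 9)
#   credit <  0 : at least |credit| characters of that class are mandatory
#                 and they earn no length credit
# Returns 0 when PASSWORD satisfies the rule, 1 otherwise.
cracklib_length_ok() {
    pw=$1 minlen=$2 dcredit=$3 ucredit=$4 lcredit=$5 ocredit=$6
    len=$(( $(printf '%s' "$pw" | wc -c) ))
    digits=$(( $(printf '%s' "$pw" | tr -cd '0-9' | wc -c) ))
    uppers=$(( $(printf '%s' "$pw" | tr -cd 'A-Z' | wc -c) ))
    lowers=$(( $(printf '%s' "$pw" | tr -cd 'a-z' | wc -c) ))
    others=$(( len - digits - uppers - lowers ))
    need=$minlen
    for spec in "$dcredit:$digits" "$ucredit:$uppers" "$lcredit:$lowers" "$ocredit:$others"; do
        credit=${spec%%:*}
        count=${spec##*:}
        if [ "$credit" -ge 0 ]; then
            if [ "$count" -gt "$credit" ]; then count=$credit; fi
            need=$(( need - count ))
        elif [ "$count" -lt $(( -credit )) ]; then
            return 1      # a mandatory class is missing
        fi
    done
    [ "$need" -le "$len" ]
}

# The article's line: dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
policy_ok()  { cracklib_length_ok "$1" 8 -1 -1 -1 -1; }
# pam_cracklib's defaults: minlen=9 with a credit of 1 for every class
default_ok() { cracklib_length_ok "$1" 9 1 1 1 1; }

# demo: the same candidate passwords under both configurations
demo() {
    for cand in 'Ab1!x' 'redhat' 'linuxpam42' 'Linux-PAM.42'; do
        if default_ok "$cand"; then d=accept; else d=reject; fi
        if policy_ok "$cand"; then p=accept; else p=reject; fi
        printf '%-14s default:%s  policy:%s\n' "$cand" "$d" "$p"
    done
}
demo
```

The point the demo makes: under the module defaults the five-character Ab1!x passes the length rule because each of its four classes buys one character of credit, while the article's negative credits turn minlen=8 into a hard eight characters and also reject linuxpam42 for lacking an upper-case letter and a symbol.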

Use pam_unix.so to prevent password reuse. remember=5 keeps the last five password hashes of each user in /etc/security/opasswd and rejects a new password that matches any of them. Keep the options already present on the line (on RHEL 6: sha512 shadow nullok try_first_pass use_authtok) and append remember=5:

password sufficient pam_unix.so existing_options remember=5

Use pam_tally2.so to lock an account for 1 minute after 3 failed logins. Put the line in the auth stack ahead of pam_unix.so, so the failure counter is checked before the password is tried. Without unlock_time the lock stays until an administrator runs pam_tally2 --reset, and root is not locked unless even_deny_root is also given.

auth required pam_tally2.so deny=3 unlock_time=60
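Applying the three changes above by hand to two files is error-prone, so as an added example (not from the original article) the script below rewrites a PAM stack file idempotently: it inserts the pam_tally2 line ahead of the auth pam_unix.so line (plus the companion account line), rewrites the pam_cracklib.so or pam_pwquality.so line with the credits, and appends remember=5. It runs on a constructed copy of a typical RHEL 6 system-auth; the function names are our own and the layout it assumes is the RHEL 6 one (auth sufficient pam_unix.so, account required pam_unix.so).

```sh
#!/bin/sh
# Added example, not from the original article: apply the three changes above
# (pam_cracklib complexity, pam_unix remember=5, pam_tally2 lockout) to a PAM
# stack file such as /etc/pam.d/system-auth or password-auth. The edit is
# idempotent, so it is safe to re-run. The sample file is a constructed copy
# of a typical RHEL 6 system-auth; thresholds are the article's, names ours.

# harden_pam_file FILE
#  - inserts the pam_tally2 line just before "auth sufficient pam_unix.so", so
#    failures are counted and checked before the password is tried, plus the
#    companion "account required pam_tally2.so" line before account pam_unix.so
#  - rewrites the pam_cracklib.so (or pam_pwquality.so) line with the credits
#  - appends remember=5 to the password pam_unix.so line if it is not there yet
# The file is overwritten through cat so its mode and owner are preserved.
harden_pam_file() {
    local f tmp rc
    f=$1
    tmp=$(mktemp) || return 1
    awk -v DENY=3 -v UNLOCK=60 -v MINLEN=8 -v REMEMBER=5 '
        /^auth[ \t]/ && /pam_tally2\.so/ { have_auth = 1 }
        /^auth[ \t]+sufficient[ \t]+pam_unix\.so/ && !have_auth {
            print "auth        required      pam_tally2.so deny=" DENY " unlock_time=" UNLOCK
            have_auth = 1
        }
        /^account[ \t]/ && /pam_tally2\.so/ { have_acct = 1 }
        /^account[ \t]+required[ \t]+pam_unix\.so/ && !have_acct {
            print "account     required      pam_tally2.so"
            have_acct = 1
        }
        /^password[ \t]+requisite[ \t]+pam_(cracklib|pwquality)\.so/ {
            opts = " try_first_pass retry=3 minlen=" MINLEN " dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1"
            print "password    requisite     " $3 opts
            next
        }
        /^password[ \t]+sufficient[ \t]+pam_unix\.so/ && !/remember=/ {
            print $0 " remember=" REMEMBER
            next
        }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# write_sample_pam FILE: constructed copy of a typical RHEL 6 system-auth
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
EOF
}

# demo_harden: run on a temporary copy of the sample and show the result;
# touches nothing under /etc.
demo_harden() {
    local d rc
    d=$(mktemp -d) || return 1
    write_sample_pam "$d/system-auth"
    harden_pam_file "$d/system-auth" && cat "$d/system-auth"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo_harden

# On a real host, after a backup, apply to both stacks:
#   for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
#       cp -p "$f" "$f.bak" && harden_pam_file "$f"; done
```

On a real host run harden_pam_file on both /etc/pam.d/system-auth and /etc/pam.d/password-auth, and keep a second root shell open while you test: a mistake in the auth stack can lock everyone out. Remember that authconfig regenerates these files and discards manual edits.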

View the failure count:

[root@slc4-ra0002pxe159 ~]# pam_tally2

Login Failures Latest failure From

user1 4 04/22/15 15:11:37 server6-9024.phx01.dev.ebayc3.com

Unlock the account (reset the counter):

[root@slc4-ra0002pxe159 ~]# pam_tally2 -u user1 --reset

Login Failures Latest failure From

user1 0