CentOS 7: set user password rules

Set password rules for security reasons

1. Set the number of days after which a password expires. Users must change their password within this many days. This setting only affects newly created users, not existing ones. To apply it to an existing user, run the command "chage -M (days) (user)".

[root@shaonbean ~]# vi /etc/login.defs
# line 25: set 60 for Password Expiration
PASS_MAX_DAYS 60

2. Set the minimum number of days a password must be kept. After changing a password, users must keep it for at least this many days before changing it again. This setting only affects newly created users, not existing ones. To apply it to an existing user, run the command "chage -m (days) (user)".

[root@shaonbean ~]# vi /etc/login.defs
# line 26: set 2 for Minimum number of days available
PASS_MIN_DAYS 2

3. Set the number of days before expiration on which users are warned. This setting only affects newly created users, not existing ones. To apply it to an existing user, run the command "chage -W (days) (user)".

[root@shaonbean ~]# vi /etc/login.defs
# line 28: set 7 for number of days for warnings
PASS_WARN_AGE 7

4. Restrict reuse of past passwords. Users cannot set a password that matches any of the remembered previous generations.

[root@shaonbean ~]# vi /etc/pam.d/system-auth
# near line 15: prohibit reuse of any of the last 5 passwords
password     sufficient     pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

5. Set the minimum password length. The user cannot set the password length to be less than this parameter.

# set 8 for minimum password length
[root@shaonbean ~]# authconfig --passminlen=8 --update
# the parameter is set in a config below
[root@shaonbean ~]# grep "^minlen" /etc/security/pwquality.conf 
minlen = 8

6. Set the minimum number of character classes required for the new password. (Type ⇒ UpperCase / LowerCase / Digits / Others)

# set 2 for minimum number of required classes of characters
[root@shaonbean ~]# authconfig --passminclass=2 --update
# the parameter is set in a config below
[root@shaonbean ~]# grep "^minclass" /etc/security/pwquality.conf 
minclass = 2

7. Set the maximum number of consecutive identical characters allowed in the new password.

# set 2 for maximum number of allowed consecutive same characters
[root@shaonbean ~]# authconfig --passmaxrepeat=2 --update
# the parameter is set in a config below
[root@shaonbean ~]# grep "^maxrepeat" /etc/security/pwquality.conf 
maxrepeat = 2

8. Set the maximum number of consecutive characters of the same class (uppercase, lowercase, digit, other) allowed in the new password.

# set 4 for maximum number of allowed consecutive characters of the same class
[root@shaonbean ~]# authconfig --passmaxclassrepeat=4 --update
# the parameter is set in a config below
[root@shaonbean ~]# grep "^maxclassrepeat" /etc/security/pwquality.conf 
maxclassrepeat = 4

9. At least one lowercase character is required in the new password

[root@shaonbean ~]# authconfig --enablereqlower --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi and others)
[root@shaonbean ~]# grep "^lcredit" /etc/security/pwquality.conf 
lcredit = -1

10. At least one uppercase character is required in the new password

[root@shaonbean ~]# authconfig --enablerequpper --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi and others)
[root@shaonbean ~]# grep "^ucredit" /etc/security/pwquality.conf 
ucredit = -1

11. At least one digit is required in the new password

[root@shaonbean ~]# authconfig --enablereqdigit --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi and others)
[root@shaonbean ~]# grep "^dcredit" /etc/security/pwquality.conf 
dcredit = -1

12. At least one other character is required in the new password

[root@shaonbean ~]# authconfig --enablereqother --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi and others)
[root@shaonbean ~]# grep "^ocredit" /etc/security/pwquality.conf 
ocredit = -1

13. Set the maximum length of monotonic character sequences in new passwords. (ex ⇒ '12345', 'fedcb')

[root@shaonbean ~]# vi /etc/security/pwquality.conf
# add to the end
maxsequence = 3

14. Set the number of characters in the new password that cannot appear in the old password.

[root@shaonbean ~]# vi /etc/security/pwquality.conf
# add to the end
difok = 5

15. Check whether the new password contains words longer than 3 characters taken from the GECOS field of the user's passwd entry.

[root@shaonbean ~]# vi /etc/security/pwquality.conf
# add to the end
gecoscheck = 1

16. Set a space-separated list of words that cannot be included in new passwords.

[root@shaonbean ~]# vi /etc/security/pwquality.conf
# add to the end
badwords = denywords1 denywords2 denywords3

17. Set the hashing algorithm used for new passwords. (default is sha512)

# show current algorithm
[root@shaonbean ~]# authconfig --test | grep hashing 
password hashing algorithm is md5
# change algorithm to sha512
[root@shaonbean ~]# authconfig --passalgo=sha512 --update
[root@shaonbean ~]# authconfig --test | grep hashing 
password hashing algorithm is sha512
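An audit helper for the settings above, added here and not part of the original article. It assumes the file layouts shown in the steps ("KEY value" lines in /etc/login.defs, "key = value" lines in /etc/security/pwquality.conf), takes the expected values from steps 1-3 and 5-15, and runs against constructed sample files so it can be tried offline:

```shell
#!/bin/sh
# Added audit helper, not part of the original article: compares login.defs and
# pwquality.conf with the values set in steps 1-3 and 5-15 and prints every key
# that is missing or differs. The exit status is the number of deviations, so 0
# means the policy is fully applied. Paths default to the real files under /etc.

login_defs_value() {      # $1 = file, $2 = KEY   (line format: "KEY value")
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

pwquality_value() {       # $1 = file, $2 = key   (line format: "key = value")
    awk -F= -v k="$2" '/^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == k { v = $2 } END { print v }' "$1"
}

check_value() {           # $1 = file, $2 = key, $3 = have, $4 = want
    [ "$3" = "$4" ] && return 0
    echo "$1: $2 is '${3:-unset}', expected $4"
    return 1
}

audit_password_policy() { # $1 = login.defs path, $2 = pwquality.conf path
    defs=${1:-/etc/login.defs}
    pwq=${2:-/etc/security/pwquality.conf}
    bad=0
    for pair in PASS_MAX_DAYS=60 PASS_MIN_DAYS=2 PASS_WARN_AGE=7; do
        key=${pair%%=*}
        check_value "$defs" "$key" "$(login_defs_value "$defs" "$key")" "${pair#*=}" || bad=$((bad + 1))
    done
    for pair in minlen=8 minclass=2 maxrepeat=2 maxclassrepeat=4 lcredit=-1 \
                ucredit=-1 dcredit=-1 ocredit=-1 maxsequence=3 difok=5 gecoscheck=1; do
        key=${pair%%=*}
        check_value "$pwq" "$key" "$(pwquality_value "$pwq" "$key")" "${pair#*=}" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed sample files so the script runs offline: login.defs matches the
# article, pwquality.conf has a weaker minlen and no maxsequence line.
SAMPLE_DIR=$(mktemp -d)
printf 'PASS_MAX_DAYS\t60\nPASS_MIN_DAYS\t2\nPASS_WARN_AGE\t7\n' > "$SAMPLE_DIR/login.defs"
printf '# constructed pwquality.conf\nminlen = 6\nminclass = 2\nmaxrepeat = 2\n' > "$SAMPLE_DIR/pwquality.conf"
printf 'maxclassrepeat = 4\nlcredit = -1\nucredit = -1\ndcredit = -1\n' >> "$SAMPLE_DIR/pwquality.conf"
printf 'ocredit = -1\ndifok = 5\ngecoscheck = 1\n' >> "$SAMPLE_DIR/pwquality.conf"

audit_password_policy "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/pwquality.conf" || echo "deviations: $?"
```

Run it with no arguments on the host itself to check the live files; a later "key = value" line overrides an earlier one, matching the "add to the end" edits above.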
