Set the number of days until a password expires

For security reasons, set a password policy
that defines the number of days after which a password expires.
Users must change their password within that number of days.
These settings (in /etc/login.defs) apply only to newly created users; existing users are not affected.
For an existing user, run the command "chage -M (days) (user)".

PASS_MAX_DAYS 60 # maximum number of days a password may be used before it expires
PASS_MIN_DAYS 3 # minimum number of days between password changes
PASS_MIN_LEN 8 # minimum password length
PASS_WARN_AGE 7 # number of days of warning given before the password expires
Restrict password reuse
[root@linuxprobe ~]# vi /etc/pam.d/system-auth
# near line 15: prohibit reusing any of the last 5 passwords

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Set the minimum password length.
Users cannot set a password shorter than this parameter.
# Set 8 as the minimum password length

[root@linuxprobe~]# authconfig --passminlen=8 --update
# the parameter is set in a config below

[root@linuxprobe~]# grep "^minlen" /etc/security/pwquality.conf
minlen = 8

# Set the maximum number of consecutive characters of the same class allowed in the new password
# set 4 for maximum number of allowed consecutive characters of the same class

[root@linuxprobe~]# authconfig --passmaxclassrepeat=4 --update
# the parameter is set in a config below

[root@linuxprobe~]# grep "^maxclassrepeat" /etc/security/pwquality.conf
maxclassrepeat = 4

# The new password must contain at least one lowercase character.
[root@linuxprobe ~]# authconfig --enablereqlower --update
# the parameter is set in the config below
# (if you'd like to edit the value, edit it with vi or another editor)

[root@linuxprobe~]# grep "^lcredit" /etc/security/pwquality.conf
lcredit = -1

# The new password must contain at least one uppercase character
[root@linuxprobe ~]# authconfig --enablerequpper --update
# the parameter is set in the config below

# (if you'd like to edit the value, edit it with vi and others)
[root@linuxprobe~]# grep "^ucredit" /etc/security/pwquality.conf
ucredit = -1

# The new password must contain at least one digit
[root@linuxprobe ~]# authconfig --enablereqdigit --update
# the parameter is set in the config below

# (if you'd like to edit the value, edit it with vi and others)
[root@linuxprobe~]# grep "^dcredit" /etc/security/pwquality.conf
dcredit = -1

# The new password must contain at least one special character
[root@linuxprobe ~]# authconfig --enablereqother --update
# the parameter is set in the config below

# (if you'd like to edit the value, edit it with vi and others)
[root@linuxprobe~]# grep "^ocredit" /etc/security/pwquality.conf
ocredit = -1

# Set the maximum length of a monotonic character sequence in the new password. (e.g. '12345', 'fedcb')
[root@linuxprobe ~]# vi /etc/security/pwquality.conf
# add to the end
maxsequence = 3

# Set the number of characters in the new password that must not be present in the old password
[root@linuxprobe ~]# vi /etc/security/pwquality.conf
# add to the end
difok = 5

# Check whether words longer than three characters from the GECOS field of the user's passwd entry are contained in the new password.
[root@linuxprobe ~]# vi /etc/security/pwquality.conf
# add to the end
gecoscheck = 1

# Set a space-separated list of words that must not be contained in the password
[root@linuxprobe ~]# vi /etc/security/pwquality.conf
# add to the end
badwords = denywords1 denywords2 denywords3

# New password hash / crypt algorithm. (Defaults to SHA512)
# Show Current algorithm

[root@linuxprobe~]# authconfig --test | grep hashing

password hashing algorithm is md5
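# change the algorithm to sha512 (this applies to passwords set from now on; an existing hash stays in the old format until that user changes their password)

[root@linuxprobe ~]# authconfig --passalgo=sha512 --update
[root@linuxprobe ~]# authconfig --test | grep hashing
password hashing algorithm is sha512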
--------------- ------
author: shaonbean
source: CSDN
original: https://blog.csdn.net/wh211212/article/details/53992772
copyright: This is the blogger's original article; when reproducing it, please attach a link to the original post!


Origin www.cnblogs.com/xuanbjut/p/11031633.html