Setting a password policy on a Linux system

The company recently needed a password policy set on several Linux servers, the main goal being to increase password complexity, so I am writing up the steps here.

The steps are below; anyone who needs to do the same can refer to them.

Before starting, you should grasp the following basics (not strictly required, but learning them does no harm):

PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. By providing a set of dynamic link libraries and a unified API, it separates authentication from the services the system provides, so that a system administrator can flexibly assign different authentication methods to different services without changing the service programs, and can easily add new authentication methods to the system. PAM was first integrated into Solaris and has since been ported to other systems, such as Linux, SunOS and HP-UX 9.0.

/etc/pam.conf is PAM's single-file configuration. RedHat supports an alternative configuration through the /etc/pam.d/ directory, and that directory takes priority over the single file.

1. Using the configuration file /etc/pam.conf

This file consists of lines in the following format:
service-name module-type control-flag module-path arguments
service-name is the name of the service, such as telnet, login or ftp; the service name "OTHER" stands for every service not explicitly configured in the file.
module-type is one of four module types: auth, account, session and password, corresponding to the four kinds of management PAM supports. The same service can call several PAM modules of a type, and these modules form a stack.
control-flag tells the PAM library how to handle the success or failure of the module. It has four possible values: required, requisite, sufficient and optional.
required means the module must return success for authentication to pass. If the module fails, the user is not told immediately; instead, all the modules in the same stack are run to completion and the failure is only then returned to the application. It can be thought of as a necessary condition.
requisite is similar to required in that the module must return success for authentication to pass, but as soon as the module returns failure, no further modules in the same stack are run and control returns directly to the application. It is also a necessary condition. Note: this is supported only on RedHat; Solaris does not support it.
sufficient means that success from this module is enough to pass the authentication request and no other modules in the same stack need to be run, but if this module returns failure the failure can be ignored. It can be thought of as a sufficient condition.
optional means the module is optional; its success generally plays no decisive role in authentication and its return value is generally ignored.
Starting with Linux-PAM 0.63, a new control-flag syntax is also supported; see the Linux-PAM documentation for details.
module-path gives the path of the program file that implements the module, usually as an absolute path. If no absolute path is given, the file is looked up in the default directory /usr/lib/security.
arguments are the parameters passed to the module. In general each module takes different parameters, which the module's developers define themselves, but several parameters are common to many modules:
debug: the module should write debugging information to the system log via syslog().
no_warn: the module should not send warning messages to the application.
use_first_pass: the module should not prompt the user for a password but should use the password obtained by the preceding module.
try_first_pass: the module should first try the password obtained by the preceding module; if that password fails authentication, the user is prompted to enter a new password.
use_mapped_pass: the module should not prompt the user for a password but should use the previously mapped password.
expose_account: allows the module to display information about the user's account name. It is generally used only in a secure environment, because leaking user names poses a certain degree of security risk.

2. Using the configuration directory /etc/pam.d/ (applies only to RedHat Linux)

The name of each file in the directory corresponds to a service name; for example, the ftp service corresponds to the file /etc/pam.d/ftp. If a service is named xxxx and the corresponding file /etc/pam.d/xxxx does not exist, the service uses the default configuration file /etc/pam.d/other. Each file consists of text lines in the following format:
module-type control-flag module-path arguments
Each field has the same meaning as in /etc/pam.conf.


Since the company uses RedHat Linux, I will use the pam.d directory configuration. Password complexity is handled by the file /etc/pam.d/system-auth, so first look at its defaults and make a backup of the file:


In this file we will use the pam_cracklib.so module. pam_cracklib.so is a common and very important PAM module whose main role is to check the robustness of user passwords, that is, to check and enforce limits on the length, complexity and history of passwords the user chooses. A password that does not meet the required strength is refused.

The more important, and harder to understand, aspects of pam_cracklib.so are some of its parameters and the way it counts them. The common parameters are:
debug: write debugging information to the log;
type=XXX: when a password is added or changed, the system's default prompts are "New UNIX password:" and "Retype new UNIX password:"; this parameter customizes the prompt by substituting your own word, e.g. type=XXX;
retry=N: the number of retries allowed when a login or password change fails;
difok=N: the number of characters the new password must have that differ from the old password. However, if more than half of the characters of the old and new passwords differ, the new password is accepted regardless;
minlen=N: the minimum password length;
dcredit=N: how many digits the user's password must contain;
ucredit=N: how many uppercase letters the user's password must contain;
lcredit=N: how many lowercase letters the user's password must contain;
ocredit=N: how many special characters (anything other than digits and letters) the user's password must contain;

The password policy I need is: the password must contain at least one lowercase letter, one digit and one special character, and must be at least 7 characters long. Add the following line to the system-auth file, then save and exit:


(Note) *credit=-1 means "at least one" of that character class.
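To make the credit arithmetic concrete, here is an added stand-alone simulation of how pam_cracklib scores a candidate password against minlen and the *credit parameters, plus the difok rule as the post states it. This is not the module's own code; the policy values are an assumption matching the post (minlen=7, lcredit/dcredit/ocredit=-1, ucredit left at the module default of 1), and the system-auth line in the comment is assumed, since the post shows it only as a screenshot.

```python
# Added example: simulation of pam_cracklib credit counting, not the module's code.
# Assumed system-auth line being modelled (the post shows it only in a screenshot):
#   password requisite pam_cracklib.so retry=3 minlen=7 lcredit=-1 dcredit=-1 ocredit=-1
from dataclasses import dataclass


@dataclass
class CracklibPolicy:
    minlen: int = 9      # pam_cracklib defaults: minlen=9, each credit=1, difok=5
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    difok: int = 5


# The policy from the post (assumption: ucredit not set, so it keeps the default 1).
POST_POLICY = CracklibPolicy(minlen=7, lcredit=-1, dcredit=-1, ocredit=-1)


def class_counts(pw: str) -> dict:
    """Count characters per class: digits, uppercase, lowercase, other."""
    d = sum(c.isdigit() for c in pw)
    u = sum(c.isupper() for c in pw)
    lo = sum(c.islower() for c in pw)
    return {"dcredit": d, "ucredit": u, "lcredit": lo, "ocredit": len(pw) - d - u - lo}


def check_strength(pw: str, policy: CracklibPolicy = POST_POLICY):
    """Return (ok, reason). A positive credit N adds up to N bonus points for that
    class to the effective length; a negative credit -N instead demands at least
    N characters of that class. The effective length must reach minlen."""
    effective = len(pw)
    for name, have in class_counts(pw).items():
        credit = getattr(policy, name)
        if credit >= 0:
            effective += min(have, credit)
        elif have < -credit:
            return False, f"needs at least {-credit} {name[0]}-class character(s)"
    if effective < policy.minlen:
        return False, f"effective length {effective} < minlen {policy.minlen}"
    return True, "ok"


def differs_enough(old: str, new: str, difok: int = POST_POLICY.difok) -> bool:
    """difok rule as stated in the post: at least difok characters of the old
    password must be absent from the new one, or more than half must differ."""
    different = sum(1 for c in old if c not in new)
    return different >= difok or 2 * different > len(old)
```

Note that with the module defaults a lowercase-only 8-character password passes minlen=9 because the lcredit bonus adds a point, which is why the post sets the credits negative to turn them into hard minimums.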

Next configure login.defs, which controls password expiry. Note that its PASS_MIN_LEN parameter no longer takes effect once the system-auth file above is configured. The relevant parameters are:


PASS_MAX_DAYS 99999 # maximum password age in days; 99999 means the password never expires
PASS_MIN_DAYS 0 # minimum number of days before the password may be changed again; 0 means it can be changed at any time, a non-zero value is the number of days to wait
PASS_MIN_LEN 5 # minimum password length; when the pam_cracklib module is in use this parameter no longer takes effect
PASS_WARN_AGE 7 # how many days before expiry the user is warned at login to change the password

Once the setup is complete, we can verify it by changing the password of a user that already exists on the system and checking whether password complexity is enforced. As shown below, a password that does not meet the complexity requirements produces an error message:


A password that meets the complexity requirements is set normally.


----------------
Disclaimer: This article is an original article by the CSDN blogger "What master" and follows the CC 4.0 BY-SA copyright agreement; when reproducing it, please attach the original source link and this statement.
Original link: https://blog.csdn.net/wxlbrxhb/article/details/39511993

Origin www.cnblogs.com/zhengchunyuan/p/11713644.html