1ee2fc7cbe
renamed: 10 Useful Chaining Operators in Linux with Practical Examples.md -> 201401/10 Useful Chaining Operators in Linux with Practical Examples.md renamed: 10 basic examples of linux netstat command.md -> 201401/10 basic examples of linux netstat command.md renamed: 12 Advanced Commands For Linux Server Admins!.md -> 201401/12 Advanced Commands For Linux Server Admins!.md renamed: 14 New Linux Distros That Were Introduced In 2013.md -> 201401/14 New Linux Distros That Were Introduced In 2013.md renamed: 15 Basic MySQL Interview Questions for Database Administrators.md -> 201401/15 Basic MySQL Interview Questions for Database Administrators.md renamed: "2013\357\274\232The Golden Year for Linux \342\200\223 10 Biggest Linux Achievements.md" -> "201401/2013\357\274\232The Golden Year for Linux \342\200\223 10 Biggest Linux Achievements.md" renamed: 2014--The year of the Linux car.md -> 201401/2014--The year of the Linux car.md renamed: 5 Things To Love And Hate About Ubuntu 13.10.md -> 201401/5 Things To Love And Hate About Ubuntu 13.10.md renamed: 8 Interesting Linux Tips And Tricks!.md -> 201401/8 Interesting Linux Tips And Tricks!.md renamed: CentOS 6.5 desktop installation guide with screenshots.md -> 201401/CentOS 6.5 desktop installation guide with screenshots.md renamed: "Command Line Basics \342\200\223 watch.md" -> "201401/Command Line Basics \342\200\223 watch.md" renamed: Configure Your Browser To Use Tor On Ubuntu or Debian or Linux Mint.md -> 201401/Configure Your Browser To Use Tor On Ubuntu or Debian or Linux Mint.md renamed: Daily Ubuntu Tips - Mount Partitions In Ubuntu From Your Desktop GUI.md -> 201401/Daily Ubuntu Tips - Mount Partitions In Ubuntu From Your Desktop GUI.md renamed: "Daily Ubuntu Tips \342\200\223 Do Nothing When Laptop Lid Is Closed.md" -> "201401/Daily Ubuntu Tips \342\200\223 Do Nothing When Laptop Lid Is Closed.md" renamed: "Daily Ubuntu Tips \342\200\224 Install VMware Workstation In Ubuntu.md" -> "201401/Daily Ubuntu Tips \342\200\224 Install VMware Workstation In Ubuntu.md" renamed: "Daily Ubuntu Tips \342\200\224 Windows Disk Management Equivalent In Ubuntu.md" -> "201401/Daily Ubuntu Tips \342\200\224 Windows Disk Management Equivalent In Ubuntu.md" renamed: "Gnu--toward the post-scarcity world \342\200\223 the Free Software Column.md" -> "201401/Gnu--toward the post-scarcity world \342\200\223 the Free Software Column.md" renamed: How to Dual Boot Ubuntu and Windows Properly.md -> 201401/How to Dual Boot Ubuntu and Windows Properly.md renamed: "How to Install and Configure UFW \342\200\223 An Un-complicated FireWall in Debian or Ubuntu.md" -> "201401/How to Install and Configure UFW \342\200\223 An Un-complicated FireWall in Debian or Ubuntu.md" renamed: How to Upgrade to GNOME 3.10 in Ubuntu 13.10.md -> 201401/How to Upgrade to GNOME 3.10 in Ubuntu 13.10.md renamed: How to install and configure Nagios on Linux.md -> 201401/How to install and configure Nagios on Linux.md renamed: How to set password policy on Linux.md -> 201401/How to set password policy on Linux.md renamed: How to stitch photos together on Linux.md -> 201401/How to stitch photos together on Linux.md renamed: How to upgrade MySQL server on Debian or Ubuntu.md -> 201401/How to upgrade MySQL server on Debian or Ubuntu.md renamed: Juju ice-cream icon design.md -> 201401/Juju ice-cream icon design.md renamed: Linus Torvalds Releases Last Linux Kernel 3.13 RC for 2013.md -> 201401/Linus Torvalds Releases Last Linux Kernel 3.13 RC for 2013.md renamed: Linus Torvalds Says All Contributor License Agreements Are Broken.md -> 201401/Linus Torvalds Says All Contributor License Agreements Are Broken.md renamed: Linux free Command - Display Free and used Memory in the System.md -> 201401/Linux free Command - Display Free and used Memory in the System.md renamed: Linux id Command - Print user ID and group ID information.md -> 201401/Linux id Command - Print user ID and group ID information.md renamed: Linux is Everywhere. We show you exactly where.md -> 201401/Linux is Everywhere. We show you exactly where.md renamed: Linux lsusb Command to Print information about USB on System.md -> 201401/Linux lsusb Command to Print information about USB on System.md renamed: Linux vmstat Command - Tool to Report Virtual Memory Statistics.md -> 201401/Linux vmstat Command - Tool to Report Virtual Memory Statistics.md renamed: "Linux who command \342\200\223 Displays who is on the system.md" -> "201401/Linux who command \342\200\223 Displays who is on the system.md" renamed: "Move Dropbox\342\200\231s Folder To An External Drive In Ubuntu.md" -> "201401/Move Dropbox\342\200\231s Folder To An External Drive In Ubuntu.md" renamed: New Ubuntu 14.04 Icons Are Drop-Dead Gorgeous, Might Not Arrive in Desktop Version.md -> 201401/New Ubuntu 14.04 Icons Are Drop-Dead Gorgeous, Might Not Arrive in Desktop Version.md renamed: Our Top 10 Linux Applications of 2013.md -> 201401/Our Top 10 Linux Applications of 2013.md renamed: Setup your personal Cloud server in minutes using ownCloud On RHEL, CentOS, Scientific Linux 6.5.md -> 201401/Setup your personal Cloud server in minutes using ownCloud On RHEL, CentOS, Scientific Linux 6.5.md renamed: Software May Be Eating The World, But Open Source Software Is Eating Itself.md -> 201401/Software May Be Eating The World, But Open Source Software Is Eating Itself.md renamed: The Debian Administrator's Handbook updated for Debian 7 Wheezy published and freely available for download.md -> 201401/The Debian Administrator's Handbook updated for Debian 7 Wheezy published and freely available for download.md renamed: The Fedora Project Will No Longer Name Its Linux Distributions.md -> 201401/The Fedora Project Will No Longer Name Its Linux Distributions.md renamed: The Genius Of Linux Is Community, Not Technology.md -> 201401/The Genius Of Linux Is Community, Not Technology.md renamed: Top 10 Linux Distros For Hackers!.md -> 201401/Top 10 Linux Distros For Hackers!.md renamed: Tunnel SSH Connections Over SSL Using 'Stunnel' On Debian 7 Ubuntu 13.10.md -> 201401/Tunnel SSH Connections Over SSL Using 'Stunnel' On Debian 7 Ubuntu 13.10.md renamed: Ubuntu Stores Your Wi-Fi Passwords By Default!.md -> 201401/Ubuntu Stores Your Wi-Fi Passwords By Default!.md renamed: Ubuntu Will Reach True Convergence Before Microsoft, Says Shuttleworth.md -> 201401/Ubuntu Will Reach True Convergence Before Microsoft, Says Shuttleworth.md renamed: Understanding Linux cd Command with Examples.md -> 201401/Understanding Linux cd Command with Examples.md renamed: look--Linux Command To Verify Spellings And Display Lines Beginning With A String.md -> 201401/look--Linux Command To Verify Spellings And Display Lines Beginning With A String.md
4.9 KiB
如何在 Linux 上设置密码策略
用户帐号管理是系统管理员最重要的工作之一。而密码安全是系统安全中最受关注的一块。在本教程中,我将为大家介绍如何在 Linux 上设置密码策略。
假设你已经在你的 Linux 系统上使用了 PAM (Pluggable Authentication Modules,插入式验证模块),因为这些年所有的 Linux 发行版都在使用它。
准备工作
安装 PAM 的 cracklib 模块,cracklib 能提供额外的密码检查能力。
Debian、Ubuntu 或 Linux Mint 系统上:
$ sudo apt-get install libpam-cracklib
CentOS、Fedora、RHEL 系统已经默认安装了 cracklib PAM 模块,所以在这些系统上无需执行上面的操作。
为了强制实施密码策略,我们需要修改 /etc/pam.d 目录下的 PAM 配置文件。一旦修改,策略会马上生效。
注意:此教程中的密码策略只对非 root 用户有效,对 root 用户无效。
禁止使用旧密码
找到同时有 “password” 和 “pam_unix.so” 字段并且附加有 “remember=5” 的那行,它表示禁止使用最近用过的5个密码(己使用过的密码会被保存在 /etc/security/opasswd 下面)。
Debian、Ubuntu 或 Linux Mint 系统上:
$ sudo vi /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
CentOS、Fedora、RHEL 系统上:
$ sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
设置最短密码长度
找到同时有 “password” 和 “pam_cracklib.so” 字段并且附加有 “minlen=10” 的那行,它表示最小密码长度为(10 - 类型数量)。这里的 “类型数量” 表示不同的字符类型数量。PAM 提供4种类型符号作为密码(大写字母、小写字母、数字和标点符号)。如果你的密码同时用上了这4种类型的符号,并且你的 minlen 设为10,那么最短的密码长度允许是6个字符。
Debian、Ubuntu 或 Linux Mint 系统上:
$ sudo vi /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3
CentOS、Fedora、RHEL 系统上:
$ sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10
设置密码复杂度
找到同时有 “password” 和 “pam_cracklib.so” 字段并且附加有 “ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1” 的那行,它表示密码必须至少包含一个大写字母(ucredit),两个小写字母(lcredit),一个数字(dcredit)和一个标点符号(ocredit)。
Debian、Ubuntu 或 Linux Mint 系统上:
$ sudo vi /etc/pam.d/common-password
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
CentOS、Fedora、RHEL 系统上:
$ sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
设置密码过期期限
编辑 /etc/login.defs 文件,可以设置当前密码的有效期限,具体变量如下所示:
$ sudo vi /etc/login.defs
PASS_MAX_DAYS 150 PASS_MIN_DAYS 0 PASS_WARN_AGE 7
这些设置要求用户每6个月改变他们的密码,并且会提前7天提醒用户密码快到期了。
如果你想为每个用户设置不同的密码期限,使用 chage 命令。下面的命令可以查看某个用户的密码限期:
$ sudo chage -l xmodulo
Last password change : Dec 30, 2013 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
默认情况下,用户的密码永不过期。
下面的命令用于修改 xmodulo 用户的密码期限:
$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo
上面的命令将密码期限设为2014年6月3日。另外,修改密码的最短周期为5天,最长周期为90天。密码过期前14天会发送消息提醒用户,过期后帐号会被锁住30天。
via: http://xmodulo.com/2013/12/set-password-policy-linux.html