
Password complexity and expiry settings

The explanations below were obtained by reading man pam_cracklib.

I. Password policies the pam_cracklib module can enforce:

1. Palindrome restriction

2. Minimum number of characters

3. Character class restriction

4. Repeated character restriction

5. Limit on the number of characters the new password may share with the old one

6. Similarity check between the new and old passwords

7. Remembering the last few passwords so the new one cannot repeat them

authtok_type=XXX

           The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty.

           Sets the text of the default prompt shown when a new password is requested.

difok=N

           This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.

           This parameter changes the default requirement that the new password differ from the old one in 5 characters.

maxrepeat=N

           Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.

           Reject passwords containing more than N identical consecutive characters. The default is 0, meaning the check is not performed.

maxsequence=N

           Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are 12345 or fedcb. Note that most such passwords will not pass the simplicity check unless the sequence is only a minor part of the password.

           Reject passwords containing a monotonic character sequence longer than N. Not checked by default; note that most such passwords would fail the simplicity check anyway unless the sequence is only a minor part of the password.

dictpath=/path/to/dict

           Path to the cracklib dictionaries.

II. Error message examples

If the password is the same as one used before, the error is:

Password has been already used. Choose another.

If the new password is identical to the old one, the prompt is:

Password unchanged

If the new password is too similar to the old one, the prompt is:

is too similar to the old one

If the configured complexity is not met, the prompt is:

BAD PASSWORD: it is too short

If, for example, the password contains several characters in sequence, the prompt is:

BAD PASSWORD: it is too simplistic/systematic

If the password exceeds the repeated-character limit:

BAD PASSWORD: contains too many same characters consecutively

III. Configuration example

Each entry occupies a single line in the PAM configuration file:

password    requisite     /lib64/security/pam_cracklib.so try_first_pass retry=3 difok=3 authtok_type=you_must_enter_at_least_3_charactors type= minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict

password    sufficient    /lib64/security/pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=3
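To see how the options from section I, the messages from section II and the configuration line above fit together, here is an added example (written for this page, not pam_cracklib's own code) that emulates the documented checks and returns the rejection strings the post lists. It is parameterised with the values from the configuration line (minlen=8, the four credits at -1, difok=3, remember=3). The Policy class and function names are mine, maxrepeat=3 and maxsequence=4 are chosen here only to exercise the optional checks, the half-length escape in the difok model and the palindrome message text are assumptions, and the sample passwords are constructed.

```python
"""Simplified emulation of the pam_cracklib checks described above.
Added example: this is not pam_cracklib's own code. It models the documented
behaviour of difok, maxrepeat, maxsequence, the palindrome check and the
minlen/credit arithmetic, plus the pam_unix remember= history, using the
configuration from the post. Rejection strings are the ones the post lists."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    minlen: int = 8
    ucredit: int = -1    # negative credit = at least that many characters of the class
    lcredit: int = -1
    dcredit: int = -1
    ocredit: int = -1
    difok: int = 5
    maxrepeat: int = 0   # 0 disables the check, as in pam_cracklib
    maxsequence: int = 0 # 0 disables the check
    remember: int = 0    # history depth (pam_unix remember=N)


def class_counts(pw: str):
    up = sum(c.isupper() for c in pw)
    low = sum(c.islower() for c in pw)
    dig = sum(c.isdigit() for c in pw)
    return up, low, dig, len(pw) - up - low - dig


def too_simple(pw: str, p: Policy) -> bool:
    """Credit arithmetic: a non-negative credit lowers the effective minlen by up
    to that many characters of the class; a negative credit is a hard minimum."""
    size = p.minlen
    credits = (p.ucredit, p.lcredit, p.dcredit, p.ocredit)
    for count, credit in zip(class_counts(pw), credits):
        if credit < 0:
            if count < -credit:
                return True
        else:
            size -= min(count, credit)
    return len(pw) < size


def longest_repeat(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        best = max(best, run)
    return best


def longest_sequence(pw: str) -> int:
    """Length of the longest monotonic run such as 12345 or fedcb (step +1 or -1)."""
    if not pw:
        return 0
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def too_similar(old: str, new: str, difok: int) -> bool:
    """difok model (assumption): count characters of the old password that also
    occur in the new one; the new password passes when at least difok old
    characters are gone, or when it is at least twice as long as the shared part."""
    shared = sum(1 for c in old if c in new)
    return not ((len(old) - shared) >= difok or len(new) >= 2 * shared)


def check_password(new: str, old: str, history: List[str], p: Policy) -> Optional[str]:
    """Return None when the new password is acceptable, else the rejection message."""
    if new == old:
        return "Password unchanged"
    if new in history[:p.remember]:              # most recent first; remember=0 keeps none
        return "Password has been already used. Choose another."
    if len(new) > 1 and new == new[::-1]:
        return "BAD PASSWORD: is a palindrome"    # message text assumed, not listed in the post
    if too_similar(old, new, p.difok):
        return "BAD PASSWORD: is too similar to the old one"
    if too_simple(new, p):
        return "BAD PASSWORD: it is too short"
    if p.maxrepeat and longest_repeat(new) > p.maxrepeat:
        return "BAD PASSWORD: contains too many same characters consecutively"
    if p.maxsequence and longest_sequence(new) > p.maxsequence:
        return "BAD PASSWORD: it is too simplistic/systematic"
    return None


# Policy matching the post's configuration line, with the optional checks enabled.
POST_POLICY = Policy(minlen=8, ucredit=-1, lcredit=-1, dcredit=-1, ocredit=-1,
                     difok=3, maxrepeat=3, maxsequence=4, remember=3)

if __name__ == "__main__":
    OLD = "Zq9&wxyt"                        # constructed previous password
    for candidate in ("Zq9&wxyt", "Ab1!1bA", "abcdef1!", "Gooood#1x", "Qz#12345x", "Tr0ub4dor&3"):
        print(f"{candidate!r:16} -> {check_password(candidate, OLD, [OLD], POST_POLICY)}")
```

The order of the checks matters for which message a user sees: identity and history are tested before similarity, and similarity before the length/credit arithmetic, which is why a too-short password that also resembles the old one is reported as "too similar" rather than "too short".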

控制辨別符解釋:

optional The module is required for authentication if it is the only module listed

for a service.

required The module must succeed for access to be granted. PAM continues

to execute the remaining modules in the stack whether the module

succeeds or fails. PAM does not immediately inform the user of the

failure.

requisite The module must succeed for access to be granted. If the module

succeeds, PAM continues to execute the remaining modules in the

stack. However, if the module fails, PAM notifies the user immediately

and does not continue to execute the remaining modules in the stack.

sufficient If the module succeeds, PAM does not process any remaining modules

of the same operation type. If the module fails, PAM processes the

remaining modules of the same operation type to determine overall

success or failure.
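The difference between requisite and required is easiest to see by running a small model of the stack. The following is an added example, not code from PAM itself: it applies the documented meaning of the four control flags to the password stack from section III and reports both the decision and which modules were executed. The run_stack function, the Stack type alias and the pass/fail results for each module are constructed for the demonstration.

```python
"""Simulation of the PAM control flags explained above, applied to the
'password' stack from the post. Added example, not PAM's own code: it models
the documented meaning of required, requisite, sufficient and optional for a
single operation type and returns the overall decision together with the list
of modules that actually ran. Module results are constructed inputs."""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]   # (control flag, module name) in file order


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (access granted, modules executed) for one pass over the stack."""
    executed: List[str] = []
    required_failed = False
    saw_required = False
    for control, module in stack:
        ok = results[module]
        executed.append(module)
        if control == "required":
            saw_required = True
            if not ok:
                required_failed = True      # remembered; the stack keeps running
        elif control == "requisite":
            saw_required = True
            if not ok:
                return False, executed      # immediate failure, nothing else runs
        elif control == "sufficient":
            if ok and not required_failed:
                return True, executed       # short-circuit success
            # a failing sufficient module does not by itself deny access
        elif control == "optional":
            if len(stack) == 1:
                return ok, executed         # decisive only when it is the sole module
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return False, executed
    return saw_required, executed           # all required passed, or nothing decided


# Stack from the post: pam_cracklib gates the change, pam_unix then stores it.
POST_STACK: Stack = [("requisite", "pam_cracklib.so"), ("sufficient", "pam_unix.so")]
# Same stack with required instead of requisite, for comparison.
REQUIRED_STACK: Stack = [("required", "pam_cracklib.so"), ("sufficient", "pam_unix.so")]

if __name__ == "__main__":
    for name, stack in (("requisite", POST_STACK), ("required", REQUIRED_STACK)):
        for cracklib_ok in (True, False):
            results = {"pam_cracklib.so": cracklib_ok, "pam_unix.so": True}
            granted, ran = run_stack(stack, results)
            print(f"{name:9} cracklib={cracklib_ok!s:5} -> granted={granted!s:5} ran={ran}")
```

With requisite, a rejected password stops the stack at pam_cracklib and the user is told at once; with required, pam_unix still runs (and may prompt) before the change is finally refused, which is why the post's configuration uses requisite for the complexity check.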

IV. Password expiry

The /etc/login.defs file sets the validity period of passwords; to give individual users a different period, use the chage command.
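As an added example (not part of the post), the following audit reads PASS_MAX_DAYS and PASS_WARN_AGE from text in /etc/login.defs format and the ageing fields from lines in /etc/shadow format, then classifies each account's password age and lists accounts whose per-user limit is weaker than the policy. The login.defs excerpt, the shadow lines, the audit date and the function names are constructed for the example; the field layout of shadow (field 3 = day of last change counted from 1970-01-01, field 5 = maximum age in days) is the real one.

```python
"""Password-age audit for the expiry settings discussed above. Added example,
not part of the post: parses login.defs-style defaults and shadow-style
ageing fields and reports which accounts are past, near, or without a limit.
All inputs below are constructed."""

from datetime import date
from typing import Dict, List, Tuple

LOGIN_DEFS = """\
# constructed excerpt in /etc/login.defs format
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""

# constructed lines: user:hash:lastchange:min:max:warn:inactive:expire:
SHADOW = """\
alice:$6$salt$hash:19700:1:90:7:::
bob:$6$salt$hash:19500:1:90:7:::
carol:$6$salt$hash:19600:1::7:::
dave:$6$salt$hash:19640:1:90:7:::
svc:!:19000:0:99999:7:::
"""

AUDIT_DATE = date(2024, 1, 1)   # constructed "today" so the output is reproducible


def parse_login_defs(text: str) -> Dict[str, str]:
    """Key/value pairs, ignoring comments and blank lines."""
    defs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            defs[parts[0]] = parts[1]
    return defs


def audit_shadow(shadow: str, defs: Dict[str, str], today: date) -> List[Tuple[str, int, str, str]]:
    """Return (user, age_in_days, max_days_or_'none', status) per usable account.
    status: expired (older than max), expiring (within PASS_WARN_AGE), ok, unlimited."""
    today_days = (today - date(1970, 1, 1)).days
    warn = int(defs.get("PASS_WARN_AGE", "7"))
    report = []
    for line in shadow.splitlines():
        f = line.split(":")
        user, pwhash, last, max_days = f[0], f[1], f[2], f[4]
        if pwhash.startswith(("!", "*")) or not last:
            continue                         # locked account or password never set
        age = today_days - int(last)
        if not max_days:
            report.append((user, age, "none", "unlimited"))   # empty field: no limit enforced
            continue
        limit = int(max_days)
        if age > limit:
            status = "expired"
        elif limit - age <= warn:
            status = "expiring"
        else:
            status = "ok"
        report.append((user, age, max_days, status))
    return report


def weaker_than_policy(shadow: str, defs: Dict[str, str]) -> List[str]:
    """Accounts whose per-user max age is missing or larger than PASS_MAX_DAYS.
    login.defs only seeds new accounts; existing ones need chage -M to match."""
    policy_max = int(defs.get("PASS_MAX_DAYS", "99999"))
    weak = []
    for line in shadow.splitlines():
        f = line.split(":")
        if f[1].startswith(("!", "*")):
            continue
        if not f[4] or int(f[4]) > policy_max:
            weak.append(f[0])
    return weak


def run_audit():
    """Parse the constructed inputs and return (report rows, accounts weaker than policy)."""
    defs = parse_login_defs(LOGIN_DEFS)
    return audit_shadow(SHADOW, defs, AUDIT_DATE), weaker_than_policy(SHADOW, defs)


if __name__ == "__main__":
    rows, weak = run_audit()
    for row in rows:
        print("%-6s age=%3d max=%-5s %s" % row)
    print("weaker than PASS_MAX_DAYS:", weak)
```

On a real system the same per-user values are what chage -l shows, and chage -M 90 -W 7 on an account sets its max and warn fields to the policy values; the audit above is the check you would run first to find accounts created before the policy was put in login.defs.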

V. A typical password policy

Passwords must meet the following complexity requirements:

- Enforce password history: 5 passwords remembered

- Maximum password age: 90 days

- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

- Be at least 7 characters in length

- Contain characters from three of the following four categories:

1. English uppercase characters (A through Z)

2. English lowercase characters (a through z)

3. Base 10 digits (0 through 9)

4. Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
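The rules above can be checked at password-change time by a small validator; the following is an added example written for this page, not part of the post. It enforces the 7-character minimum, three of the four categories, the account-name and full-name rule, and the 5-password history. Treating the account name as a whole, splitting the full name into tokens and ignoring tokens shorter than three characters, and matching case-insensitively are assumptions about how the rule is applied; the function names, account and passwords are constructed.

```python
"""Checker for the general policy listed above. Added example, not part of
the post: minimum 7 characters, three of four character categories, no
account name and no full-name part of three or more characters in the
password, and a history of the last 5 passwords. Inputs are constructed."""

from typing import List


def category_count(pw: str) -> int:
    """Number of the four categories (upper, lower, digit, non-alphanumeric) present."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_other = any(not c.isalnum() for c in pw)
    return sum((has_upper, has_lower, has_digit, has_other))


def forbidden_name_parts(account: str, full_name: str) -> List[str]:
    """The account name as a whole plus every full-name token of >= 3 characters
    (tokenisation and the length cut-off are assumptions)."""
    tokens = [t for t in full_name.replace(",", " ").replace("-", " ").split() if len(t) >= 3]
    return [account.lower()] + [t.lower() for t in tokens]


def contains_name(pw: str, account: str, full_name: str) -> bool:
    low = pw.lower()
    return any(part in low for part in forbidden_name_parts(account, full_name))


def policy_violations(pw: str, account: str, full_name: str, history: List[str]) -> List[str]:
    """All rules the candidate breaks (empty list = compliant)."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if category_count(pw) < 3:
        problems.append("fewer than three of the four character categories")
    if contains_name(pw, account, full_name):
        problems.append("contains the account name or part of the full name")
    if pw in history[-5:]:                   # history is oldest-first; last 5 remembered
        problems.append("matches one of the last 5 passwords")
    return problems


if __name__ == "__main__":
    HISTORY = ["Zx9#qwer", "Mv4$plok"]       # constructed previous passwords
    for candidate in ("jsmith2024", "Johnny#7x", "Ab1!", "Zx9#qwer", "Sm1thy!x"):
        result = policy_violations(candidate, "jsmith", "John Smith", HISTORY) or "OK"
        print(f"{candidate!r:13} -> {result}")
```

Returning every violated rule rather than the first one lets the change dialog tell the user everything to fix in one go, which reduces the retries a retry=N setting has to absorb.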

This article is reproduced from chenzudao's 51CTO blog; original link: http://blog.51cto.com/victor2016/1940209 . Contact the original author before republishing.
