In Linux system administration you sometimes need to set password complexity (length), password expiry policy and the like. This is mostly controlled by parameters in the /etc/login.defs file, which is used for limits on user accounts. Its main parameters are the following:
/etc/login.defs:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 60 # maximum password lifetime; 60 here means the password expires after 60 days. 99999 means it never expires.
PASS_MIN_DAYS 0 # minimum interval between two password changes; 0 means the password can be changed at any time
PASS_MIN_LEN 8 # minimum password length; not enforced for root
PASS_WARN_AGE 7 # how many days before expiry the warning starts
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500 # lowest user ID assigned automatically
UID_MAX 60000 # highest user ID assigned automatically
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500 # lowest group ID assigned automatically
GID_MAX 60000 # highest group ID assigned automatically
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
USERDEL_CMD # commented out by default; if defined, this command is run when a user is deleted and should remove the at/cron/print jobs etc. owned by the user being removed (passed as the first argument).
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes # whether to create the user's home directory
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077 # initial value of the permission mask (umask)
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes # when enabled, userdel also removes the user's group if it has no remaining members
# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes
ENCRYPT_METHOD MD5 # method used to hash user passwords; MD5 here
Changes to the parameters in /etc/login.defs take effect immediately, but they only apply to users created after the change. For example, after changing PASS_MAX_DAYS and the other parameters, we create a new user test:
[root@DB-Server home]# useradd test
[root@DB-Server home]# cat /etc/shadow | grep test
test:!!:16971:0:60:7:::
[root@DB-Server home]# cat /etc/passwd | grep test
test:x:501:501::/home/test:/bin/bash
[root@DB-Server home]# chage -l test
Last password change : Jun 19, 2016
Password expires : Aug 18, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
[root@DB-Server home]#
Because CREATE_HOME is yes, creating user test also creates the directory test under /home by default. The rules applied when adding a user can be viewed or changed in /etc/default/useradd:
[root@DB-Server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home # users' home directories are created under /home
INACTIVE=-1 # whether the account is disabled after the password expires; -1 means not enabled
EXPIRE= # account expiry date; leaving it unset means not enabled
SHELL=/bin/bash # type of login shell
SKEL=/etc/skel # where the default files for a new user's home directory are kept; when a user is added with adduser, the files in the home directory are copied from this directory
CREATE_MAIL_SPOOL=yes
If user test now has a special requirement that this account's password never expire, the chage command can handle it (the chage command itself is not covered in detail here):
[root@DB-Server ~]# chage -l test
Last password change : Jun 19, 2016
Password expires : Aug 18, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 60
Number of days of warning before password expires : 7
You have new mail in /var/spool/mail/root
[root@DB-Server ~]# chage -M 99999 test
[root@DB-Server ~]# chage -l test
Last password change : Jun 19, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
[root@DB-Server ~]#
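Added example, not from the original post: a POSIX shell script that decodes the /etc/shadow line shown above into the values chage -l reports, so password-aging settings can be checked from a copy of /etc/shadow without running chage per user. The sample line is the one printed above for user test; dates are printed as YYYY-MM-DD rather than in chage's "Jun 19, 2016" form.

```shell
#!/bin/sh
# Added example (not from the original post): decode a /etc/shadow entry
# into the values `chage -l` reports. The sample line is the one the post
# prints for user "test"; dates come out as YYYY-MM-DD.
SAMPLE_SHADOW='test:!!:16971:0:60:7:::'

# Days since 1970-01-01 -> YYYY-MM-DD using shell arithmetic only, so the
# check works without GNU `date -d` (civil-from-days algorithm).
days_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$(( mp + 3 )); else m=$(( mp - 9 )); fi
    y=$(( yoe + era * 400 ))
    [ "$m" -le 2 ] && y=$(( y + 1 ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

field() { printf '%s' "$1" | cut -d: -f"$2"; }   # field N of a shadow line

# Field 5 (PASS_MAX_DAYS at creation time) decides expiry: an empty field or
# 99999 means the password never expires, which is what `chage -M 99999` sets.
password_expiry() {
    lastchg=$(field "$1" 3); max=$(field "$1" 5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never; else days_to_date $(( lastchg + max )); fi
}

shadow_report() {
    hash=$(field "$1" 2)
    echo "User: $(field "$1" 1)"
    case "$hash" in
        '!!')       echo "Password: not set yet (account locked until passwd sets one)" ;;
        '!'*|'*')   echo "Password: locked" ;;
        *)          echo "Password: set" ;;
    esac
    echo "Last password change: $(days_to_date "$(field "$1" 3)")"
    echo "Password expires: $(password_expiry "$1")"
    echo "Maximum number of days between password change: $(field "$1" 5)"
}

shadow_report "$SAMPLE_SHADOW"
echo ---
shadow_report 'test:!!:16971:0:99999:7:::'   # the entry after `chage -M 99999 test`
```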
As shown above, /etc/login.defs only controls things like the minimum password length and the password's validity period. So how does Linux check the complexity of a user's password? Password control on the system actually has two parts:
1 cracklib
2 /etc/login.defs
pam_cracklib.so, at /lib/security/pam_cracklib.so, is the key file that controls password complexity; Red Hat developed the cracklib package specifically to judge password complexity. To look at pam_cracklib's parameters, use the following command:
[root@DB-Server security]# man pam_cracklib
Some of the common parameters are:
retry=N
Changes the number of password attempts; the default is 1, meaning that if the password the user enters is not strong enough, the module exits. Use this option to set the number of attempts so that everything does not have to start again from the beginning.
Prompt user at most N times before returning with error. The default is 1
minlen=N
The minimum acceptable length of the new password.
The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
difok=N
The default is 10. This parameter sets the allowed number of characters that are the same in the new and old password. However, if half of the characters in the new password differ from the old password, the new password is accepted.
This argument will change the default of 5 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
dcredit=N
Limits the minimum number of digits in the new password.
(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be met for a new password.
ucredit=N
Limits the minimum number of uppercase characters in the new password.
lcredit=N
Limits the minimum number of lowercase characters in the new password.
For example, in /etc/pam.d/system-auth, append dcredit=3 ucredit=2 to the end of the password line that uses pam_cracklib.so:
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Now, if the password for a newly created user does not meet the complexity requirements, the prompt BAD PASSWORD: it is based on a dictionary word appears:
[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
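Added example, not pam_cracklib's own code: a POSIX shell reimplementation of the minlen and credit arithmetic described in the man page excerpts above, run with the dcredit=3 ucredit=2 settings from the system-auth line and the documented defaults minlen=9, lcredit=1, ocredit=1 against a few constructed passwords. It covers only the length stage; the dictionary check that produced "it is based on a dictionary word" above is a separate stage, which is why "password" passes here but is still rejected by passwd.

```shell
#!/bin/sh
# Added example, not pam_cracklib's own code: the minlen/credit rule from the
# man page, reimplemented in shell. For each character class, a credit N >= 0
# adds up to N to the effective length; a credit N < 0 requires at least -N
# characters of that class and adds nothing to the length.
LC_ALL=C; export LC_ALL

count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d '[:space:]'; }

# Usage: cracklib_length_ok PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Returns 0 when the password satisfies the length/credit rule, 1 otherwise.
cracklib_length_ok() {
    pw=$1; minlen=$2
    digits=$(count_class "$pw" '[:digit:]')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    size=${#pw}
    other=$(( size - digits - upper - lower ))
    for pair in "$digits:$3" "$upper:$4" "$lower:$5" "$other:$6"; do
        n=${pair%%:*}; credit=${pair##*:}
        if [ "$credit" -ge 0 ]; then
            # positive credit: +1 per character of this class, capped at credit
            if [ "$n" -lt "$credit" ]; then size=$(( size + n )); else size=$(( size + credit )); fi
        else
            # negative credit: a hard minimum count for this class
            [ "$n" -ge $(( 0 - credit )) ] || return 1
        fi
    done
    [ "$size" -ge "$minlen" ]
}

# Settings from the system-auth line above (dcredit=3 ucredit=2) plus the
# documented defaults minlen=9, lcredit=1, ocredit=1.
check() {
    if cracklib_length_ok "$1" 9 3 2 1 1; then r=passes; else r="too short"; fi
    printf '%-10s length rule: %s\n' "$1" "$r"
}
check password   # 8 lowercase + 1 credit = 9: passes the length stage only;
                 # the dictionary check still rejects it, as the output above shows
check Abc123     # 6 + 3 digit credits + 1 upper + 1 lower = 11
check abc        # 3 + 1 = 4
# The same options as negative values, i.e. at least 3 digits and 2 uppercase letters:
if cracklib_length_ok Abc12345 9 -3 -2 1 1; then echo "Abc12345 ok"; else echo "Abc12345 rejected: only 1 uppercase letter"; fi
```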