标签归档:密码策略

How to enforce password complexity on Linux

On most Linux systems, you can use PAM (the “pluggable authentication module”) to enforce password complexity. If you have a file named /etc/pam.d/system-auth on RedHat (/etc/pam.d/common-password on Debian systems), look for lines that look like those shown below.

$ grep password /etc/pam.d/system-auth
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

That’s what you should expect to see on a new system.

By default, passwords must have at least six characters (see /etc/login.defs for possible changes). This is hardly long enough by current standards to consider passwords to be secure. You will have a much stronger password complexity policy if you change the first line to something like this, requiring longer passwords and ensuring a degree of complexity as well.

password requisite pam_cracklib.so try_first_pass retry=3 minlength=12 lcredit=1
ucredit=1 dcredit=1 ocredit=1 difok=4

Here’s what each of the available parameters does:

try_first_pass = sets the number of times users can attempt setting a good
  password before the passwd command aborts
minlen = establishes a measure of complexity related to the password length
  (more in a moment on this)
lcredit = sets the minimum number of required lowercase letters
ucredit = sets the minimum number of required uppercase letters
dcredit = sets the minimum number of required digits
ocredit = sets the minimum number of required other characters
difok = sets the number of characters that must be different from those in the
   previous password

That said, minlen is actually a measure of complexity, not simply length. It specifies a complexity score that must be reached for a password to be deemed as acceptable. If each character in a password added one to the complexity count, then minlen would simply represent the password length but, if some characters count more than once, the calculation is more complex. So let’s see how this works.
继续阅读

如何在 Linux 上设置密码策略

用户帐号管理是系统管理员最重要的工作之一。而密码安全是系统安全中最受关注的一块。在本教程中,我将为大家介绍如何在 Linux 上设置密码策略

假设你已经在你的 Linux 系统上使用了 PAM (Pluggable Authentication Modules,插入式验证模块),因为这些年所有的 Linux 发行版都在使用它。 继续阅读