Note: the method in this article makes the password complexity check take effect when a password is reset with the passwd command; at system login the password is not checked against this configuration!
1. Environment
Operating system: Server 8.3 (derived from CentOS 8.3)
2. Changing the system's default password complexity
Starting with CentOS 8, password complexity is set through the pam_pwquality.so module; the guides found online that tell you to configure it with the pam_cracklib.so module no longer apply to CentOS 8!
On CentOS 8, password complexity is configured by editing /etc/security/pwquality.conf, /etc/pam.d/system-auth and /etc/pam.d/password-auth.
2.1 Editing /etc/security/pwquality.conf
Every option in this file is preceded by a very clear description; a quick read is enough to understand what each one means.
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = -1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = -1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = -1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = -1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
usercheck = 1
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
# enforcing = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
To emphasise:
- The first option in this file (difok) is the number of characters in the new password that must not appear in the old password.
- The above is the file after my changes; requiring upper-case letters, lower-case letters, digits and other characters in the password can also be achieved by setting minclass = 4.
- The complexity rules set here take effect when the password is changed with passwd; they are not checked at system login!
Because I need to bake these changes into the Server 8.3 system, I have to make them in the software package, in this case the libpwquality source package. The patch is as follows:
diff --git a/src/pwquality.conf b/src/pwquality.conf
index 550036d..fa59aa0 100644
--- a/src/pwquality.conf
+++ b/src/pwquality.conf
@@ -8,26 +8,26 @@
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
-# minlen = 8
+minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
-# dcredit = 0
+dcredit = -1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
-# ucredit = 0
+ucredit = -1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
-# lcredit = 0
+lcredit = -1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
-# ocredit = 0
+ocredit = -1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
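Review bot: with all four credits set to -1 in this hunk, each character class becomes a hard minimum and no length credit is granted, so `minlen = 8` now means a literal eight characters; the still-commented `minclass` at the end of the hunk is therefore redundant with these settings, and the commit message should say which of the two mechanisms is the intended one so nobody later sets `minclass = 4` on top of it.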
@@ -48,11 +48,11 @@
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
-# dictcheck = 1
+dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
-# usercheck = 1
+usercheck = 1
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
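Review bot: the two `+` lines `dictcheck = 1` and `usercheck = 1` only uncomment values that the surrounding comments already list as the defaults, so this hunk changes no behaviour; keeping it is fine if the goal is an explicit policy, but the commit message should state that it is a no-op so reviewers do not look for a semantic change.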
--
2.2 Editing /etc/pam.d/system-auth and password-auth
When editing /etc/pam.d/system-auth and password-auth, refer to section 5.4.1 of the CIS_CentOS_Linux_8_Benchmark_v1.0.1 document.
Testing on Server 8.3 showed that the "enforce-for-root" in the figure below must be changed to "enforce_for_root" for the complexity check to apply to root.
Because I need to bake the changes into Server 8.3, the source packages that provide /etc/pam.d/system-auth and password-auth are involved. Carelessness here led me into a mistake, as follows:
[root@bogon ~]# rpm -qf /etc/pam.d/system-auth
pam-1.3.1-11.lns8.loongarch64
[root@bogon ~]# rpm -qf /etc/pam.d/password-auth
pam-1.3.1-11.lns8.loongarch64
[root@bogon ~]#
I used rpm -qf to find which package owns the files, then located the source package and patched it. The pam source package really does contain these two files, and after patching them and installing the pam package directly the change was visible, but after rebuilding the ISO the change was gone!! I searched for a long time without finding the cause. After some painful reflection I opened /etc/pam.d/system-auth and saw the first line:
# Generated by authselect on Fri Aug 20 11:38:30 2021
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=5 even_deny_root unlock_time=900
auth required pam_faildelay.so delay=2000000
......
Be careful when you work!!
My authselect patch:
---
profiles/sssd/password-auth | 4 +++-
profiles/sssd/system-auth | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 3e1886f..7155a1f 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -1,4 +1,5 @@
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
auth required pam_faillock.so preauth silent {include if "with-faillock"}
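Review bot: the header `@@ -1,4 +1,5 @@` announces one added line, but none of the five body lines carries a `+` prefix, so this hunk (and the other context-only hunks in this patch, `-7,6 +8,7`, `-1,5 +1,6` and `-12,6 +13,7`) will not apply with `git am` or `patch`; the markers were most likely lost when the patch was pasted, and the diffstat's three insertions per file together with the note that the goal is to match upstream suggest the added line here is `auth required pam_faildelay.so delay=2000000`. Re-export the patch with `git format-patch` rather than repairing it by hand.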
@@ -7,6 +8,7 @@ auth required pam_u2f.so cue nouserok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -20,7 +22,7 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
+password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
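Review bot: `local_users_only` is kept on the `+` line, so pam_pwquality still skips any user not present in /etc/passwd; that matches the root and user1 tests in section 4 but leaves SSSD-managed accounts to the remote policy, which should be stated in the commit message. `enforce_for_root` is spelled with underscores here, consistent with the finding in 2.2 that the hyphenated form did not apply to root.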
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 4b4b43e..95b8fff 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,5 +1,6 @@
{imply "with-smartcard" if "with-smartcard-required"}
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
@@ -12,6 +13,7 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -25,7 +27,7 @@ account sufficient pam_usertype.so issyste
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password requisite pam_pwquality.so try_first_pass local_users_only
+password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
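Review bot: this is the same one-line change as in password-auth, applied only under profiles/sssd/; since the diffstat shows no other profile directory touched, a host switched to a different authselect profile would get the unpatched pwquality line, so either patch the other profiles as well or document that the sssd profile is required for this policy.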
--
2.27.0
The diff above looks fussy; just make the files identical to upstream. The key point is to edit the ones under the sssd/ directory. As for why, studying the authselect command will explain part of it.
Note: after changing authselect, installing the rpm package directly does not show any change in /etc/pam.d/system-auth! After rebuilding the ISO and installing from it, the change is visible!
3 Test cases
- No upper-case letter
- No lower-case letter
- No special character
- No digit
- Contains the user name
- Contains a dictionary word
- Shorter than 8 characters
- A password that meets the requirements
4 Conclusion
1) After login, changing the password with passwd, the complexity check is effective for both root and the ordinary user user1.
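As an added example (not code from the article or from libpwquality), the following Python models the rules enabled in the pwquality.conf of section 2.1 and runs the test points listed above before touching a real system. It parses the same `key = value` format, applies pwquality's credit semantics (negative credit = minimum count, positive credit = length bonus), and approximates usercheck and dictcheck with a constructed user name "user1" and a tiny constructed word list in place of the cracklib dictionary.

```python
# Constructed copy of the values the article enables in /etc/security/pwquality.conf.
PWQUALITY_CONF = """# Configuration for systemwide password quality limits
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
dictcheck = 1
usercheck = 1
"""
DICTIONARY = {"password", "qwerty", "welcome", "letmein"}  # constructed stand-in for cracklib's word list
# Credit key -> (label, character-class test): the four classes pwquality counts.
CLASSES = {"dcredit": ("digit", str.isdigit), "ucredit": ("uppercase", str.isupper),
           "lcredit": ("lowercase", str.islower), "ocredit": ("other", lambda c: not c.isalnum())}

def parse_pwquality(text):
    """Parse 'key = value' lines of a pwquality.conf, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_password(password, username, conf=None):
    """Return the rules the password violates (empty list = accepted); approximates libpwquality."""
    conf = conf if conf is not None else parse_pwquality(PWQUALITY_CONF)
    failures, effective_len = [], len(password)
    for key, (label, is_class) in CLASSES.items():
        credit, count = int(conf.get(key, 0)), sum(1 for c in password if is_class(c))
        if credit < 0 and count < -credit:  # negative credit = minimum count of that class
            failures.append("needs %d %s" % (-credit, label))
        elif credit > 0:                    # positive credit lengthens the password, up to the credit
            effective_len += min(count, credit)
    minlen = max(6, int(conf.get("minlen", 8)))  # the file says minlen cannot go below 6
    if effective_len < minlen:
        failures.insert(0, "shorter than minlen %d" % minlen)
    name, lowered = username.lower(), password.lower()
    if conf.get("usercheck", "1") != "0" and (name in lowered or name[::-1] in lowered):
        failures.append("contains the user name")  # forward or reversed, case-insensitive
    # Rough stand-in for cracklib: drop digits/punctuation and look the remaining word up.
    if conf.get("dictcheck", "1") != "0" and "".join(c for c in lowered if c.isalpha()) in DICTIONARY:
        failures.append("dictionary word")
    return failures

def article_test_points(username="user1"):
    """Run the article's section 3 test points with constructed passwords; returns label -> failures."""
    cases = {"no uppercase": "tr0ub4dor&", "no lowercase": "TR0UB4DOR&", "no special": "Tr0ub4dor3",
             "no digit": "Troubador&x", "contains user name": "User1#Abcde",
             "dictionary word": "Password1!", "shorter than 8": "Ab1!xyz", "meets the policy": "Tr0ub4dor&3"}
    return {label: check_password(pw, username) for label, pw in cases.items()}
```

On a real host the same eight passwords can be fed to `pwscore` (shipped with libpwquality) to confirm the installed policy agrees with this model.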