•Create a custom profile

Back up the current configuration before changing anything. The backup is written under /var/lib/authselect/backups/ and can be listed and restored with authselect backup-list and authselect backup-restore; authselect select accepts the same --backup option (-b is its short form, so one of the two is enough):

authselect apply-changes --backup=sssd.backup

 

Create a new custom profile named password-policy based on the existing sssd profile, switch to it, and enable the features the rest of this page relies on. with-faillock wires pam_faillock into the stacks (it reads /etc/security/faillock.conf, configured below); with-mkhomedir creates home directories at first login and needs the oddjobd service running (systemctl enable --now oddjobd), otherwise the directories are silently not created:

authselect create-profile password-policy -b sssd
authselect select custom/password-policy
authselect enable-feature with-mkhomedir
authselect enable-feature with-faillock

 

•Keep history of used passwords

Edit the copies inside the custom profile, never /etc/pam.d/system-auth or /etc/pam.d/password-auth directly: authselect regenerates those files from the profile, so direct edits are lost and make apply-changes refuse to run. Insert the pam_pwhistory line right after the pam_pwquality.so line in the password section of /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth. It has to come before pam_unix.so; use_authtok makes it check the password pam_pwquality already collected instead of prompting again, and remember=5 rejects any of the user's last five passwords. The sed commands below append after every matching line and are not idempotent, so run them exactly once. Newer authselect releases ship a with-pwhistory feature: if authselect list-features custom/password-policy lists it, authselect enable-feature with-pwhistory is the cleaner way to get the same line.

sed -i '/pam_pwquality.so/a\password    requisite                                    pam_pwhistory.so remember=5 use_authtok' /etc/authselect/custom/password-policy/system-auth
sed -i '/pam_pwquality.so/a\password    requisite                                    pam_pwhistory.so remember=5 use_authtok' /etc/authselect/custom/password-policy/password-auth


•Enforce password complexity for root

By default pam_pwquality only prints a warning when root picks a password that fails the checks and accepts it anyway. Add the option below to the pam_pwquality.so line in the password section of /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth so the checks are enforced for root as well (the same option can alternatively be set in /etc/security/pwquality.conf):

enforce_for_root

 

•Set password quality options in /etc/security/pwquality.conf

With all four credit values at -1, minlen = 9 is a hard minimum of nine characters and each class (digit, uppercase, lowercase, other) must appear at least once; minclass = 4 states the same requirement and is harmless. maxrepeat and maxclassrepeat cap runs of the same character or of the same class at two, and difok requires at least five characters that were not in the old password. gecoscheck = 0 leaves the GECOS-word check disabled, which is its default; set it to 1 to reject passwords built from the user's full name. Each sed below appends an active line after the commented default and matches any line containing the keyword, so run them once and review the uncommented lines of the file afterwards:

sed -i '/minlen/a\minlen = 9' /etc/security/pwquality.conf
sed -i '/minclass/a\minclass = 4' /etc/security/pwquality.conf
sed -i '/dcredit/a\dcredit = -1' /etc/security/pwquality.conf
sed -i '/ucredit/a\ucredit = -1' /etc/security/pwquality.conf
sed -i '/ocredit/a\ocredit = -1' /etc/security/pwquality.conf
sed -i '/lcredit/a\lcredit = -1' /etc/security/pwquality.conf
sed -i '/maxrepeat/a\maxrepeat = 2' /etc/security/pwquality.conf
sed -i '/maxclassrepeat/a\maxclassrepeat = 2' /etc/security/pwquality.conf
sed -i '/difok/a\difok = 5' /etc/security/pwquality.conf
sed -i '/gecoscheck/a\gecoscheck = 0' /etc/security/pwquality.conf

 

•Lock user account after X failed login attempts

pam_faillock (added to the stacks above by with-faillock) reads /etc/security/faillock.conf. The settings below lock an account after 5 consecutive failures for 900 seconds (15 minutes); silent suppresses the "account locked" message, so a remote attacker cannot distinguish a lockout from a wrong password. root is exempt unless even_deny_root is also set, and an administrator can clear a lockout early with faillock --user NAME --reset.

sed -i '/^# silent/a\silent' /etc/security/faillock.conf
sed -i '/^# unlock_time/a\unlock_time = 900' /etc/security/faillock.conf
sed -i '/^# deny/a\deny = 5' /etc/security/faillock.conf

 

Edits under /etc/authselect/custom/ only take effect when authselect regenerates /etc/pam.d/ from the profile, so after modifying the profile files run:

authselect apply-changes

apply-changes refuses to run if the generated files in /etc/pam.d/ were edited by hand; in that case reselect the profile with authselect select custom/password-policy --force. authselect check confirms afterwards that the live files match the profile.

 

•Shadow password suite config (/etc/login.defs)

Set the password aging defaults in /etc/login.defs. The substitutions below replace whatever value is currently present instead of assuming the stock 99999/0/5 values. PASS_MIN_LEN is only consulted by tools that bypass PAM; with pam_pwquality in the stack the effective minimum is minlen from pwquality.conf, so keep the two consistent:

sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS\t7/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN\t9/' /etc/login.defs

 

Apply the aging policy to existing users

login.defs only supplies defaults for accounts created from now on; existing accounts keep their own values in /etc/shadow, so set them with chage for every account that should be covered and verify with chage -l NAME. Note that the root example below uses a 365-day maximum rather than the 90 days written to login.defs above; decide deliberately whether root follows the same policy:

chage --maxdays 365 root
chage --mindays 7 root
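The whole procedure above as one re-runnable script, an added example that is not part of the original notes. It reimplements the sed one-liners idempotently (running it twice never duplicates a line) and takes the target paths as parameters, so it can first be exercised against scratch copies of the profile and config files. The function names set_conf_key, ensure_pam_line, ensure_pam_option and apply_password_policy and the --apply switch are this example's own inventions; the policy values are the ones from the page.

```shell
#!/bin/sh
# Added example, not from the original notes. Applies the password policy
# described above idempotently; file locations are parameters so the script
# can be tried on scratch copies before touching /etc.
set -eu

# set_conf_key FILE KEY VALUE SEP
#   Leave FILE with exactly one active "KEY<SEP>VALUE" line: an existing
#   active line is rewritten in place, otherwise the setting goes right after
#   the first "# KEY ..." comment (next to the file's own documentation),
#   and at end of file if there is no such comment either.
set_conf_key() {
    file=$1 key=$2 value=$3 sep=$4
    tmp=$(mktemp)
    awk -v key="$key" -v line="$key$sep$value" '
        $0 ~ "^[ \t]*" key "([ \t]|=|$)"  { if (!done) { print line; done = 1 }; next }
        !done && $0 ~ "^#[ \t]*" key "([ \t]|=|$)" { print; print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# ensure_pam_line FILE ANCHOR MODULE LINE
#   Add LINE after the first "password" entry that calls ANCHOR, unless
#   MODULE already appears somewhere in FILE.
ensure_pam_line() {
    file=$1 anchor=$2 module=$3 newline=$4
    grep -q "$module" "$file" && return 0
    tmp=$(mktemp)
    awk -v anchor="$anchor" -v line="$newline" '
        { print }
        !done && $1 == "password" && index($0, anchor) { print line; done = 1 }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# ensure_pam_option FILE MODULE OPTION
#   Add OPTION directly after MODULE on each "password" line that calls it,
#   skipping lines that already carry the option. Placing it right after the
#   module name keeps it ahead of any trailing authselect {include if ...} tag.
ensure_pam_option() {
    file=$1 module=$2 opt=$3
    tmp=$(mktemp)
    awk -v module="$module" -v opt="$opt" '
        $1 == "password" && (i = index($0, module)) && !index(" " $0 " ", " " opt " ") {
            $0 = substr($0, 1, i + length(module) - 1) " " opt substr($0, i + length(module))
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_password_policy PROFILE_DIR SECURITY_DIR LOGIN_DEFS
#   Live values: /etc/authselect/custom/password-policy /etc/security /etc/login.defs
apply_password_policy() {
    profile=$1 security=$2 logindefs=$3
    for f in system-auth password-auth; do
        # pam_pwhistory sits after pam_pwquality and before pam_unix; use_authtok
        # makes it check the password pam_pwquality already collected.
        ensure_pam_line "$profile/$f" pam_pwquality.so pam_pwhistory.so \
            'password    requisite                                    pam_pwhistory.so remember=5 use_authtok'
        ensure_pam_option "$profile/$f" pam_pwquality.so enforce_for_root
    done
    # $kv is intentionally unquoted: it splits into the key and value arguments.
    for kv in 'minlen 9' 'minclass 4' 'dcredit -1' 'ucredit -1' 'ocredit -1' 'lcredit -1' \
              'maxrepeat 2' 'maxclassrepeat 2' 'difok 5' 'gecoscheck 0'; do
        set_conf_key "$security/pwquality.conf" $kv ' = '
    done
    set_conf_key "$security/faillock.conf" silent '' ''
    set_conf_key "$security/faillock.conf" deny 5 ' = '
    set_conf_key "$security/faillock.conf" unlock_time 900 ' = '
    set_conf_key "$logindefs" PASS_MAX_DAYS 90 ' '
    set_conf_key "$logindefs" PASS_MIN_DAYS 7 ' '
    set_conf_key "$logindefs" PASS_MIN_LEN 9 ' '
}

# With --apply: edit the live files, then regenerate /etc/pam.d from the profile
# and verify the result. Without it the functions are only defined.
if [ "${1:-}" = "--apply" ]; then
    apply_password_policy /etc/authselect/custom/password-policy /etc/security /etc/login.defs
    authselect apply-changes
    authselect check
fi
```

Run it as root with --apply once the custom profile exists and is selected; the per-account chage step stays separate because it has to be repeated for each existing user. Settings are placed next to their commented defaults rather than appended blindly, which keeps the files readable for the next person who audits them.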