Linux Account Password Expiry Security Policy Settings

In Linux system administration you sometimes need to set the password complexity (length) and the password expiry policy for accounts. This is mainly controlled by parameters in /etc/login.defs, the shadow-utils configuration file that governs account creation and password aging. Note that on a PAM-based system the complexity rules used by passwd come from the PAM stack (see the pam_cracklib section below), not from this file. The main parameters in /etc/login.defs are the following:

# Password aging controls:
#
# PASS_MAX_DAYS   Maximum number of days a password may be used.
# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
# PASS_MIN_LEN    Minimum acceptable password length.
# PASS_WARN_AGE   Number of days warning given before a password expires.

PASS_MAX_DAYS 60      # maximum password lifetime; 60 here means the password expires after 60 days. 99999 means it never expires.
PASS_MIN_DAYS 0       # minimum interval between two password changes; 0 means the password can be changed at any time
PASS_MIN_LEN  8       # minimum password length; not applied to root, and on PAM-based systems passwd ignores it entirely (the minlen option of pam_cracklib/pam_pwquality applies instead)
PASS_WARN_AGE 7       # how many days before expiry the user starts to be warned at login

# Min/max values for automatic uid selection in useradd
# lowest UID that useradd assigns automatically (500 on the older Red Hat system shown here; current distributions use 1000)
UID_MIN                   500
# highest UID that useradd assigns automatically
UID_MAX                 60000
#
# Min/max values for automatic gid selection in groupadd
# lowest GID that groupadd assigns automatically
GID_MIN                   500
# highest GID that groupadd assigns automatically
GID_MAX                 60000


# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
# Commented out by default. If defined, the command is run whenever a user is deleted and is expected to clean up the at/cron/print jobs still owned by that user (the user name is passed as the first argument).
#USERDEL_CMD    /usr/sbin/userdel_local

 
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
# whether useradd creates a home directory for each new user
CREATE_HOME     yes


# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
# initial permission mask; with 077 the home directory that useradd creates is mode 0700, readable only by its owner
UMASK           077

# This enables userdel to remove user groups if no members exist.
# when enabled, useradd creates a private group named after each new user, and userdel removes that group again if it has no other members
USERGROUPS_ENAB yes


# Use MD5 or DES to encrypt password? Red Hat use MD5 by default.
MD5_CRYPT_ENAB yes

# hashing algorithm for stored user passwords; here MD5 is used. This listing is from an old Red Hat release: MD5-crypt is obsolete and fast to brute-force, so on a current system set ENCRYPT_METHOD SHA512 (the default on RHEL 6 and later; ENCRYPT_METHOD supersedes MD5_CRYPT_ENAB when both are set).
ENCRYPT_METHOD MD5

Changes to /etc/login.defs take effect immediately, but the PASS_* values are only applied when an account is created: useradd copies them into the new /etc/shadow entry, so accounts that already existed keep their old values and have to be updated with chage. For example, after changing PASS_MAX_DAYS and the other values we create a new user test:

[root@DB-Server home]# useradd test
[root@DB-Server home]# cat /etc/shadow | grep test
test:!!:16971:0:60:7:::
[root@DB-Server home]# cat /etc/passwd | grep test
test:x:501:501::/home/test:/bin/bash

The shadow fields are name:hash:last-change:min:max:warn:inactive:expire. Here "!!" means no password has been set yet, 16971 is the day of the last change counted from 1970-01-01 (2016-06-19), and 0/60/7 are the PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE values copied from login.defs. chage -l shows the same data in readable form:

[root@DB-Server home]# chage -l test
Last password change                                    : Jun 19, 2016   # date of the last password change
Password expires                                        : Aug 18, 2016   # password expiry date (last change + 60 days)
Password inactive                                       : never          # date on which the account is disabled after the password has expired
Account expires                                         : never          # account expiry date
Minimum number of days between password change          : 0              # minimum number of days between two password changes
Maximum number of days between password change          : 60             # maximum number of days between two password changes
Number of days of warning before password expires       : 7              # number of days of warning before the password expires
[root@DB-Server home]#

 

Because CREATE_HOME is yes, creating the user test automatically creates the directory test under /home. Where home directories go, which shell is assigned and which skeleton files are copied are set in the useradd defaults file /etc/default/useradd, which can be viewed and edited directly (or shown with useradd -D):

[root@DB-Server ~]# cat /etc/default/useradd
# useradd defaults file
GROUP=100         # default primary group, used only when USERGROUPS_ENAB is no (otherwise a private group named after the user is created)
HOME=/home        # home directories are created under /home
INACTIVE=-1       # days after password expiry before the account is disabled; -1 disables this lockout
EXPIRE=           # account expiry date; empty means the account never expires
SHELL=/bin/bash   # login shell for new users
SKEL=/etc/skel    # skeleton directory; the files found in a new user's home directory are copied from here
CREATE_MAIL_SPOOL=yes

Now suppose user test has a special requirement that its password must never expire. This is handled with the chage command (for details on chage see https://ipcmen.com/chage). Exempting an account from expiry is common for service accounts, but it should be documented and compensated for, for example by key-based authentication instead of a password:

[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : Aug 18, 2016
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7
[root@DB-Server ~]# chage -M 99999 test
[root@DB-Server ~]# chage -l test
Last password change                                    : Jun 19, 2016
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@DB-Server ~]#
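As a worked example of the two points above (login.defs values are copied only into accounts created afterwards, and chage is how existing accounts are changed), here is a shell script added to this page, not code from the original article, that reads the PASS_* values from a login.defs file, compares them with every entry of a shadow file, and prints the chage command that would bring each non-compliant account into line. The file paths, user names and hashes are constructed sample data; on a real host point the two functions at /etc/login.defs and /etc/shadow as root.

```shell
#!/bin/bash
# Added example, not code from the original article: audit the aging fields of a
# shadow file against the PASS_* values of a login.defs file and print the chage
# command that brings each non-compliant account into line. It runs here on
# constructed sample files; on a real host call the two functions (as root) with
# /etc/login.defs and /etc/shadow, and review the output before running it.
set -u

# read_login_defs <login.defs> <KEY> : print KEY's value, skipping comment lines
read_login_defs() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { print $2; exit }' "$1"
}

# shadow_noncompliant <shadow> <PASS_MAX_DAYS> <PASS_MIN_DAYS> <PASS_WARN_AGE>
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved.
# An empty max field means "never expires" (treated as 99999); empty min or
# warn mean 0. Accounts whose hash is "*" can never have a password and are
# skipped; "!"-locked accounts are still reported because unlocking them puts
# the old password back into service. Output per non-compliant account:
#   user cur_max cur_min cur_warn chage -M <max> -m <min> -W <warn> user
shadow_noncompliant() {
    awk -F: -v pmax="$2" -v pmin="$3" -v pwarn="$4" '
        $2 == "*" { next }
        {
            max  = ($5 == "") ? 99999 : $5 + 0
            min  = ($4 == "") ? 0 : $4 + 0
            warn = ($6 == "") ? 0 : $6 + 0
            if (max != pmax + 0 || min != pmin + 0 || warn != pwarn + 0)
                printf "%s %d %d %d chage -M %d -m %d -W %d %s\n",
                       $1, max, min, warn, pmax, pmin, pwarn, $1
        }' "$1"
}

# Constructed sample files (the hashes are placeholders, not real digests).
# root and alice were created before PASS_MAX_DAYS was lowered to 60, bob has a
# 7-day minimum and no maximum, and test matches the shadow line in the article.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# Password aging controls:
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:16900:0:99999:7:::
bin:*:15000:0:99999:7:::
alice:$6$placeholder$placeholderhash:16950:0:99999:7:::
bob:!$6$placeholder$placeholderhash:16960:7::::
test:!!:16971:0:60:7:::
EOF

PMAX=$(read_login_defs "$SAMPLE_DIR/login.defs" PASS_MAX_DAYS)
PMIN=$(read_login_defs "$SAMPLE_DIR/login.defs" PASS_MIN_DAYS)
PWARN=$(read_login_defs "$SAMPLE_DIR/login.defs" PASS_WARN_AGE)
echo "policy from login.defs: PASS_MAX_DAYS=$PMAX PASS_MIN_DAYS=$PMIN PASS_WARN_AGE=$PWARN"
shadow_noncompliant "$SAMPLE_DIR/shadow" "$PMAX" "$PMIN" "$PWARN"
```

On the sample data the script lists root, alice and bob with their current values and a chage line for each, and stays silent for test (already compliant) and bin (no password). Review the output before running the commands: applying -M 60 to an account whose last change is older than 60 days expires its password immediately, so the user is forced to change it at the next login.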

As shown above, /etc/login.defs only controls things like the minimum length and the lifetime of a password. So how does Linux check the complexity of a password? Password control on the system actually consists of two parts:

1 cracklib (through the PAM module pam_cracklib.so)
2 /etc/login.defs

pam_cracklib.so is the module that actually enforces complexity. It lives at /lib/security/pam_cracklib.so (/lib64/security/ on 64-bit systems) and uses the cracklib library, originally written by Alec Muffett and shipped by Red Hat as the cracklib package, to test a candidate password against a dictionary and a set of strength rules. On RHEL/CentOS 7 and later pam_cracklib has been replaced by pam_pwquality.so, which accepts the same options described below. To look at the pam_cracklib options, run:

[root@DB-Server security]# man pam_cracklib

Some of the common options are:
1. retry=N: the number of times the user is prompted for a new password. The default is 1, i.e. if the password entered is not strong enough the module returns an error straight away; setting this option gives the user several attempts instead of having to start over. From the man page:
Prompt user at most N times before returning with error. The default is 1

2. minlen=N: the minimum acceptable length of the new password. Note that the credits described under dcredit/ucredit/lcredit below count toward this value, so with default credits a 9-character minlen can be satisfied by an 8-character password. From the man page:
  The minimum acceptable size for the new password (plus one if
  credits are not disabled which is the default). In addition to the
  number of characters in the new password, credit (of +1 in length)
  is given for each different kind of character (other, upper, lower
  and digit). The default for this parameter is 9 which is good for an
  old style UNIX password all of the same type of character but may
  be too low to exploit the added security of a md5 system. Note that
  there is a pair of length limits in Cracklib itself, a "way too
  short" limit of 4 which is hard coded in and a defined limit (6)
  that will be checked without reference to minlen. If you want to
  allow passwords as short as 5 characters you should not use this
  module.
3. difok=N: the default is 5. This option sets how many characters of the new password must not be present in the old one. However, if at least half of the characters of the new password differ from the old one, the new password is accepted anyway. From the man page:
This argument will change the default of 5 for the number of
characters in the new password that must not be present in the old
password. In addition, if 1/2 of the characters in the new password
are different then the new password will be accepted anyway.
4. dcredit=N: controls digits in the new password. The sign matters: a value N >= 0 is a credit, not a requirement (up to N digits each count one extra character toward minlen), while a negative value -N requires at least N digits and gives no credit for them. From the man page:
(N >= 0) This is the maximum credit for having digits in the new
password. If you have less than or N digits, each digit will count
+1 towards meeting the current minlen value. The default for
dcredit is 1 which is the recommended value for minlen less than
10.

(N < 0) This is the minimum number of digits that must be met for a
new password.
5. ucredit=N: the same rule for upper-case letters; a negative value is the minimum number of upper-case letters required.
6. lcredit=N: the same rule for lower-case letters.
(ocredit=N applies the same rule to other characters such as punctuation; all four credits default to 1.)

For example, to require at least 3 digits and 2 upper-case letters, append dcredit=-3 ucredit=-2 to the pam_cracklib.so line in the password section of /etc/pam.d/system-auth (positive values would only grant length credit and would not require a single digit or capital letter):

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-3 ucredit=-2
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

Two things on the pam_unix.so line are worth noting: md5 selects the hash used for the stored password and should be sha512 on any current system, and nullok allows accounts with an empty password to authenticate, which is rarely wanted. On Red Hat systems system-auth is regenerated by authconfig, so hand edits there can be overwritten.

Now when a new user's password fails the checks, passwd rejects it with a BAD PASSWORD message that names the check that failed. cracklib's own checks run first and produce messages such as "it is WAY too short" or, as in the example below, "it is based on a dictionary word"; a password that passes the dictionary but fails the minlen/credit rule is refused with "is too simple". Note that when root sets another user's password, pam_cracklib only prints the warning and accepts the password anyway unless the enforce_for_root option is given.

[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
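To see why the sign of the credit options matters, the following shell function, added here and not part of the original article or of pam_cracklib's source, re-implements the length/credit rule that pam_cracklib applies (the check behind its "is too simple" message) and runs three constructed passwords through a positive setting (dcredit=3 ucredit=2) and a negative one (dcredit=-3 ucredit=-2). It assumes pam_cracklib's defaults of minlen=9, lcredit=1 and ocredit=1, assumes ASCII passwords, and deliberately omits the dictionary, palindrome and old/new similarity checks that the real module also runs.

```shell
#!/bin/bash
# Added example, not code from the original article and not pam_cracklib's own
# source: a shell re-implementation of the length/credit rule that pam_cracklib
# applies (its simple() check), so the effect of positive versus negative
# dcredit/ucredit/lcredit/ocredit values can be tried without editing
# /etc/pam.d. The dictionary, palindrome and old/new similarity checks that
# pam_cracklib also runs are intentionally left out. ASCII passwords assumed.
set -u

# count_class <string> <tr character class> : how many characters fall in the class
count_class() {
    echo $(( $(printf '%s' "$1" | tr -cd "$2" | wc -c) ))
}

# cracklib_simple <password> <minlen> <dcredit> <ucredit> <lcredit> <ocredit>
# Exit status 0 = accepted, 1 = rejected.
#   credit >= 0 : up to <credit> characters of that class each count +1
#                 toward minlen (a bonus, never a requirement)
#   credit <  0 : at least -credit characters of that class are required,
#                 and they earn no credit
cracklib_simple() {
    local pw=$1 minlen=$2
    local len=${#pw}
    local digits uppers lowers others
    digits=$(count_class "$pw" '[:digit:]')
    uppers=$(count_class "$pw" '[:upper:]')
    lowers=$(count_class "$pw" '[:lower:]')
    others=$(( len - digits - uppers - lowers ))

    local required=$minlen pair count credit
    for pair in "$digits:$3" "$uppers:$4" "$lowers:$5" "$others:$6"; do
        count=${pair%%:*}
        credit=${pair##*:}
        if [ "$credit" -ge 0 ]; then
            if [ "$count" -gt "$credit" ]; then count=$credit; fi   # cap the credit
            required=$(( required - count ))
        elif [ "$count" -lt $(( 0 - credit )) ]; then
            return 1                                               # class minimum not met
        fi
    done
    [ "$required" -le "$len" ]
}

# check_line <label> <password> <minlen> <dcredit> <ucredit> <lcredit> <ocredit>
check_line() {
    if cracklib_simple "$2" "$3" "$4" "$5" "$6" "$7"; then
        printf '%-24s %-10s accept\n' "$1" "$2"
    else
        printf '%-24s %-10s reject\n' "$1" "$2"
    fi
}

# Constructed test passwords. pam_cracklib defaults: minlen=9 and a credit of 1
# for each class. Positive dcredit/ucredit only raise the credit caps, so an
# all-lowercase 8-character password still satisfies the length rule.
for pw in password Passw0rd Pa55w0rD; do
    check_line "dcredit=3 ucredit=2"   "$pw" 9  3  2 1 1
    check_line "dcredit=-3 ucredit=-2" "$pw" 9 -3 -2 1 1
done
```

With dcredit=3 ucredit=2 even the all-lowercase "password" passes the length rule, because credits can only shorten the required length; with dcredit=-3 ucredit=-2 it is rejected, and of the three only Pa55w0rD, which has three digits and two capitals, gets through. The real module would still send "password" to cracklib's dictionary check before this rule is even reached.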

 
