• Linux是对用户的密码的复杂度要求设置【转】


    那么Linux是如何实现对用户的密码的复杂度的检查的呢?其实系统对密码的控制是有两部分组成:

    1 cracklib

    2 /etc/login.defs

    pam_cracklib.so 才是控制密码复杂度的关键文件/lib/security/pam_cracklib.so, Redhat公司专门开发了cracklib这个安装包来判断密码的复杂度。如果你想查看pam_cracklib的一些参数,那么就使用下面命令

    [root@DB-Server security]# man pam_cracklib

    其中一些常见的参数为
     
    retry=N
    改变输入密码的次数,默认值是1。就是说,如果用户输入的密码强度不够就退出。可以使用这个选项设置输入的次数,以免一切都从头再来
     
                  Prompt user at most N times before returning with error. The
                  default is 1
     
    minlen=N
    新密码最低可接受的长度
     
                  The minimum acceptable size for the new password (plus one if
                  credits are not disabled which is the default). In addition to the
                  number of characters in the new password, credit (of +1 in length)
                  is given for each different kind of character (other, upper, lower
                  and digit). The default for this parameter is 9 which is good for a
                  old style UNIX password all of the same type of character but may
                  be too low to exploit the added security of a md5 system. Note that
                  there is a pair of length limits in Cracklib itself, a "way too
                  short" limit of 4 which is hard coded in and a defined limit (6)
                  that will be checked without reference to minlen. If you want to
                  allow passwords as short as 5 characters you should not use this
                  module.
     
    difok=N
    默认值为10。这个参数设置允许的新、旧密码相同字符的个数。不过,如果新密码中1/2的字符和旧密码不同,则新密码被接受
     
     
                  This argument will change the default of 5 for the number of
                  characters in the new password that must not be present in the old
                  password. In addition, if 1/2 of the characters in the new password
                  are different then the new password will be accepted anyway.
     
    dcredit=N
    限制新密码中至少有多少个数字
     
                  (N >= 0) This is the maximum credit for having digits in the new
                  password. If you have less than or N digits, each digit will count
                  +1 towards meeting the current minlen value. The default for
                  dcredit is 1 which is the recommended value for minlen less than
                  10.
     
                  (N < 0) This is the minimum number of digits that must be met for a
                  new password.
     
    ucredit=N
    限制新密码中至少有多少个大写字符。
     
    lcredit=N
    限制新密码中至少有多少个小写字符。

    例如在/etc/pam.d/system-auth 在password使用pam_cracklib.so设置的最后附加dcredit=3 ucredit=2

    password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    此时如果你新建用户的密码不符合密码复杂度,就会出现BAD PASSWORD: it is based on a dictionary word提示。

    [root@DB-Server ~]# passwd ttt
    Changing password for user ttt.
    New UNIX password: 
    BAD PASSWORD: it is based on a dictionary word

    转自

    Linux账户密码过期安全策略设置 - 潇湘隐者 - 博客园
    http://www.cnblogs.com/kerrycode/p/5600525.html

  • 相关阅读:
    vue 路由嵌套 (子路由跳转报错或者失效解决方法)
    vue-cli3主题色系统
    vue项目哀悼日
    el-upload 文件上传显示进度
    课表
    uni-app 开发钉钉小程序
    Linux/Centos/Ubuntu crontab备份数据库
    【转】鲁迅为厦大题写校名,为啥4个字错了3个?专家:鲁迅故意写错的。
    计数单位资料汇总(个十百千兆京...,分厘毫丝忽微纤沙尘埃...)
    【转】如意算盘:中国的第五大发明
  • 原文地址:https://www.cnblogs.com/paul8339/p/7145883.html
Copyright © 2020-2023  润新知