您好,登錄后才能下訂單哦!
以下是通過man pam_cracklib查看獲得的解釋
一 PAM_CRACKLIB模塊可以做的密碼策略:
1.回文限制
2.字符數量限制
3.字符類型限制
4.重復字符限制
5.新密碼和老密碼重復字符數量限制
6.新密碼和老密碼的相似度記憶
7.記憶最近幾次的密碼不能和老密碼重復
authtok_type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
The example word UNIX can be replaced with this option, by default it is empty.
當輸入新密碼時的默認提示
difok=N
This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.
這個參數將改變新密碼不同于老密碼5個字符的默認設置
maxrepeat=N
Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.
拒絕包含超過N個連續相同的字符.默認是0,意思是不用檢查
maxsequence=N
Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are 12345
or fedcb. Note that most such passwords will not pass the
simplicity check unless the sequence is only a minor part of the password.
拒絕密碼包含大于N的單純字符序列.默認不檢查,注意大多數密碼不會通過簡單性檢查除非這個序列是密碼的次要部分
dictpath=/path/to/dict
Path to the cracklib dictionaries.
二 報錯實例
如果是和以前用過的相同就會報錯:
Password has been already used. Choose another.
如果新密碼和老密碼一樣就會提示:
Password unchanged
如果新密碼和老密碼相似度太高會提示:
is too similar to the old one
如果設置的復雜度不夠會提示:
BAD PASSWORD: it is too short
如果是比如密碼設置有連續的多個字符就會提示:
BAD PASSWORD: it is too simplistic/systematic
如果設密碼超過重復字符限制:
BAD PASSWORD: contains too many same characters consecutively
三 配置實例
password requisite /lib64/security/pam_cracklib.so try_first_pass retry=3 difok=3
authtok_type=you_must_enter_at_least_3_charactors type= minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict
password sufficient /lib64/security/pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=3
控制標識符解釋:
optional The module is required for authentication if it is the only module listed
for a service.
required The module must succeed for access to be granted. PAM continues
to execute the remaining modules in the stack whether the module
succeeds or fails. PAM does not immediately inform the user of the
failure.
requisite The module must succeed for access to be granted. If the module
succeeds, PAM continues to execute the remaining modules in the
stack. However, if the module fails, PAM notifies the user immediately
and does not continue to execute the remaining modules in the stack.
sufficient If the module succeeds, PAM does not process any remaining modules
of the same operation type. If the module fails, PAM processes the
remaining modules of the same operation type to determine overall
success or failure.
四 密碼過期
/etc/login.defs 文件,可以設置當前密碼的有效期限,如果想單獨為每個用戶設置不同期限使用chage命令.
五 一般的密碼策略
Password must meetthe following complexity requirements:
- Enforce password history: 5 passwords remembered
- Maximum password age: 90 days
- Not contain the user's account name or parts of the user's full name thatexceed two consecutive characters
- Be at least 7 characters in length
- Contain characters from three of the following four categories:
1. English uppercase characters (A through Z)
2. English lowercase characters (a through z)
3. Base 10 digits (0 through 9)
4. Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。