共计 6927 个字符,预计需要花费 18 分钟才能阅读完成。
自动写代码机器人,免费开通
这篇文章将为大家详细讲解有关 linux 如何实现账号密码安全加固,丸趣 TV 小编觉得挺实用的,因此分享给大家做个参考,希望大家阅读完这篇文章后可以有所收获。
Linux 用户密码策略
Linux 用户密码的有效期, 是否可以修改密码可以通过 login.defs 文件控制. 对 login.defs 文件修只影响后续建立的用户, 如果要改变以前建立的用户的有效期等可以使用 chage 命令.
Linux 用户密码的复杂度可以通过 pam pam_cracklib module 或 pam_passwdqc module 控制, 两者不能同时使用. 个人感觉 pam_passwdqc 更好用.
/etc/login.defs 密码策略
PASS_MAX_DAYS 99999 # 密码的最大有效期, 99999: 永久有期
PASS_MIN_DAYS 0 #是否可修改密码,0 可修改, 非 0 多少天后可修改
PASS_MIN_LEN 5 #密码最小长度, 使用 pam_cracklib module, 该参数不再有效
PASS_WARN_AGE 7 # 密码失效前多少天在用户登录时通知用户修改密码
pam_cracklib 主要参数说明:
tretry=N: 重试多少次后返回密码修改错误
difok=N: 新密码必需与旧密码不同的位数
dcredit=N: N = 0: 密码中最多有多少个数字;N 0 密码中最少有多少个数字.
lcredit=N: 小宝字母的个数
ucredit= N 大宝字母的个数
credit=N: 特殊字母的个数
min >
pam_passwdqc 主要参数说明:
mix: 设置口令字最小长度,默认值是 mix=disabled。
max: 设置口令字的最大长度,默认值是 max=40。
passphrase: 设置口令短语中单词的最少个数,默认值是 passphrase=3,如果为 0 则禁用口令短语。
atch: 设置密码串的常见程序,默认值是 match=4。
similar: 设置当我们重设口令时,重新设置的新口令能否与旧口令相似,它可以是 similar=permit 允许相似或 similar=deny 不允许相似。
random: 设置随机生成口令字的默认长度。默认值是 random=42。设为 0 则禁止该功能。
enforce: 设置约束范围,enforce=none 表示只警告弱口令字,但不禁止它们使用;enforce=users 将对系统上的全体非根用户实行这一限制;enforce=everyone 将对包括根用户在内的全体用户实行这一限制。
non-unix: 它告诉这个模块不要使用传统的 getpwnam 函数调用获得用户信息,
retry: 设置用户输入口令字时允许重试的次数,默认值是 retry=3
密码复杂度通过 /etc/pam.d/system-auth 实施
如:
要使用 pam_cracklib 将注释去掉, 把 pam_passwdqc.so 注释掉即可.
#password requisite /lib/security/$ISA/pam_cracklib.so retry=3 difok=1
password requisite /lib/security/$ISA/pam_passwdqc.so min=disabled,24,12,8,7 passphrase=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
#password requisite /lib/security/$ISA/pam_cracklib.so retry=3 difok=1
新密码至少有一位与原来的不同.
加策略:
1、Linux 系统的用户帐号策略
编辑 /etc/pam.d/system-auth 添加如下语句。
auth required /lib/security/$ISA/pam_tally.so deny=5
account required pam_tally.so
该语句的解释:密码最大联系登录 6 次,超过只能联系管理员。
2、密码策略
2.1 编辑 /etc/login.defs 指定如下参数的值。
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
参数值得解释:PASS_MAX_DAYS(设置密码过期日期)
PASS_MIN_DAYS(设置密码最少更改日期)
PASS_MIN_LEN(设置密码最小长度)时指密码设置的最小长度,一般定义为 8 位以上
PASS_WARN_AGE(设置过期提前警告天数)
2.2 设置账户锁定登陆失败锁定次数、锁定时间
编辑 /etc/pam.d/system- auth 首先 cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
#vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300
解释:设置位密码连续六次锁定,锁定时间 300 秒
解锁用户 faillog -u 用户名》-r
2.3 设置口令的复杂程度。
编辑 /etc/pam.d/system- auth 首先 cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
#vi /etc/pam.d/system-auth
找到 pam_cracklib.so 在后面加一些参数,
例:password requisite pam_cracklib.so minlen=8 ucredit=-2 lcredit=-2 dcredit=-5 ocredit=-1
意思为最少有 2 个大写字母,2 个小写字符,5 个数字,1 个符号
2.4 限制 su 的权限
如果你不想任何人能够用 su 作为 root,可以编辑 /etc/pam.d/su 文件,增加如下两行:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
这时,仅 isd 组的用户可以用 su 作为 root。此后,如果你希望用户 admin 能够用 su 作为 root,可以运行如下命令
# usermod -G10 admin
如何设置 PAM 模块控制 Linux 密码策略
我们在使用 linux 系统设置密码的时候,经常遇到这样的问题,系统提示:您的密码太简单,或者您的密码是字典的一部分。那么系统是如何实现对用户的密码的复杂度的检查的呢?
系统对密码的控制是有两部分 (我知道的) 组成:
1 cracklib
2 login.defs
声明:login.defs 主要是控制密码的有效期。对密码进行时间管理。此处不细谈
login.defs –shadow password suite configuration
pam_cracklib.so 才是控制密码复杂度的关键文件
redhat 公司专门开发了 cracklib 这个安装包来判断密码的复杂度
可以 rpm -ql cracklib 查看
密码的复杂度的判断是通过 pam 模块控制来实现的,具体的模块是 pam_cracklibpam_cracklib 的参数介绍:
debug
This option makes the module write information to syslog(3) indicating the behavior of the module (this option does not write password information to the log file).
type=XXX
The default action is for the module to use the following prompts when requesting passwords: New UNIX password: and Retype UNIX password: . The default word UNIX can be replaced with this option.
retry=N
Prompt user at most N times before returning with error. The default is 1
difok=N
This argument will change the default of 5 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
difignore=N
How many characters should the password have before difok will be ignored. The default is 23.
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a way too short limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
dcredit=N
(N = 0) This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10.
(N 0) This is the minimum number of digits that must be met for a new password.
ucredit=N
(N = 0) This is the maximum credit for having upper case letters in the new password. If you have less than or N upper case letters each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1 which is the recommended value for minlen less than 10.
(N 0) This is the minimum number of upper case letters that must be met for a new password.
lcredit=N
(N = 0) This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10.
(N 0) This is the minimum number of lower case letters that must be met for a new password.
ocredit=N
(N = 0) This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10.
(N 0) This is the minimum number of other characters that must be met for a new password.
use_authtok
This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.
dictpath=/path/to/dict
Path to the cracklib dictionaries.
dictpath=/path/to/dict // 注:密码字典,这个是验证用户的密码是否是字典一部分的关键。
Path to the cracklib dictionaries.
cracklib 密码强度检测过程
首先检查密码是否是字典的一部分,如果不是,则进行下面的检查
密码强度检测过程
These checks are:
Palindrome
Is the new password a palindrome of the old one?
新密码是否旧密码的回文
Case Change Only
Is the new password the the old one with only a change of case?
新密码是否只是就密码改变了大小写
Similar
Is the new password too much like the old one?
新密码是否和旧密码很相似
This is primarily controlled by one argument, difok which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller.
To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument can be used to specify the minimum length a new password needs to be before the difok value is ignored. The default value for difignore is 23.
Simple
Is the new password too small?
新密码是否太短
This is controlled by 5 arguments minlen, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these work and there defaults.
Rotated
Is the new password a rotated version of the old password?
新密码的字符是否
关于“linux 如何实现账号密码安全加固”这篇文章就分享到这里了,希望以上内容可以对大家有一定的帮助,使各位可以学到更多知识,如果觉得文章不错,请把它分享出去让更多的人看到。
向 AI 问一下细节
丸趣 TV 网 – 提供最优质的资源集合!