https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/index
https://blog.csdn.net/wh211212/article/details/53992772
Configuring password strength
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/authconfig-pwd
[root@n9e ~]# cat /etc/security/pwquality.conf | grep -v ^#
minlen = 8
minclass = 1
maxrepeat = 0
maxclassrepeat = 0
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
[root@n9e ~]#

Require a minimum length of 9 characters, no character or character class repeated more than twice in a row, and at least one uppercase and one special character:

[root@n9e ~]# authconfig --passminlen=9 --passminclass=3 --passmaxrepeat=2 --passmaxclassrepeat=2 --enablerequpper --enablereqother --update
[root@n9e ~]#
[root@n9e ~]# cat /etc/security/pwquality.conf | grep -v ^#
minlen = 9
minclass = 3
maxrepeat = 2
maxclassrepeat = 2
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
[root@n9e ~]#

[root@n9e ~]# echo "1qaz2wsx#EDC" | pwscore
Password quality check failed:
The password contains more than 2 characters of the same class consecutively
[root@n9e ~]#

[liwm@n9e ~]$ passwd
Changing password for user liwm.
Changing password for liwm.
(current) UNIX password:
New password:
BAD PASSWORD: The password is the same as the old one
New password:
BAD PASSWORD: The password contains more than 2 characters of the same class consecutively
New password:
BAD PASSWORD: The password contains more than 2 characters of the same class consecutively
passwd: Have exhausted maximum number of retries for service
[liwm@n9e ~]$

[liwm@n9e ~]$ passwd
Changing password for user liwm.
Changing password for liwm.
(current) UNIX password:
New password:
BAD PASSWORD: The password is shorter than 9 characters
New password:
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
New password:
BAD PASSWORD: The password contains more than 2 characters of the same class consecutively
passwd: Have exhausted maximum number of retries for service
[liwm@n9e ~]$
# set 8 for minimum password length
[root@linuxprobe~]# authconfig --passminlen=8 --update
# the parameter is set in a config below
[root@linuxprobe~]# grep "^minlen" /etc/security/pwquality.conf
minlen = 8
# set the maximum number of allowed consecutive characters of the same class in the new password (4 here)
[root@linuxprobe~]# authconfig --passmaxclassrepeat=4 --update
# the parameter is set in a config below
[root@linuxprobe~]# grep "^maxclassrepeat" /etc/security/pwquality.conf
maxclassrepeat = 4
# require at least one lowercase character in the new password
[root@linuxprobe~]# authconfig --enablereqlower --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi or another editor)
[root@linuxprobe~]# grep "^lcredit" /etc/security/pwquality.conf
lcredit = -1
# require at least one uppercase character in the new password
[root@linuxprobe~]# authconfig --enablerequpper --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi or another editor)
[root@linuxprobe~]# grep "^ucredit" /etc/security/pwquality.conf
ucredit = -1
# require at least one digit in the new password
[root@linuxprobe~]# authconfig --enablereqdigit --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi or another editor)
[root@linuxprobe~]# grep "^dcredit" /etc/security/pwquality.conf
dcredit = -1
# require at least one special character in the new password
[root@linuxprobe~]# authconfig --enablereqother --update
# the parameter is set in a config below
# (if you'd like to edit the value, edit it with vi or another editor)
[root@linuxprobe~]# grep "^ocredit" /etc/security/pwquality.conf
ocredit = -1
# set the maximum length of monotonic character sequences in the new password (e.g. '12345', 'fedcb')
[root@linuxprobe~]# vi /etc/security/pwquality.conf
# add to the end
maxsequence = 3
# set the number of characters in the new password that must not be present in the old password
[root@linuxprobe~]# vi /etc/security/pwquality.conf
# add to the end
difok = 5
# check whether words longer than 3 characters from the user's passwd GECOS field appear in the new password
[root@linuxprobe~]# vi /etc/security/pwquality.conf
# add to the end
gecoscheck = 1
# set a space-separated list of words that must not be contained in the password
[root@linuxprobe~]# vi /etc/security/pwquality.conf
# add to the end
badwords = denywords1 denywords2 denywords3
# set the hash/crypt algorithm for new passwords (default is sha512)
# show current algorithm
[root@linuxprobe~]# authconfig --test | grep hashing
password hashing algorithm is md5
# change algorithm to sha512
[root@linuxprobe~]# authconfig --passalgo=sha512 --update
[root@linuxprobe~]# authconfig --test | grep hashing
password hashing algorithm is sha512
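As an added illustration (not the page's or libpwquality's own code), the following Python re-implements the pwquality.conf checks tuned above (minlen with credits, minclass, maxrepeat, maxclassrepeat, maxsequence), parses a constructed conf matching the authconfig run, and reproduces the pwscore verdict on the page's sample password; the message texts mirror pwscore's and the fallback defaults are assumptions.

```python
# constructed sample: the policy the authconfig run above writes, plus maxsequence
SAMPLE_CONF = ("minlen = 9\nminclass = 3\nmaxrepeat = 2\nmaxclassrepeat = 2\n"
               "lcredit = -1\nucredit = -1\ndcredit = -1\nocredit = -1\nmaxsequence = 3\n")
# assumed fallback values for keys the conf file leaves unset (0 disables a check or credit)
DEFAULTS = {"minlen": 8, "minclass": 0, "maxrepeat": 0, "maxclassrepeat": 0,
            "maxsequence": 0, "lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
CLASSES = (("lower", "lcredit", "lowercase letters"), ("upper", "ucredit", "uppercase letters"),
           ("digit", "dcredit", "digits"), ("other", "ocredit", "non-alphanumeric characters"))

def parse_pwquality_conf(text):
    """Parse integer 'key = value' lines (comments stripped) on top of the defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        key, _, val = line.split("#", 1)[0].partition("=")
        if val:
            cfg[key.strip()] = int(val)
    return cfg

def char_class(c):
    return "lower" if c.islower() else "upper" if c.isupper() else "digit" if c.isdigit() else "other"

def longest_run(items, step=0):
    """Longest run of equal items (step=0) or of code points rising by step ('12345', 'fedcb')."""
    best = run = 0
    for i, x in enumerate(items):
        same = i and (x == items[i - 1] if step == 0 else ord(x) - ord(items[i - 1]) == step)
        run = run + 1 if same else 1
        best = max(best, run)
    return best

def check_password(pw, cfg):
    """Return None if pw passes, else a pwscore-style message for the first failed check."""
    classes = [char_class(c) for c in pw]
    effective = len(pw)  # length plus credits, as libpwquality counts it
    for cls, key, label in CLASSES:
        n, credit = classes.count(cls), cfg[key]
        if credit < 0 and n < -credit:  # negative credit = that many characters required
            return f"The password contains less than {-credit} {label}"
        effective += min(n, max(credit, 0))  # positive credit = bonus length
    if effective < cfg["minlen"]:
        return f"The password is shorter than {cfg['minlen']} characters"
    if len(set(classes)) < cfg["minclass"]:
        return f"The password contains less than {cfg['minclass']} character classes"
    if cfg["maxrepeat"] and longest_run(pw) > cfg["maxrepeat"]:
        return f"The password contains more than {cfg['maxrepeat']} same characters consecutively"
    if cfg["maxclassrepeat"] and longest_run(classes) > cfg["maxclassrepeat"]:
        return f"The password contains more than {cfg['maxclassrepeat']} characters of the same class consecutively"
    if cfg["maxsequence"] and max(longest_run(pw, 1), longest_run(pw, -1)) > cfg["maxsequence"]:
        return f"The password contains monotonic sequence longer than {cfg['maxsequence']} characters"
    return None
```

The dictionary, palindrome, difok, gecoscheck and badwords checks that pwscore also applies are not modelled here.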
Options:
-h, --help  show this help
--enableshadow, --useshadow  enable shadowed passwords by default
--disableshadow  disable shadowed passwords by default
--enablemd5, --usemd5  enable MD5 passwords by default
--disablemd5  disable MD5 passwords by default
--passalgo=<descrypt|bigcrypt|md5|sha256|sha512>  hash/crypt algorithm for new passwords
--enablenis  enable NIS for user information by default
--disablenis  disable NIS for user information by default
--nisdomain=<domain>  default NIS domain
--nisserver=<server>  default NIS server
--enableldap  enable LDAP for user information by default
--disableldap  disable LDAP for user information by default
--enableldapauth  enable LDAP for authentication by default
--disableldapauth  disable LDAP for authentication by default
--ldapserver=<server>  default LDAP server hostname or URI
--ldapbasedn=<dn>  default LDAP base DN
--enableldaptls, --enableldapstarttls  enable use of TLS with LDAP
--disableldaptls, --disableldapstarttls  disable use of TLS with LDAP
--enablerfc2307bis  enable use of RFC-2307bis schema for LDAP user information lookups
--disablerfc2307bis  disable use of RFC-2307bis schema for LDAP user information lookups
--ldaploadcacert=<URL>  load a CA certificate from this URL
--enablesmartcard  enable authentication with smart card by default
--disablesmartcard  disable authentication with smart card by default
--enablerequiresmartcard  require smart card for authentication by default
--disablerequiresmartcard  do not require smart card for authentication by default
--smartcardmodule=<module>  default smart card module to use
--smartcardaction=<0=Lock|1=Ignore>  action to take when the smart card is removed
--enablefingerprint  enable fingerprint authentication by default
--disablefingerprint  disable fingerprint authentication by default
--enableecryptfs  enable automatic per-user ecryptfs
--disableecryptfs  disable automatic per-user ecryptfs
--enablekrb5  enable kerberos authentication by default
--disablekrb5  disable kerberos authentication by default
--krb5kdc=<server>  default kerberos KDC
--krb5adminserver=<server>  default kerberos admin server
--krb5realm=<realm>  default kerberos realm
--enablekrb5kdcdns  enable use of DNS to find kerberos KDCs
--disablekrb5kdcdns  disable use of DNS to find kerberos KDCs
--enablekrb5realmdns  enable use of DNS to find kerberos realms
--disablekrb5realmdns  disable use of DNS to find kerberos realms
--enablewinbind  enable winbind for user information by default
--disablewinbind  disable winbind for user information by default
--enablewinbindauth  enable winbind for authentication by default
--disablewinbindauth  disable winbind for authentication by default
--smbsecurity=<user|server|domain|ads>  security mode to use for samba and winbind
--smbrealm=<realm>  default realm for samba and winbind when security=ads
--smbservers=<servers>  names of servers to authenticate against
--smbworkgroup=<workgroup>  workgroup the authentication servers are in
--smbidmaprange=<lowest-highest>, --smbidmapuid=<lowest-highest>, --smbidmapgid=<lowest-highest>  uid range winbind will assign to domain or ads users
--winbindseparator=<\>  the character which will be used to separate the domain and user part of winbind-created user names if winbindusedefaultdomain is not enabled
--winbindtemplatehomedir=</home/%D/%U>  the directory which winbind-created users will have as their home directory
--winbindtemplateprimarygroup=<nobody>  the group which winbind-created users will have as their primary group
--winbindtemplateshell=</bin/false>  the shell which winbind-created users will have as their login shell
--enablewinbindusedefaultdomain  configures winbind to assume that users with no domain in their user names are domain users
--disablewinbindusedefaultdomain  configures winbind to assume that users with no domain in their user names are not domain users
--enablewinbindoffline  configures winbind to allow offline login
--disablewinbindoffline  configures winbind to prevent offline login
--enablewinbindkrb5  winbind will use Kerberos 5 to authenticate
--disablewinbindkrb5  winbind will use the default authentication method
--winbindjoin=<Administrator>  join the winbind domain or ads realm now as this administrator
--enableipav2  enable IPAv2 for user information and authentication by default
--disableipav2  disable IPAv2 for user information and authentication by default
--ipav2domain=<domain>  the IPAv2 domain the system should be part of
--ipav2realm=<realm>  the realm for the IPAv2 domain
--ipav2server=<servers>  the server for the IPAv2 domain
--enableipav2nontp  do not setup the NTP against the IPAv2 domain
--disableipav2nontp  setup the NTP against the IPAv2 domain (default)
--ipav2join=<account>  join the IPAv2 domain as this account
--enablewins  enable wins for hostname resolution
--disablewins  disable wins for hostname resolution
--enablepreferdns  prefer dns over wins or nis for hostname resolution
--disablepreferdns  do not prefer dns over wins or nis for hostname resolution
--enablehesiod  enable hesiod for user information by default
--disablehesiod  disable hesiod for user information by default
--hesiodlhs=<lhs>  default hesiod LHS
--hesiodrhs=<rhs>  default hesiod RHS
--enablesssd  enable SSSD for user information by default with manually managed configuration
--disablesssd  disable SSSD for user information by default (still used for supported configurations)
--enablesssdauth  enable SSSD for authentication by default with manually managed configuration
--disablesssdauth  disable SSSD for authentication by default (still used for supported configurations)
--enableforcelegacy  never use SSSD implicitly even for supported configurations
--disableforcelegacy  use SSSD implicitly if it supports the configuration
--enablecachecreds  enable caching of user credentials in SSSD by default
--disablecachecreds  disable caching of user credentials in SSSD by default
--enablecache  enable caching of user information by default (automatically disabled when SSSD is used)
--disablecache  disable caching of user information by default
--enablelocauthorize  local authorization is sufficient for local users
--disablelocauthorize  authorize local users through a remote service as well
--enablepamaccess  check access.conf during account authorization
--disablepamaccess  do not check access.conf during account authorization
--enablesysnetauth  authenticate system accounts through network services
--disablesysnetauth  authenticate system accounts through local files only
--enablemkhomedir  create a home directory for users on their first login
--disablemkhomedir  do not create a home directory for users on their first login
++++++++++++++++++++
The following options actually modify the /etc/security/pwquality.conf configuration file:
--passminlen=<number>  minimum password length
--passminclass=<number>  minimum number of character classes in the password
--passmaxrepeat=<number>  maximum number of identical consecutive characters in the password
--passmaxclassrepeat=<number>  maximum number of consecutive characters of the same class in the password
--enablereqlower  require at least one lowercase letter in the password
--disablereqlower  do not require at least one lowercase letter in the password
--enablerequpper  require at least one uppercase letter in the password
--disablerequpper  do not require at least one uppercase letter in the password
--enablereqdigit  require at least one digit in the password
--disablereqdigit  do not require at least one digit in the password
--enablereqother  require at least one special character in the password
--disablereqother  do not require at least one special character in the password
++++++++++++++++++
--nostart  do not start/stop portmap, ypbind, and nscd
--test  do not update the configuration files, only print the new settings
--update, --kickstart  update the configuration files
--updateall  update all configuration files
--probe  probe network for defaults and print them
--savebackup=<name>  save a backup of all configuration files
--restorebackup=<name>  restore the backup of configuration files
--restorelastbackup  restore the backup of configuration files saved before the previous configuration change
