password policy
A. password complexity
# more /etc/pam.d/system-auth
- Set the minimum password length to 10.
- Enforce that previously used passwords cannot be reused.
# grep pam_cracklib.so /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3
# grep pam_unix.so /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
"remember=5" makes pam_unix keep the hashes of the last 5 passwords in /etc/security/opasswd and reject a new password that matches any of them.
B. Set Password Expiration date
# grep PASS /etc/login.defs
# Get account age information
# chage -l user1
-> Set account password expiration date
# chage -E 12/30/2015 -m 5 -M 90 -I 30 -W 14 jsmith
-E = account expiration date (MM/DD/YYYY as above, or YYYY-MM-DD); with -E -1 the account never expires.
-m = minimum number of days between password changes; 0 means the password can be changed at any time.
-M = maximum number of days a password is valid
-I = number of days of inactivity after a password has expired before the account is locked
-W = number of days of warning before a password change is required
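Sections A and B give the settings to grep for but no way to confirm a host actually meets them. The script below is an added example, not part of the original post: it parses a PAM "password" stack and a login.defs fragment and reports which values fall short of the policy stated above (minlen >= 10, remember >= 5, sha512, PASS_MAX_DAYS <= 90, PASS_MIN_DAYS >= 5, PASS_WARN_AGE >= 14). The inputs are constructed samples so it runs offline; the PAM sample copies the post's own pam_cracklib.so line, whose minlen=8 is below the 10 the post calls for, so the check flags it. The function names and the policy thresholds are this example's own assumptions.

```shell
#!/bin/sh
# Added audit example, not part of the original post: check a PAM "password"
# stack and login.defs against the policy above (minlen >= 10, remember >= 5,
# sha512 hashing, PASS_MAX_DAYS <= 90, PASS_MIN_DAYS >= 5, PASS_WARN_AGE >= 14).
# The inputs below are constructed samples so the script runs without /etc access;
# on a real host pass "$(cat /etc/pam.d/system-auth)" and "$(cat /etc/login.defs)".

# Constructed sample: the two lines the post greps out of /etc/pam.d/system-auth
SAMPLE_PAM='password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5'

# Constructed sample: stock PASS_* values as shipped in a default login.defs
SAMPLE_LOGIN_DEFS='# Password aging controls
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7'

# pam_option TEXT MODULE OPTION: print the value of OPTION=... on the MODULE line (empty if unset)
pam_option() {
    printf '%s\n' "$1" | grep -F -- "$2" | tr ' ' '\n' | grep "^$3=" | head -n 1 | cut -d= -f2
}

# login_def TEXT KEY: print the value of KEY, ignoring comment lines (empty if unset)
login_def() {
    printf '%s\n' "$1" | grep -v '^#' | awk -v k="$2" '$1 == k { print $2 }' | head -n 1
}

# check_pam TEXT: return 0 if the PAM stack meets the policy, 1 otherwise (findings on stdout)
check_pam() {
    rc=0
    minlen=$(pam_option "$1" pam_cracklib.so minlen)
    if [ -z "$minlen" ] || [ "$minlen" -lt 10 ]; then
        echo "FAIL pam_cracklib.so minlen=${minlen:-unset} (policy: >= 10)"; rc=1
    fi
    remember=$(pam_option "$1" pam_unix.so remember)
    if [ -z "$remember" ] || [ "$remember" -lt 5 ]; then
        echo "FAIL pam_unix.so remember=${remember:-unset} (policy: >= 5)"; rc=1
    fi
    if ! printf '%s\n' "$1" | grep -F pam_unix.so | grep -qw sha512; then
        echo "FAIL pam_unix.so does not use sha512"; rc=1
    fi
    return $rc
}

# check_login_defs TEXT: return 0 if the aging defaults meet the policy, 1 otherwise
check_login_defs() {
    rc=0
    max=$(login_def "$1" PASS_MAX_DAYS)
    if [ -z "$max" ] || [ "$max" -gt 90 ]; then
        echo "FAIL PASS_MAX_DAYS=${max:-unset} (policy: <= 90)"; rc=1
    fi
    min=$(login_def "$1" PASS_MIN_DAYS)
    if [ -z "$min" ] || [ "$min" -lt 5 ]; then
        echo "FAIL PASS_MIN_DAYS=${min:-unset} (policy: >= 5)"; rc=1
    fi
    warn=$(login_def "$1" PASS_WARN_AGE)
    if [ -z "$warn" ] || [ "$warn" -lt 14 ]; then
        echo "FAIL PASS_WARN_AGE=${warn:-unset} (policy: >= 14)"; rc=1
    fi
    return $rc
}

# Run both checks on the constructed samples
if check_pam "$SAMPLE_PAM"; then echo "PAM stack: OK"; else echo "PAM stack: non-compliant"; fi
if check_login_defs "$SAMPLE_LOGIN_DEFS"; then echo "login.defs: OK"; else echo "login.defs: non-compliant"; fi
```

The PASS_* values in /etc/login.defs only apply to accounts created after they are set; accounts that already exist keep their own aging fields in /etc/shadow, which is why section B changes them per user with chage and reads them back with chage -l.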