密碼設(shè)置復(fù)雜度和期限

以下是通過man pam_cracklib查看獲得的解釋
一　PAM_CRACKLIB模塊可以做的密碼策略：
1.回文限制
2.字符數(shù)量限制
3.字符類型限制
4.重復(fù)字符限制
5.新密碼和老密碼重復(fù)字符數(shù)量限制
6.新密碼和老密碼的相似度記憶
7.記憶最近幾次的密碼不能和老密碼重復(fù)

authtok_type=XXX
           The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
           The example word UNIX can be replaced with this option, by default it is empty.
           當(dāng)輸入新密碼時的默認(rèn)提示
           
difok=N
           This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.
           這個參數(shù)將改變新密碼不同于老密碼5個字符的默認(rèn)設(shè)置
maxrepeat=N
           Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.
           拒絕包含超過N個連續(xù)相同的字符．默認(rèn)是0，意思是不用檢查

maxsequence=N
           Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are 12345
           or fedcb. Note that most such passwords will not pass the
           simplicity check unless the sequence is only a minor part of the password.           
           拒絕密碼包含大于N的單純字符序列．默認(rèn)不檢查，注意大多數(shù)密碼不會通過簡單性檢查除非這個序列是密碼的次要部分
dictpath=/path/to/dict
           Path to the cracklib dictionaries.           

           
二　報錯實例           
如果是和以前用過的相同就會報錯：
Password has been already used. Choose another.
如果新密碼和老密碼一樣就會提示：
Password unchanged
如果新密碼和老密碼相似度太高會提示：
is too similar to the old one
如果設(shè)置的復(fù)雜度不夠會提示：
BAD PASSWORD: it is too short
如果是比如密碼設(shè)置有連續(xù)的多個字符就會提示：
BAD PASSWORD: it is too simplistic/systematic
如果設(shè)密碼超過重復(fù)字符限制：

BAD PASSWORD: contains too many same characters consecutively

三　配置實例

password    requisite     /lib64/security/pam_cracklib.so try_first_pass retry=3 difok=3  
authtok_type=you_must_enter_at_least_3_charactors type=  minlen=8  ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict
password    sufficient    /lib64/security/pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=3

控制標(biāo)識符解釋：
optional The module is required for authentication if it is the only module listed
for a service.
required The module must succeed for access to be granted. PAM continues
to execute the remaining modules in the stack whether the module
succeeds or fails. PAM does not immediately inform the user of the
failure.
requisite The module must succeed for access to be granted. If the module
succeeds, PAM continues to execute the remaining modules in the
stack. However, if the module fails, PAM notifies the user immediately
and does not continue to execute the remaining modules in the stack.
sufficient If the module succeeds, PAM does not process any remaining modules
of the same operation type. If the module fails, PAM processes the
remaining modules of the same operation type to determine overall
success or failure.

四　密碼過期

/etc/login.defs 文件，可以設(shè)置當(dāng)前密碼的有效期限，如果想單獨為每個用戶設(shè)置不同期限使用chage命令．

五　一般的密碼策略

Password must meetthe following complexity requirements:
- Enforce password history: 5 passwords remembered
- Maximum password age: 90 days
- Not contain the user's account name or parts of the user's full name thatexceed two consecutive characters
- Be at least 7 characters in length

- Contain characters from three of the following four categories:
1. English uppercase characters (A through Z)
2. English lowercase characters (a through z)
3. Base 10 digits (0 through 9)
4. Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created