Changing passwords and configuring a password complexity policy on Ubuntu

This tutorial is based on the CSDN blog post "Ubuntu修改密码及密码复杂度策略设置_common-password".

I. Password complexity policy

Note: before applying a complexity policy, change the passwords of the current system users to ones that already satisfy the policy. If they do not, users risk being unable to log in once the policy is in place, so plan this ahead of time.

1. Install the cracklib module

Install the PAM cracklib module; cracklib provides additional password-strength checks.

sudo apt-get install libpam-cracklib

Note: if the module above is not installed, the system is probably using pam_pwquality instead, whose settings live in /etc/security/pwquality.conf.

2. Policy settings

Notes:

  • When testing, change the password as a normal (non-root) user.
  • By default root is not strictly held to the password complexity policy: if root enters a weak password it may well be accepted. This is by design, not a sign that the policy is inactive.
  • If you want root to be restricted as well (important), add enforce_for_root:
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules. See
    # pam-auth-update(8) for details.

    # here are the per-package modules (the "Primary" block)
    password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
    # here's the fallback if no module succeeds
    password requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code

sudo vim /etc/pam.d/common-password

Default configuration:

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;

Modify the password policy (to test a password change you can try G7@kLm#2Qx!9):

  • Forbid reuse of old passwords: find the following configuration and append remember=5, which forbids the 5 most recently used passwords; previously used passwords are stored in /etc/security/opasswd.
  • Set the minimum password length: find the following configuration and change the default minlen=8 to minlen=10, so that passwords must be at least 10 characters long.
  • Set password complexity: find the following configuration and append ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1, meaning the password must contain at least one uppercase letter (ucredit), one lowercase letter (lcredit), one digit (dcredit) and one punctuation character (ocredit); adjust these as needed.

# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
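
As an added example (not code from the original post), the following pure-shell pre-check reproduces the part of the pam_cracklib policy configured above: minlen plus negative ucredit/lcredit/dcredit/ocredit values, each meaning "at least N characters of that class". It does not model positive credits, difok, the dictionary check or remember=; pam_cracklib itself remains the reference. The helper names (count_class, require_class, check_password_policy) and the sample passwords are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline pre-check of a candidate
# password against the pam_cracklib rules configured above. It models minlen and
# NEGATIVE ucredit/lcredit/dcredit/ocredit values only (credit -N means "at least
# N characters of that class"). Positive credits, difok, the dictionary check and
# remember= are not modelled.

# count_class PASSWORD CLASS -> number of characters of PASSWORD in the tr(1) CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# require_class PASSWORD CLASS CREDIT LABEL -> 0 if the class minimum is met
require_class() {
    [ "$3" -lt 0 ] || return 0        # a non-negative credit imposes no minimum here
    need=$(( 0 - $3 ))
    have=$(count_class "$1" "$2")
    if [ "$have" -lt "$need" ]; then
        echo "BAD PASSWORD: needs at least $need $4 character(s), has $have"
        return 1
    fi
    return 0
}

# check_password_policy PASSWORD [MINLEN] [UCREDIT] [LCREDIT] [DCREDIT] [OCREDIT]
# Defaults match the policy line on this page: minlen=10 and every credit -1.
# Returns 0 when every rule passes, 1 otherwise; each failed rule is printed.
check_password_policy() {
    pw=$1
    minlen=${2:-10}
    ucredit=${3:-"-1"}
    lcredit=${4:-"-1"}
    dcredit=${5:-"-1"}
    ocredit=${6:-"-1"}
    rc=0
    if [ "${#pw}" -lt "$minlen" ]; then
        echo "BAD PASSWORD: it is too short (${#pw} < minlen=$minlen)"
        rc=1
    fi
    require_class "$pw" '[:upper:]' "$ucredit" uppercase   || rc=1
    require_class "$pw" '[:lower:]' "$lcredit" lowercase   || rc=1
    require_class "$pw" '[:digit:]' "$dcredit" digit       || rc=1
    require_class "$pw" '[:punct:]' "$ocredit" punctuation || rc=1
    return $rc
}

# Usage: sh check_policy.sh 'G7@kLm#2Qx!9'   (the test password from this page passes)
if [ $# -gt 0 ]; then
    if check_password_policy "$1"; then
        echo "OK: password satisfies the policy"
    else
        exit 1
    fi
fi
```

Run it with the candidate password as the first argument; a non-zero exit status and one line per failed rule make it usable from a provisioning script before the real passwd call, which still applies the full pam_cracklib check.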

Note: once this is configured, attempting to change to a password that is too simple produces errors like the following:

root@ceph1:~# useradd testuser
root@ceph1:~# passwd testuser
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is too simple
Retype new password:
passwd: password updated successfully
root@ceph1:~# su testuser
$ passwd
Changing password for testuser.
Current password:
New password:
BAD PASSWORD: it is WAY too short
New password:
BAD PASSWORD: it is WAY too short
New password:
BAD PASSWORD: it is WAY too short
123
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

Setting the password expiry period

  • Find the following configuration. The default is 99999 days, which effectively means no limit; users are warned to change their password 7 days before it expires. Adjust these to your actual requirements.
  • Original configuration:
    #
    # Password aging controls:
    #
    # PASS_MAX_DAYS Maximum number of days a password may be used.
    # PASS_MIN_DAYS Minimum number of days allowed between password changes.
    # PASS_WARN_AGE Number of days warning given before a password expires.
    #
    PASS_MAX_DAYS 99999
    PASS_MIN_DAYS 0
    PASS_WARN_AGE 7
  • Change the expiry period:
    sudo vim /etc/login.defs

    PASS_MAX_DAYS 180
    PASS_MIN_DAYS 0
    PASS_WARN_AGE 14
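
Added example, not part of the original post: a small shell helper that reads the aging keys from a login.defs-style file and builds the matching chage(1) options. The point it adds is that PASS_MAX_DAYS in /etc/login.defs is only the default that useradd copies into /etc/shadow for accounts created afterwards; accounts that already exist keep their previous values until chage (or passwd -x/-n/-w) is run on them. The sample file and the helper names (get_login_def, chage_args_from_defs, check_max_days) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): read the password-aging keys from a
# login.defs-style file and build the matching chage(1) options. /etc/login.defs
# only supplies the defaults that useradd copies into /etc/shadow for accounts
# created AFTER the change; existing accounts keep their old values until
# "chage" (or "passwd -x/-n/-w") is run on them.
# The sample file below is constructed here; it is not read from the system.

SAMPLE_DEFS=$(mktemp)
trap 'rm -f "$SAMPLE_DEFS"' EXIT
cat > "$SAMPLE_DEFS" <<'EOF'
#
# Password aging controls (constructed sample, values from this page):
#
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   180
PASS_MIN_DAYS   0
PASS_WARN_AGE   14
EOF

# get_login_def FILE KEY -> value of KEY (comment lines ignored, last occurrence wins);
# exit status 1 when KEY is not set in FILE
get_login_def() {
    awk -v key="$2" '$1 == key { val = $2; found = 1 }
                     END { if (!found) exit 1; print val }' "$1"
}

# chage_args_from_defs FILE -> "-M max -m min -W warn"; keys the file leaves unset
# fall back to the stock values shown on this page (99999 / 0 / 7)
chage_args_from_defs() {
    max=$(get_login_def "$1" PASS_MAX_DAYS) || max=99999
    min=$(get_login_def "$1" PASS_MIN_DAYS) || min=0
    warn=$(get_login_def "$1" PASS_WARN_AGE) || warn=7
    printf '%s\n' "-M $max -m $min -W $warn"
}

# check_max_days FILE LIMIT -> 0 if PASS_MAX_DAYS is set and no larger than LIMIT
# (an audit check: the stock 99999 means passwords never expire)
check_max_days() {
    max=$(get_login_def "$1" PASS_MAX_DAYS) || return 1
    [ "$max" -le "$2" ]
}

# Usage on a real host, for accounts that already exist (new accounts pick the
# defaults up from the file on creation):
#   sudo chage $(chage_args_from_defs /etc/login.defs) alice
#   chage -l alice      # verify the new maximum / warning values
echo "chage options for the sample file: $(chage_args_from_defs "$SAMPLE_DEFS")"
```

After editing /etc/login.defs, loop over the existing human accounts with the chage command from the usage comment and confirm with chage -l; check_max_days gives a one-line compliance check against whatever maximum your policy requires.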