So how does Linux check the complexity of a user's password? The system's control over passwords actually consists of two parts:
1 cracklib
2 /etc/login.defs
pam_cracklib.so (/lib/security/pam_cracklib.so) is the key file that controls password complexity. Red Hat developed the cracklib package specifically to judge password complexity. To see the parameters pam_cracklib accepts, use the following command:
[root@DB-Server security]# man pam_cracklib
Some of the common parameters are:
retry=N
    Changes the number of times the password may be entered; the default is 1, meaning that if the password the user types is not strong enough the module simply exits. This option sets the number of attempts so that you do not have to start over from the beginning.
    Man page: "Prompt user at most N times before returning with error. The default is 1."

minlen=N
    The minimum acceptable length of the new password.
    Man page: "The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password all of the same type of character but may be too low to exploit the added security of an md5 system. Note that there is a pair of length limits in Cracklib itself, a 'way too short' limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module."

difok=N
    The default is 10. This parameter sets the number of characters allowed to be the same between the new and old passwords. However, if 1/2 of the characters in the new password differ from the old password, the new password is accepted.
    Man page: "This argument will change the default of 5 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway."

dcredit=N
    Limits how many digits the new password must contain at minimum.
    Man page: "(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password."

ucredit=N
    Limits how many upper-case characters the new password must contain at minimum.

lcredit=N
    Limits how many lower-case characters the new password must contain at minimum.
For example, in /etc/pam.d/system-auth, append dcredit=3 ucredit=2 to the end of the password line that uses pam_cracklib.so:
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=3 ucredit=2
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Now, if the password you set for a newly created user does not meet the complexity requirements, a prompt such as "BAD PASSWORD: it is based on a dictionary word" appears:
[root@DB-Server ~]# passwd ttt
Changing password for user ttt.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
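To see what the minlen/credit and difok arithmetic quoted above actually accepts for a line like the system-auth example, here is an added Python model of those two rules; it is not code from the original post or from pam_cracklib itself. It assumes the module's ocredit option (the credit for the "other" class, not listed above) and the man page defaults, and it does not model the dictionary check, which needs the cracklib word lists.

```python
"""Model of the minlen/credit and difok rules quoted above (added example, not
code from the post or from pam_cracklib).  The dictionary test is not modelled,
it needs the cracklib word lists.  Defaults are the man page's: minlen 9, each
credit 1, difok 5; ocredit is the module's credit option for the 'other' class."""
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "difok": 5}

def parse_options(pam_line):
    """Extract numeric key=value arguments from a password-stack line."""
    opts = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def char_classes(pw):
    """Count characters per class, keyed by the credit option governing it."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for c in pw:
        counts["dcredit" if c.isdigit() else "ucredit" if c.isupper()
               else "lcredit" if c.islower() else "ocredit"] += 1
    return counts

def length_ok(pw, opts):
    """Credit N >= 0: up to N chars of that class each lower the required length
    by one.  N < 0: at least -N such chars are mandatory and earn no credit."""
    required = opts["minlen"]
    for key, n in char_classes(pw).items():
        credit = opts[key]
        if credit >= 0:
            required -= min(n, credit)
        elif n < -credit:
            return False
    return len(pw) >= required

def different_enough(old, new, opts):
    """difok: chars of new absent from old; half of new differing also passes."""
    differing = sum(1 for c in new if c not in old)
    return differing >= opts["difok"] or differing >= len(new) // 2

def check_password(new, old, pam_line):
    """None if accepted, else a reason in the style of the module's messages."""
    opts = parse_options(pam_line)
    if not different_enough(old, new, opts):
        return "it is too similar to the old one"
    if not length_ok(new, opts):
        return "it is too simple"
    return None
```

Running it against the system-auth line above shows that the positive dcredit=3 only caps the credit digits earn, so a password with no digits still passes; per the man page text, a negative value such as dcredit=-3 is what makes three digits mandatory.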
Reposted from:
Linux Account Password Expiry Security Policy Settings - 瀟湘隱者 - 博客園
http://www.cnblogs.com/kerrycode/p/5600525.html