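1. Edit the /etc/login.defs file
PASS_MAX_DAYS 90 # maximum number of days before a password expires
PASS_MIN_DAYS 0 # minimum number of days between password changes
PASS_MIN_LEN 10 # minimum password length
PASS_WARN_AGE 7 # number of days of warning before a password expires
Reference: https://eternalcenter.com/password-policy-centos8rhel8/
2. Edit the system-auth and password-auth files in /etc/pam.d/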
# Generated by authselect on Wed Feb 12 10:38:46 2020
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# Limit the number of failed password attempts and set the lockout time before retrying
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
# Limit the number of failed password attempts and set the lockout time before retrying
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
# Limit the number of failed password attempts
account required pam_faillock.so
# Set password complexity
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 enforce_for_root
# Remember the last 5 passwords; they cannot be reused
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Detailed study notes on PAM modules: https://www.cnblogs.com/kevingrace/p/8671964.html
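An added example, not part of the original page: a shell audit that reads a login.defs file and one PAM stack file and compares PASS_MAX_DAYS, PASS_WARN_AGE, the pam_faillock preauth and authfail lines, pam_pwquality minlen and pam_unix remember with the values used in steps 1 and 2. The function names and the sample files are constructed for illustration; the sample comments out the authfail line so the audit reports it.

```shell
# Last active value of a login.defs key (a commented line has "#KEY" as field 1).
login_defs_value() {  # $1=file $2=key
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
# Value of option $5 on the first active "$2 ... $3" line carrying keyword $4 ("" = any).
pam_option() {  # $1=file $2=type $3=module $4=keyword $5=option
    awk -v t="$2" -v m="$3" -v w="$4" -v o="$5" '
        $1 == t {
            hit = 0; kw = (w == ""); val = ""
            for (i = 2; i <= NF; i++) {
                if ($i == m) hit = 1
                if ($i == w) kw = 1
                if (index($i, o "=") == 1) val = substr($i, length(o) + 2)
            }
            if (hit && kw) { print val; exit }
        }' "$1"
}

# Compare each setting with this page's value; return the number of mismatches.
audit_policy() {  # $1=login.defs $2=system-auth or password-auth
    fails=0
    want() {  # $1=label $2=actual $3=value used on this page
        if [ "$2" = "$3" ]; then echo "ok   $1=$2"
        else echo "FAIL $1=${2:-unset} (page uses $3)"; fails=$((fails + 1)); fi
    }
    want PASS_MAX_DAYS "$(login_defs_value "$1" PASS_MAX_DAYS)" 90
    want PASS_WARN_AGE "$(login_defs_value "$1" PASS_WARN_AGE)" 7
    for phase in preauth authfail; do
        want "faillock $phase deny" "$(pam_option "$2" auth pam_faillock.so "$phase" deny)" 3
        want "faillock $phase unlock_time" "$(pam_option "$2" auth pam_faillock.so "$phase" unlock_time)" 300
    done
    want "pwquality minlen" "$(pam_option "$2" password pam_pwquality.so "" minlen)" 8
    want "pam_unix remember" "$(pam_option "$2" password pam_unix.so "" remember)" 5
    return "$fails"
}

# Constructed sample input, not a real host: the authfail line is commented out.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'PASS_MAX_DAYS 90' '#PASS_WARN_AGE 14' 'PASS_WARN_AGE 7' > "$d/login.defs"
    printf '%s\n' \
      'auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300' \
      'auth sufficient pam_unix.so nullok try_first_pass' \
      '#auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300' \
      'password requisite pam_pwquality.so try_first_pass minlen=8 dcredit=-1' \
      'password sufficient pam_unix.so sha512 shadow use_authtok remember=5' > "$d/system-auth"
    audit_policy "$d/login.defs" "$d/system-auth"
}
demo || echo "$? setting(s) differ from the page's values"
```

On a real host, call audit_policy once for /etc/pam.d/system-auth and once for /etc/pam.d/password-auth, since step 2 changes both files.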