如何设置PAM模块控制Linux密码策略

　　lcredit=N

　　(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count 1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10.

　　(N < 0) This is the minimum number of lower case letters that must be met for a new password.

　　ocredit=N

　　(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count 1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10.

　　(N < 0) This is the minimum number of other characters that must be met for a new password.

　　use_authtok

　　This argument is used to force the module to not prompt the user for a new password but use the one provided by the previously stacked password module.

　　dictpath=/path/to/dict

　　Path to the cracklib dictionaries.

　　dictpath=/path/to/dict //注：密码字典,这个是验证用户的密码是否是字典一部分的关键.

　　Path to the cracklib dictionaries.

　　cracklib密码强度检测过程

　　检查密码是否是字典的一部分,如果不是,则进行下面的检查

　　密码强度检测过程

　　These checks are:

　　Palindrome

　　Is the new password a palindrome of the old one?

　　新密码是否旧密码的回文

　　Case Change Only

　　Is the new password the the old one with only a change of case?

　　新密码是否只是就密码改变了大小写

　　Similar

　　Is the new password too much like the old one?

　　新密码是否和旧密码很相似

　　This is primarily controlled by one argument, difok which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller.

　　To avoid the lockup associated with trying to change a long and complicated password, difignore is available. This argument can be used to specify the minimum length a new password needs to be before the difok value is ignored. The default value for difignore is 23.

　　Simple

　　Is the new password too small?

　　新密码是否太短

　　This is controlled by 5 arguments minlen, dcredit, ucredit, lcredit, and ocredit. See the section on the arguments for the details of how these work and there defaults.

　　Rotated

　　Is the new password a rotated version of the old password?

　　新密码的字符是否是旧密码字符的一个循环

　　例如旧密码：123

　　新密码：231

　　Already used

　　Was the password used in the past?

　　这个密码以前是否使用过

　　Previously used passwords are to be found in /etc/security/opasswd.

　　那么系统是如何实现这个控制的呢？

　　在系统的配置文件/etc/pam.d/system-auth 中有这样一行

　　password requisite pam_cracklib.so try_first_pass retry=3

　　我们可以根据pam_cracklib的参数这

凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务，公司网站：http://www.lingzhong.cn 为了给广大客户了解更多的技术信息，本技术文章收集来源于网络,凌众科技尊重文章作者的版权，如果有涉及你的版权有必要删除你的文章，请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息，谢谢!