Differences between revisions 13 and 28 (spanning 15 versions)
Revision 13 as of 2022-11-16 09:55:15
Size: 1546
Editor: localhost
Comment:
Revision 28 as of 2022-11-17 09:32:05
Size: 1861
Editor: localhost
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
Describe désert/workarea/2022-11-16 here.
Line 3: Line 2:
根据要求修改RHEL/CentOS Linux 6-7中的用户策略
Line 4: Line 4:
= Step 1: 备份etc目录配制 =
tar -zcvf etc_$(date +%F).tar.gz /etc/
<<TableOfContents()>>
Line 7: Line 6:
= Step 1: 备份etc目录 =
执行修改操作之前, 建议备份/etc相关文件.
Line 8: Line 9:
= Step 2: 修改/etc/pam.d目录中的system-auto文件为指定的参数 = tar -zcf ~/etc_$(date +%F).tar.gz /etc/

= Step 2: 增加或修改/etc/pam.d目录中的system-auth文件为指定的参数 =
Line 11: Line 14:
sed -i.$(date +%F)-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth
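Review bot: this sed only comments out the existing pam_pwquality line; the replacement rules are then appended with `cat >>` at the end of system-auth (Step 2 of the page body), which puts them after the stock `password sufficient pam_unix.so` entry. A sufficient module that succeeds ends the stack, so the appended pam_pwquality check never runs on a password change. Suggest editing the existing pam_pwquality line in place, or inserting the new line ahead of pam_unix, instead of comment-and-append. Also, on RHEL/CentOS 6-7 /etc/pam.d/system-auth is normally a symlink to system-auth-ac maintained by authconfig; GNU `sed -i` without `--follow-symlinks` replaces the link with a regular file, so a later authconfig run will not see these edits.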
Line 15: Line 19:
password required pam_unix.so use_authtok nullok md5
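Review bot: `md5` on this pam_unix.so line selects MD5-based password hashing, which is weaker than the distribution default of sha512, and `nullok` keeps empty passwords acceptable, both of which work against a hardening change. Suggest `password required pam_unix.so use_authtok sha512 shadow` and, after a test password change in Step 5, confirming that the hash for that user in /etc/shadow starts with `$6$`.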
Line 19: Line 24:
= Step 3: 修改/etc/pam.d目录中的login文件为指定的参数 = = Step 3: 增加或修改/etc/pam.d目录中的login文件为指定的参数 =
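Review bot: the login stack shown under Step 3 in the page body is appended to /etc/pam.d/login with `cat >>`, so it duplicates whatever auth/account/session entries the file already has and places pam_tally2.so after them. The pam_tally2 man page puts it as the first auth entry, and a matching `account required pam_tally2.so` line is needed so the counter is reset on a successful login; without it failures accumulate across sessions. Suggest replacing the file (the Step 1 backup already exists) rather than appending, and checking the counter with `pam_tally2 --user root` while running the Step 5 test.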
Line 22: Line 27:
Line 36: Line 40:
Line 45: Line 48:
= Step 4: 验证配制结果 = = Step 5: 验证配制结果 =
Line 50: Line 53:
* passwd root ~# passwd root
Line 52: Line 55:
* passwd OTHER-USER ~# passwd OTHER-USERNAME
Line 57: Line 60:

= References =
 * man pam_tally2
 * man pam_pwquality

Modify the user policy on RHEL/CentOS Linux 6-7 as required

Step 1: Back up the /etc directory

Before making any changes, back up the relevant files under /etc.

tar -zcf ~/etc_$(date +%F).tar.gz /etc/

Step 2: Add or modify the specified parameters in the system-auth file under /etc/pam.d

sed -i.$(date +%F)-bak '/pam_pwquality/s#password#\#password#g' /etc/pam.d/system-auth

cat >> /etc/pam.d/system-auth <<EOF
### $(date +%F) added ###
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF

Step 3: Add or modify the specified parameters in the login file under /etc/pam.d

cat >> /etc/pam.d/login <<EOF
### $(date +%F) added ###
auth     required       pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
EOF

Step 4: Review the configuration files

cat /etc/pam.d/system-auth

cat /etc/pam.d/login

Step 5: Verify the configuration

Change a user's password

Expected result: the password must satisfy the complexity requirements; otherwise the password cannot be set or changed.

~# passwd root

~# passwd OTHER-USERNAME

Log in from the local display or from a remote (KVM/CONSOLE) console

Expected result: after more than 5 failed login attempts as root from LOCAL, the root account is locked and automatically becomes able to log in again after 5 minutes.
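
Added example (not from the wiki page): a POSIX sh audit of the password stack that Step 2 produces, checking module ordering and the hash option before the Step 5 test is run. The sample files are constructed and modelled on a stock RHEL 7 system-auth; the function and file names are this example's own.

```shell
#!/bin/sh
# Audit the "password" stack of a PAM service file after the Step 2 edits.
# Constructed example: checks that the active pam_pwquality.so line comes
# before the first "sufficient pam_unix.so" line (a sufficient module that
# succeeds ends the stack, so a check appended after it never runs) and that
# pam_unix.so does not hash with md5.

# check_password_stack FILE -> status 0 if the stack passes, 1 otherwise
check_password_stack() {
    file=$1; rc=0
    # Active password-type lines only, in file order; comments dropped.
    stack=$(grep -vE '^[[:space:]]*#' "$file" | grep -E '^[[:space:]]*password[[:space:]]')
    pwq=$(printf '%s\n' "$stack" | grep -n 'pam_pwquality\.so' | head -n 1 | cut -d: -f1)
    suff=$(printf '%s\n' "$stack" | grep -nE 'sufficient[[:space:]]+pam_unix\.so' | head -n 1 | cut -d: -f1)
    if [ -z "$pwq" ]; then
        echo "FAIL $file: no active pam_pwquality.so line in the password stack"; rc=1
    elif [ -n "$suff" ] && [ "$pwq" -gt "$suff" ]; then
        echo "FAIL $file: pam_pwquality.so (stack line $pwq) is after sufficient pam_unix.so (stack line $suff) and will not run"; rc=1
    fi
    if printf '%s\n' "$stack" | grep -qE 'pam_unix\.so.*[[:space:]]md5([[:space:]]|$)'; then
        echo "FAIL $file: pam_unix.so hashes with md5; use sha512"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $file"
    return "$rc"
}

# Constructed sample files standing in for /etc/pam.d/system-auth (modelled
# on a stock RHEL 7 stack; not copied from any real host).
TMPDIR_PAM=$(mktemp -d)
BAD_FILE=$TMPDIR_PAM/system-auth.appended   # result of the page's sed + cat >>
GOOD_FILE=$TMPDIR_PAM/system-auth.fixed     # pwquality edited in place, sha512 kept
cat > "$BAD_FILE" <<'EOF'
#password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
### 2022-11-16 added ###
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password  required pam_unix.so use_authtok nullok md5
EOF
cat > "$GOOD_FILE" <<'EOF'
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-4 ocredit=-1 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so
EOF
for f in "$BAD_FILE" "$GOOD_FILE"; do
    check_password_stack "$f" || :   # keep going so both reports print
done
```

Run it against the real file with `check_password_stack /etc/pam.d/system-auth` after sourcing the function; the appended layout reports two FAIL lines, the in-place layout reports OK.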

References

  • man pam_tally2
  • man pam_pwquality

désert/workarea/2022-11-16 (last edited 2022-11-17 09:32:05 by localhost)