linux密码策略设置和服务设置.docx

linux密码策略设置和服务设置Linux密码复杂度配置方案 密码复杂度配置目标是保证密码由数字,大写字母,小写字母,符号各至少1位组成, 长度不短于8, 历史记忆密码8个. 由于Suse 9, Suse10, Suse11关于密码验证的系统实现方式略有差别, 本文将针对不同系统版本给出相应配置方法. 1. 对于Suse9 将/etc/pam.d/passwd更改为以下: #%PAM-1.0 auth required pam_unix2.so nullok account required pam_unix2.so password required pam_pwcheck.so password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 use_authtok password required pam_pwcheck.so nullok remember=8 use_authtok password required pam_unix2.so use_authtok nullok session required pam_unix2.so 2. 对于Suse10 /etc/pam.d/common-password更改为以下: # # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix2 in combination # with pam_pwcheck. # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # # To enable Blowfish or MD5 passwords, you should edit # /etc/default/passwd. # # Alternate strength checking for passwords should be configured # in /etc/security/pam_pwcheck.conf. # # pam_make can be used to rebuild NIS maps after password change. # password required password required lcredit=-1 minlen=8 use_authtok password required password required pam_pwcheck.so pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 pam_pwcheck.so nullok remember=8 use_authtok pam_unix2.so use_authtok nullok 注意: 设置完以上密码策略后, 以后不可以用yast工具更改历史密码个数, 否则下次更改密码时, 会一直提示重新输入新密码, 最终无法重置密码. 经确认此为Suse10系统bug. 3. 对于Suse11 (I) 新建/etc/pam.d/common-password-complexity,内容如下: password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8 (II) 将/etc/pam.d/common-password更改为 password requisite pam_pwcheck.so use_authtok nullok cracklib remember=8 password required pam_unix2.so use_authtok nullok (III) 将/etc/pam.d/passwd更改为 #%PAM-1.0 auth include common-auth account include common-account password include common-password-complexity password include common-password session include common-session 注意: 设置完以上密码策略后, 最好也不要用yast工具来更改历史密码个数, 此操作会将/etc/pam.d/common-password文件重置为, password requisite pam_pwcheck.so nullok cracklib remember=8 password required pam_unix2.so use_authtok nullok 系统会将common-password-complexity和common-password当成两个独立的密码验证模块, 以后重置密码, 若输入的新密码不符合复杂度要求, 会再次提示用户输入新密码, 最终报错. 但是对生产无影响, 用户可重试更改密码, 若输入正确密码, 即可修改成功. 关掉系统不必要服务 根据linux系统Runbook, 需要关闭不必要开机自动启动服务, 方法如下: 关掉系统不必要的服务, 执行以下命令: chkconfig alsasound off chkconfig fbset off chkconfig postfix off chkconfig splash off chkconfig splash_early off chkconfig SuSEfirewall2 off 如果以上服务已经设置为开机不启动，重复执行以上命令不会改变设置。 保证系统必须的服务开启, 执行以下命令: chkconfig cron on chkconfig network on chkconfig syslog on chkconfig xinetd on chkconfig sshd on chkconfig ntp on chkconfig raw on 同样，以上命令可以重复执行，即如果sshd服务已经设置为开机自动启动，执行chkconfig sshd on命令后对sshd开机启动配置没有影响。 而对于vsftpd，首先执行rmp qa|grep vsftp, 若无返回结果，则系统未安装ftp服务；若有返回结果，则系统安装了ftp服务，需确定项目是否需要该服务,若不需要,执行chkconfig vsftpd off。