# How to force users to change their password at next login and set password complexity (Ubuntu / CentOS)
###### tags: `pam_pwquality.so`, `minlen`, `ucredit`, `maxrepeat`, `lcredit`, `dcredit`, `centos`
# Overview
There are two ways to set password policies on Linux: one is to set password complexity, the other is to set the password change interval (password aging).
Password complexity: rules the password must satisfy, such as uppercase, lowercase, digits, minimum length and special characters.
Password aging: after how many days the user is forced to change the password, e.g. the maximum number of days and how many days in advance to warn.
## Setting password complexity
Password policies exist to ensure that users set strong passwords; as a Linux administrator you should enforce these policies to make breaches harder.
A strong password should contain uppercase, lowercase, digits and special characters, with a minimum length of 12 to 15 characters.
### Ubuntu (16.04, 18.04, 20.04)
On Ubuntu, first install libpam-pwquality:
```
# sudo apt install libpam-pwquality
```
After installation, edit /etc/pam.d/common-password to set the password complexity:
```
# vim /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
```
Go to the line "password requisite pam_pwquality.so"
Change "password requisite pam_pwquality.so retry=3" to "password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root"
### CentOS (7.8)
CentOS needs no extra packages; edit /etc/pam.d/system-auth directly to set the password complexity:
```
# vim /etc/pam.d/system-auth
```
Go to the following line:
password requisite pam_pwquality.so
and append the following parameters to the end of that line:
minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
The result looks like this:
```
# cat /etc/pam.d/system-auth | grep password | grep requisite
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
```
The parameters mean the following:
* retry=3: The user is prompted up to 3 times before the module gives up and returns an error.
* minlen=12: The password cannot be shorter than 12 characters.
* maxrepeat=3: No more than 3 identical consecutive characters are allowed in the password.
* ucredit=-1: The password must contain at least one uppercase character.
* lcredit=-1: The password must contain at least one lowercase character.
* dcredit=-1: The password must contain at least one digit.
* ocredit=-1: The password must contain at least one special (non-alphanumeric) character.
* difok=3: The new password must contain at least 3 characters that were not present in the old password.
* reject_username: A password is rejected if it contains the username, either as-is or reversed.
* enforce_for_root: The policy is enforced even when it's the root user setting the password.
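To make the individual options concrete, the following POSIX shell script is an added example (not part of the original note and not libpwquality itself): it re-implements the rules enabled above (minlen=12, the four credit options at -1, maxrepeat=3 and reject_username) as a local pre-check that a provisioning script can run before calling passwd. It deliberately does not cover the dictionary check, difok (which needs the old password) or the other pam_pwquality heuristics, so a password that passes here can still be rejected by PAM. The function names and the sample passwords are invented for the example.

```shell
#!/bin/sh
# Local pre-check approximating the pam_pwquality options used in this note:
#   minlen=12  ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  maxrepeat=3  reject_username
# Added, simplified re-implementation for illustration; not libpwquality.
# Usage: policy_check PASSWORD USERNAME   -> exit status 0 = acceptable, 1 = rejected

# reverse_string STR: print STR reversed (needed for the reject_username rule).
reverse_string() {
    s=$1; out=""; i=1
    while [ "$i" -le "${#s}" ]; do
        out="$(printf '%s' "$s" | cut -c "$i")$out"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# longest_run STR: print the length of the longest run of identical consecutive characters.
longest_run() {
    s=$1; prev=""; run=0; best=0; i=1
    while [ "$i" -le "${#s}" ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        if [ "$c" = "$prev" ]; then run=$((run + 1)); else run=1; fi
        if [ "$run" -gt "$best" ]; then best=$run; fi
        prev=$c
        i=$((i + 1))
    done
    printf '%s' "$best"
}

# policy_check PASSWORD USERNAME: print every violated rule, return 1 if any rule failed.
policy_check() {
    pw=$1; user=$2; fail=0
    if [ "${#pw}" -lt 12 ]; then
        echo "BAD PASSWORD: shorter than 12 characters (minlen=12)"; fail=1
    fi
    case $pw in *[[:upper:]]*) ;; *) echo "BAD PASSWORD: no uppercase letter (ucredit=-1)"; fail=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "BAD PASSWORD: no lowercase letter (lcredit=-1)"; fail=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "BAD PASSWORD: no digit (dcredit=-1)"; fail=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "BAD PASSWORD: no non-alphanumeric character (ocredit=-1)"; fail=1 ;; esac
    if [ "$(longest_run "$pw")" -gt 3 ]; then
        echo "BAD PASSWORD: more than 3 identical consecutive characters (maxrepeat=3)"; fail=1
    fi
    # reject_username: compare case-insensitively against the username and its reverse
    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    if [ -n "$luser" ]; then
        case $lpw in
            *"$luser"*|*"$(reverse_string "$luser")"*)
                echo "BAD PASSWORD: contains the username (reject_username)"; fail=1 ;;
        esac
    fi
    return $fail
}

# Demo with constructed sample values (not real credentials):
for candidate in 'password' 'Aa1!bbbbCdef' 'xYdna-Q1z7y!k' 'Tr0ub4dor&3xyz'; do
    echo "checking: $candidate"
    if policy_check "$candidate" andy; then echo "OK: $candidate"; fi
done
```

Running the script prints one BAD PASSWORD line per violated rule, mirroring the messages passwd shows in the transcripts below; only the last sample passes all six checks.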
After editing, add a user with adduser to test:
```
# adduser andy
```
Then set the user's password:
```
# passwd andy
Changing password for user andy.
New password:
BAD PASSWORD: The password contains less than 1 digits
New password:
BAD PASSWORD: The password contains less than 1 uppercase letters
New password:
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service
```
All three attempts failed the complexity rules in /etc/pam.d/system-auth, so the passwd command must be run again:
```
# passwd andy
Changing password for user andy.
New password:
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
New password:
BAD PASSWORD: The password is shorter than 12 characters
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
```
Once the password is set, log in with the new account:
```
$ ssh andy@172.24.248.3
```
## Setting the password change interval (password aging)
### For newly created users
To set password aging for newly created users, edit /etc/login.defs and set the following parameters:
* PASS_MAX_DAYS: Maximum number of days a password may be used.
* PASS_MIN_DAYS: Minimum number of days allowed between password changes.
* PASS_MIN_LEN: Minimum acceptable password length.
* PASS_WARN_AGE: Number of days warning given before a password expires.
```
# vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 10
PASS_MIN_LEN 8
PASS_WARN_AGE 7
```
Note: as a reminder, these settings only apply to accounts created afterwards. To modify existing users, the chage command must be used instead.
Test: once the clock moves past PASS_MAX_DAYS, the user is asked to change the password at login, and the new password must also satisfy the complexity rules set in /etc/pam.d/system-auth:
```
$ ssh andy@172.24.248.3
andy@172.24.248.3's password:
You are required to change your password immediately (password aged)
Last login: Fri Dec 18 09:08:50 2020 from 172.24.248.1
This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user andy.
Changing password for andy.
(current) UNIX password:
New password:
BAD PASSWORD: The password is too similar to the old one
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 172.24.248.3 closed.
```
### For existing users
For existing users, the chage command must be used to set the password aging values:
```
Set the PASS_MAX_DAYS parameter to 90
# sudo chage --maxdays 90 <user>
Set the PASS_MIN_DAYS parameter
# sudo chage --mindays 10 <user>
Set the PASS_WARN_AGE parameter
# sudo chage --warndays 8 <user>
```
For example, use chage to change an existing user's maxdays (the user name is a placeholder here):
```
# chage --maxdays 1 <user>
```
Adjust the system time to test:
```
# date -s "tomorrow"
```
Logging in again prompts the user to change the password, and the new password must satisfy the complexity rules set in /etc/pam.d/system-auth:
```
$ ssh vagrant@172.24.248.3
vagrant@172.24.248.3's password:
You are required to change your password immediately (password aged)
Last login: Tue Dec 22 10:31:29 2020 from 172.24.248.1
This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user vagrant.
Changing password for vagrant.
(current) UNIX password:
New password:
BAD PASSWORD: The password is too similar to the old one
New password:
BAD PASSWORD: The password contains less than 1 uppercase letters
New password:
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
```
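Because /etc/login.defs only affects accounts created after the change, an administrator needs a way to find the existing accounts that still carry the old aging values and to generate the chage commands for them. The following POSIX shell script is an added example (not part of the original note): it reads lines in /etc/shadow format (fields 4, 5 and 6 are min days, max days and warn days), reports every account that does not meet the target PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE values, and prints the matching chage invocation. The shadow lines below are constructed for the example with placeholder hashes; against a real system it would be run as root on /etc/shadow. Function names are invented for the example.

```shell
#!/bin/sh
# Audit which accounts still carry non-compliant aging values after /etc/login.defs
# was changed, and print the chage commands needed to fix them.
# Added example; real use: audit_aging /etc/shadow 90 10 7 (requires root to read /etc/shadow).

# audit_aging SHADOW_FILE MAX MIN WARN
# Prints "user current_max current_min current_warn" for each non-compliant account.
# Accounts whose password field starts with ! or * (locked / no password) are skipped.
audit_aging() {
    awk -F: -v max="$2" -v min="$3" -v warn="$4" '
        $2 ~ /^[!*]/ || NF < 8 { next }
        {
            cur_min  = ($4 == "") ? 0     : $4 + 0   # empty field = no minimum
            cur_max  = ($5 == "") ? 99999 : $5 + 0   # empty field = never expires
            cur_warn = ($6 == "") ? 0     : $6 + 0
            if (cur_max > max || cur_min < min || cur_warn < warn)
                print $1, cur_max, cur_min, cur_warn
        }' "$1"
}

# remediation_commands SHADOW_FILE MAX MIN WARN
# Prints one chage invocation per non-compliant account (does not execute it).
remediation_commands() {
    audit_aging "$@" | while read -r user cur_max cur_min cur_warn; do
        printf 'chage --maxdays %s --mindays %s --warndays %s %s\n' "$2" "$3" "$4" "$user"
    done
}

# Constructed sample in /etc/shadow format (hashes are placeholders, not real):
#   user:hash:lastchange:min:max:warn:inactive:expire:reserved
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
andy:$6$placeholder:18600:10:90:7:::
bob:$6$placeholder:18600:0:99999:7:::
carol:$6$placeholder:18600:10:90:3:::
EOF
}

# Demo when run directly: "-" makes awk read the sample from stdin.
echo "non-compliant accounts (user max min warn):"
sample_shadow | audit_aging - 90 10 7
echo "commands to apply:"
sample_shadow | remediation_commands - 90 10 7
```

With the sample data, andy already matches the targets and daemon is skipped, so the audit lists root and bob (max days 99999, i.e. never expiring) and carol (warning period too short). To force one account to change its password at the next login without shifting the system clock as done above, the -d option listed in the supplement below can be used: chage --lastday 0 <user> sets the last change date to day 0, which makes the password count as expired immediately.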
Supplement:
The options which apply to the chage command are:
* -d, --lastday LAST_DAY: Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area).
* -E, --expiredate EXPIRE_DATE: Set the date or number of days since January 1, 1970 on which the user's account will no longer be accessible. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). A user whose account is locked must contact the system administrator before being able to use the system again. Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.
* -I, --inactive INACTIVE: Set the number of days of inactivity after a password has expired before the account is locked. The INACTIVE option is the number of days of inactivity. A user whose account is locked must contact the system administrator before being able to use the system again. Passing the number -1 as the INACTIVE will remove an account's inactivity.
* -l, --list: Show account aging information.
* -m, --mindays MIN_DAYS: Set the minimum number of days between password changes to MIN_DAYS. A value of zero for this field indicates that the user may change his/her password at any time.
* -M, --maxdays MAX_DAYS: Set the maximum number of days during which a password is valid. When MAX_DAYS plus LAST_DAY is less than the current day, the user will be required to change his/her password before being able to use his/her account. This occurrence can be planned for in advance by use of the -W option, which provides the user with advance warning. Passing the number -1 as MAX_DAYS will remove checking a password's validity.
* -W, --warndays WARN_DAYS: Set the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire.
# References
https://www.thegeekdiary.com/unix-linux-how-to-force-user-to-change-their-password-on-next-login-after-password-has-reset/
https://www.linuxsysadmin.biz/linux-password-policy-etc-login-defs-no-change-for-existing-users/
https://www.linuxtechi.com/enforce-password-policies-linux-ubuntu-centos/