
Linux hands-on / CentOS 7 vulnerability checks

02. Password complexity settings (and policy)

[root@centos7 mhpark]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

[root@centos7 mhpark]# cat /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 9
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =

minlen = 8
minclass = 1
maxrepeat = 0
maxclassrepeat = 0
lcredit  = 0
ucredit  = 0
dcredit  = 0
ocredit  = 0

[root@centos7 mhpark]#


-----------------------------------------------------------------

[root@centos7 mhpark]# cat /etc/login.defs

PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

  • PASS_MAX_DAYS 99999: maximum password age of 99999 days, which effectively means the password is used forever
  • PASS_MIN_DAYS 0: the password can be changed at any time
  • PASS_MIN_LEN 5: minimum password length of 5 characters
  • PASS_WARN_AGE 7: 7 days of warning before the password must be changed; the message is shown starting one week before expiry

[root@centos7 mhpark]# cat /etc/security/pwquality.conf

  • minlen: restricts the minimum password length to 8 characters
  • minclass: I am not sure of the exact meaning
  • maxrepeat: allowed length of a run of consecutive characters
  • maxclassrepeat: not sure of the exact meaning of this one either
  • lcredit=-1: must contain at least one lowercase letter
  • ucredit=-1: must contain at least one uppercase letter
  • dcredit=-1: must contain at least one digit
  • ocredit=-1: must contain at least one special character

-----------------------------------------------------------------------------

Note

[root@centos7 mhpark]# authconfig --passminlen=12 --update

After running this, the minlen value in pwquality.conf is changed:

[root@centos7 mhpark]# cat /etc/security/pwquality.conf
minlen = 12 > the value has changed
minclass = 1
maxrepeat = 0
maxclassrepeat = 0
lcredit  = 0
ucredit  = 0
dcredit  = 0
ocredit  = 0

-----------------------------------------------------------------------------

Settings that need to be changed

[root@centos7 mhpark]# vi /etc/login.defs

PASS_MAX_DAYS   90 : use a password for 3 months
PASS_MIN_DAYS   1 : must keep a password for at least one day before changing it
PASS_MIN_LEN    12 : my password is precious, so 12 characters or more
PASS_WARN_AGE   7 : warn me a week ahead so that I actually change it
     

[root@centos7 mhpark]# vi /etc/security/pwquality.conf

minlen = 12 : matched to login.defs.. I don't know what the difference is
minclass = 1 : don't know it, so left at the default
maxrepeat = 2 : allowed length of a run of consecutive characters.. set to 2 for now, considering the number of servers
maxclassrepeat = 0 : don't know it, so left at the default
lcredit  = -1 : at least 1 lowercase letter
ucredit  = -1 : at least 1 uppercase letter
dcredit  = -1 : at least 1 digit
ocredit  = -1 : at least 1 special character
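To make the meaning of these keys concrete, here is an added Python example (not from the original post and not libpwquality itself) that models the checks exactly as the comments in pwquality.conf describe them: minclass is the minimum number of character classes (digits, uppercase, lowercase, others) that must be present, maxclassrepeat caps how many consecutive characters of the same class are allowed, and a credit value below zero is a hard minimum count for that class while a positive value lets characters of that class count extra towards minlen. The recommended configuration above is embedded as constructed sample input; the dictionary, GECOS and old/new-password similarity checks of the real library are deliberately left out.

```python
# Added example (not from the original post): a simplified model of the
# checks documented in pwquality.conf's comments. Not libpwquality.
from typing import Dict, Iterable, List, Union

# Constructed sample input: the recommended pwquality.conf from this page.
RECOMMENDED_CONF = """\
# Configuration for systemwide password quality limits
minlen = 12
minclass = 1
maxrepeat = 2
maxclassrepeat = 0
lcredit  = -1
ucredit  = -1
dcredit  = -1
ocredit  = -1
"""

CLASSES = ("digit", "upper", "lower", "other")
CREDIT_KEYS = {"digit": "dcredit", "upper": "ucredit",
               "lower": "lcredit", "other": "ocredit"}


def parse_pwquality(text: str) -> Dict[str, Union[int, str]]:
    """'key = value' lines; '#' comments and blank lines are ignored and
    integer-looking values (negative ones included) are converted to int."""
    conf: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = int(value) if value.lstrip("-").isdigit() else value
    return conf


def char_class(c: str) -> str:
    """The four classes named in the pwquality.conf comments."""
    if c.isdigit():
        return "digit"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    return "other"


def longest_run(items: Iterable[object]) -> int:
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = None
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(password: str, conf: Dict[str, Union[int, str]]) -> List[str]:
    """Return the rules the password violates (empty list = accepted)."""
    classes = [char_class(c) for c in password]
    counts = {cls: classes.count(cls) for cls in CLASSES}
    violations: List[str] = []

    # Credits: negative N = at least N characters of that class are required;
    # positive N = up to N characters of that class count extra towards
    # minlen, which is why the commented defaults of 1 weaken minlen.
    credit = 0
    for cls in CLASSES:
        key = CREDIT_KEYS[cls]
        setting = int(conf.get(key, 1))  # 1 is the commented default in the file
        if setting < 0:
            if counts[cls] < -setting:
                violations.append(f"{key}: need at least {-setting} {cls} character(s), got {counts[cls]}")
        else:
            credit += min(counts[cls], setting)

    minlen = int(conf.get("minlen", 9))  # 9 is the commented default in the file
    if len(password) + credit < minlen:
        violations.append(f"minlen: length {len(password)} plus credit {credit} is below {minlen}")

    minclass = int(conf.get("minclass", 0))
    present = sum(1 for cls in CLASSES if counts[cls] > 0)
    if minclass > 0 and present < minclass:
        violations.append(f"minclass: {present} character class(es), need {minclass}")

    maxrepeat = int(conf.get("maxrepeat", 0))  # 0 disables the check
    if maxrepeat > 0 and longest_run(password) > maxrepeat:
        violations.append(f"maxrepeat: {longest_run(password)} identical characters in a row, max {maxrepeat}")

    maxclassrepeat = int(conf.get("maxclassrepeat", 0))  # 0 disables the check
    if maxclassrepeat > 0 and longest_run(classes) > maxclassrepeat:
        violations.append(f"maxclassrepeat: {longest_run(classes)} same-class characters in a row, max {maxclassrepeat}")
    return violations


if __name__ == "__main__":
    conf = parse_pwquality(RECOMMENDED_CONF)
    # Constructed test passwords, not real credentials.
    for pw in ("CorrectHorse12!", "Tr0ub4dor&x", "Passw000rd!!"):
        print(pw, "->", check_password(pw, conf) or "accepted")
```

The model makes the credit behaviour visible: with the file's commented defaults (minlen 9, every credit 1) an 8-character password such as "abcdefg1" is accepted because its digit and lowercase characters each add one credit, whereas under the recommended settings it fails on length and on the missing uppercase and special characters. On a real host the `pwscore` utility shipped with libpwquality reads a candidate password from stdin and applies the library's full set of checks against the live configuration.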