반응형
Linux 패스워드 정책
기본 비밀번호 항목 지정
/etc/login.defs
vi /etc/login.defs#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
# pam_unix(8) enforces a 2s delay)
#
#FAIL_DELAY 3
# Currently FAILLOG_ENAB is not supported
#
# Enable display of unknown usernames when login(1) failures are recorded.
#
#LOG_UNKFAIL_ENAB no
# Currently LOG_OK_LOGINS is not supported
# Currently LASTLOG_ENAB is not supported
#
# Limit the highest user ID number for which the lastlog entries should
# be updated.
#
# No LASTLOG_UID_MAX means that there is no user ID limit for writing
# lastlog entries.
#
#LASTLOG_UID_MAX
# Currently MAIL_CHECK_ENAB is not supported
# Currently OBSCURE_CHECKS_ENAB is not supported
# Currently PORTTIME_CHECKS_ENAB is not supported
# Currently QUOTAS_ENAB is not supported
# Currently SYSLOG_SU_ENAB is not supported
#
# Enable "syslog" logging of newgrp(1) and sg(1) activity.
#
#SYSLOG_SG_ENAB yes
# Currently CONSOLE is not supported
# Currently SULOG_FILE is not supported
# Currently MOTD_FILE is not supported
# Currently ISSUE_FILE is not supported
# Currently TTYTYPE_FILE is not supported
# Currently FTMP_FILE is not supported
# Currently NOLOGINS_FILE is not supported
# Currently SU_NAME is not supported
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
#HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
# Currently ENV_TZ is not supported
# Currently ENV_HZ is not supported
#
# The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
#ENV_PATH PATH=/bin:/usr/bin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a write(1) program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP as the number of such group
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
# set TTYPERM to either 622 or 600.
#
#TTYGROUP tty
#TTYPERM 0600
# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0700
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# Currently PASS_MIN_LEN is not supported
# Currently SU_WHEEL_ONLY is not supported
# Currently CRACKLIB_DICTPATH is not supported
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
# Extra per user group ids
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
#
# Max number of login(1) retries if password is bad
#
#LOGIN_RETRIES 3
#
# Max time in seconds for login(1)
#
#LOGIN_TIMEOUT 60
# Currently PASS_CHANGE_TRIES is not supported
# Currently PASS_ALWAYS_WARN is not supported
# Currently PASS_MAX_LEN is not supported
# Currently CHFN_AUTH is not supported
#
# Which fields may be changed by regular users using chfn(1) - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
#CHFN_RESTRICT rwh
# Currently LOGIN_STRING is not supported
# Currently MD5_CRYPT_ENAB is not supported
#
# If set to MD5, MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to BLOWFISH, BLOWFISH-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
#
ENCRYPT_METHOD SHA512
#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute-force the password.
# However, more CPU resources will be needed to authenticate users if
# this value is increased.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be within the 1000-999999999 range.
#
#SHA_CRYPT_MAX_ROUNDS 5000
# Currently SHA_CRYPT_MIN_ROUNDS is not supported
# Currently BCRYPT_MIN_ROUNDS and BCRYPT_MAX_ROUNDS are not supported
# Currently CONSOLE_GROUPS is not supported
#
# Should login be allowed if we can't cd to the home directory?
# Default is yes.
#
#DEFAULT_HOME yes
# Currently ENVIRON_FILE is not supported
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# Enables userdel(8) to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
#
# If set to a non-zero number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permits to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP 0
#
# If useradd(8) should create home directories for users by default (non
# system users only).
# This option is overridden with the -M or -m flags on the useradd(8)
# command-line.
#
CREATE_HOME yes
#
# Force use shadow, even if shadow passwd & shadow group files are
# missing.
#
#FORCE_SHADOW yes
#
# Select the HMAC cryptography algorithm.
# Used in pam_timestamp module to calculate the keyed-hash message
# authentication code.
#
# Note: It is recommended to check hmac(3) to see the possible algorithms
# that are available in your system.
#
HMAC_CRYPTO_ALGO SHA512- 해당 파일은 Rocky 9.2 버전의 내용으로 CentOS EOS에 따른 대응 OS
- PASS_MAX_DAYS - 패스워드를 사용할 수 있는 최대 일 수
- PASS_MIN_DAYS - 패스워드를 바꾸는 사이의 최소 일 수
- PASS_MIN_LEN - 패스워드 최소 길이
- PASS_WARN_AGE - 패스워드 만료 전 경고하는 날의 수
패스워드 복잡도 설정
/etc/security/pwquality.conf
vi /etc/security/pwquality.conf# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
# dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
# usercheck = 1
#
# Length of substrings from the username to check for in the password
# The check is enabled if the value is greater than 0 and usercheck is enabled.
# usersubstr = 0
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
# enforcing = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
#
# Prompt user at most N times before returning with error. The default is 1.
# retry = 3
#
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
# enforce_for_root
#
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
# local_users_only
- 해당 파일 또한 Rocky 9.2 버전의 내용으로, 필요한 항목의 주석(#)을 제거하고 설정하여 사용
- minlen - 패스워드 최소 길이
- minclass - 각기 다른 타입의 조합 수, 0은 설정하지 않음을, 4는 대·소문자, 숫자, 특수문자를 사용함을 의미
- maxrepeat - 동일 문자 사용 최대 허용 문자 수 설정
- maxclassrepeat - 동일 타입 사용 최대 허용 문자 수 설정
- lcredit - 소문자 최소 사용 수 설정
- ucredit - 대문자 최소 사용 수 설정
- dcredit - 숫자 최소 사용 수 설정
- ocredit - 특수문자 최소 사용 수 설정
- difok - 이전에 사용하던 패스워드에서 사용한 문자 허용 금지 수 설정
계정 잠금 임계값 설정
/etc/pam.d/system-auth
더보기
vi /etc/pam.d/system-auth
# Generated by authselect on Tue Nov 7 11:57:39 2023
# Do not modify this file manually.
auth required pam_env.so
auth repuired pam_tally2.so deny=5 unlock_time=60
auth required pam_faildelay.so delay= 2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul ar
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregul ar
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issyste m
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_ users_only
password sufficient pam_unix.so sha512 shad ow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so servi ce in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so- auth required pam_tally2.so deny=5 unlock_time=60 - 5회 로그인 실패 시 60초간 계정 잠김을 의미
- 필요 시 해당 위치에 입력하고 수치 변경하여 사용
Session TImeout 설정
vi /etc/profile# /etc/profile
# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc
# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
pathmunge () {
case ":${PATH}:" in
*:"$1":*)
;;
*)
if [ "$2" = "after" ] ; then
PATH=$PATH:$1
else
PATH=$1:$PATH
fi
esac
}
if [ -x /usr/bin/id ]; then
if [ -z "$EUID" ]; then
# ksh workaround
EUID=`/usr/bin/id -u`
UID=`/usr/bin/id -ru`
fi
USER="`/usr/bin/id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
fi
# Path manipulation
if [ "$EUID" = "0" ]; then
pathmunge /usr/sbin
pathmunge /usr/local/sbin
else
pathmunge /usr/local/sbin after
pathmunge /usr/sbin after
fi
HOSTNAME=$(/usr/bin/hostnamectl --transient 2>/dev/null) || \
HOSTNAME=$(/usr/bin/hostname 2>/dev/null) || \
HOSTNAME=$(/usr/bin/uname -n)
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
export HISTCONTROL=ignoreboth
else
export HISTCONTROL=ignoredups
fi
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
for i in /etc/profile.d/*.sh /etc/profile.d/sh.local ; do
if [ -r "$i" ]; then
if [ "${-#*i}" != "$-" ]; then
. "$i"
else
. "$i" >/dev/null
fi
fi
done
unset i
unset -f pathmunge
if [ -n "${BASH_VERSION-}" ] ; then
if [ -f /etc/bashrc ] ; then
# Bash login shells run only /etc/profile
# Bash non-login shells run only /etc/bashrc
# Check for double sourcing is done in /etc/bashrc.
. /etc/bashrc
fi
fi
TMOUT=600
export TMOUT
반응형
'슬기로운 SE 생활' 카테고리의 다른 글
| [서버] 디스크 Predictive Failure (4) | 2023.12.28 |
|---|---|
| [Linux] Package temperature above threshold, cpu clock throttled (+ 내용 추가) (0) | 2023.12.15 |
| [VirtualBox] Failed to open/create the internal network ‘HostInterfaceNetworking-VirtualBox Host-Only Ethernet Adapter’ (0) | 2023.10.10 |
| [VMware] VMware Workstation 17 Player 다운로드, 설치 (0) | 2023.06.27 |
| 광케이블, 광케이블 모드, 광케이블 종류 (1) | 2023.06.08 |
