密码设置复杂度和期限

以下是通过man pam_cracklib查看获得的解释
一　PAM_CRACKLIB模块可以做的密码策略：
1.回文限制
2.字符数量限制
3.字符类型限制
4.重复字符限制
5.新密码和老密码重复字符数量限制
6.新密码和老密码的相似度记忆
7.记忆最近几次的密码不能和老密码重复

authtok_type=XXX
           The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
           The example word UNIX can be replaced with this option, by default it is empty.
           当输入新密码时的默认提示
           
difok=N
           This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.
           这个参数将改变新密码不同于老密码5个字符的默认设置
maxrepeat=N
           Reject passwords which contain more than N same consecutive characters. The default is 0 which means that this check is disabled.
           拒绝包含超过N个连续相同的字符．默认是0，意思是不用检查

maxsequence=N
           Reject passwords which contain monotonic character sequences longer than N. The default is 0 which means that this check is disabled. Examples of such sequence are 12345
           or fedcb. Note that most such passwords will not pass the
           simplicity check unless the sequence is only a minor part of the password.           
           拒绝密码包含大于N的单纯字符序列．默认不检查，注意大多数密码不会通过简单性检查除非这个序列是密码的次要部分
dictpath=/path/to/dict
           Path to the cracklib dictionaries.           

           
二　报错实例           
如果是和以前用过的相同就会报错：
Password has been already used. Choose another.
如果新密码和老密码一样就会提示：
Password unchanged
如果新密码和老密码相似度太高会提示：
is too similar to the old one
如果设置的复杂度不够会提示：
BAD PASSWORD: it is too short
如果是比如密码设置有连续的多个字符就会提示：
BAD PASSWORD: it is too simplistic/systematic
如果设密码超过重复字符限制：

BAD PASSWORD: contains too many same characters consecutively

三　配置实例

password    requisite     /lib64/security/pam_cracklib.so try_first_pass retry=3 difok=3  
authtok_type=you_must_enter_at_least_3_charactors type=  minlen=8  ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 dictpath=/usr/share/cracklib/pw_dict
password    sufficient    /lib64/security/pam_unix.so try_first_pass use_authtok nullok sha512 shadow remember=3

控制标识符解释：
optional The module is required for authentication if it is the only module listed
for a service.
required The module must succeed for access to be granted. PAM continues
to execute the remaining modules in the stack whether the module
succeeds or fails. PAM does not immediately inform the user of the
failure.
requisite The module must succeed for access to be granted. If the module
succeeds, PAM continues to execute the remaining modules in the
stack. However, if the module fails, PAM notifies the user immediately
and does not continue to execute the remaining modules in the stack.
sufficient If the module succeeds, PAM does not process any remaining modules
of the same operation type. If the module fails, PAM processes the
remaining modules of the same operation type to determine overall
success or failure.

四　密码过期

/etc/login.defs 文件，可以设置当前密码的有效期限，如果想单独为每个用户设置不同期限使用chage命令．

五　一般的密码策略

Password must meetthe following complexity requirements:
- Enforce password history: 5 passwords remembered
- Maximum password age: 90 days
- Not contain the user's account name or parts of the user's full name thatexceed two consecutive characters
- Be at least 7 characters in length

- Contain characters from three of the following four categories:
1. English uppercase characters (A through Z)
2. English lowercase characters (a through z)
3. Base 10 digits (0 through 9)
4. Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created