common-password: setting password complexity
gua_l | shell | 2020-04-03 10:07:53

Setting password complexity

http://www.linux-pam.org/Linux-PAM-html/sag-pam_cracklib.html

Install libpam-cracklib:

apt-get install libpam-cracklib

Edit the configuration in /etc/pam.d/common-password; the change takes effect as soon as the file is saved.

If enforce_for_root is added, the rules are enforced for root as well.

By default they are not enforced for root: when root is the user making the change, the failed check is only reported as a message and the change still succeeds.

vi common-password

password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 ocredit=-1 enforce_for_root

The example above means: up to three retries, a minimum length of 8 (minlen=8), at least 3 characters different from the old password, at least one digit, at least one other (non-alphanumeric) character, and the rules are enforced for root as well.

Option descriptions, quoted from the pam_cracklib manual:

http://www.linux-pam.org/Linux-PAM-html/sag-pam_cracklib.html

-----------------


difok=N

This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.

minlen=N

The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old style UNIX password all of the same type of character but may be too low to exploit the added security of an md5 system. Note that there is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.

dcredit=N

(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of digits that must be met for a new password.

ucredit=N

(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of upper case letters that must be met for a new password.

lcredit=N

(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of lower case letters that must be met for a new password.

ocredit=N

(N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10.

(N < 0) This is the minimum number of other characters that must be met for a new password.

minclass=N

The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters, and other characters. The difference from the credit check is that no specific class of characters is required. Instead, N out of the four classes are required.

enforce_for_root

The module will return an error on a failed check even if the user changing the password is root. This option is off by default, which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password, so the checks that compare the old and new password are not performed.

When root changes root's own password, root is not asked for the old password, so the difference from the old password is not checked; the "at least three characters different" rule (difok=3) in the example above therefore has no effect when root changes its own password.
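As an added example (not code from the original post and not Linux-PAM's own code), the following Python script re-implements the minlen/credit arithmetic from the manual text quoted above and the root behaviour described in the last two paragraphs, so a candidate password can be scored against the post's common-password line offline. The names (CracklibOpts, parse_pam_line, check_password) and the use of Levenshtein edit distance for the difok test are this example's assumptions; the cracklib dictionary, palindrome and case-change checks are not modelled.

```python
"""Offline model of the pam_cracklib rules described on this page.

Added example, not code from the original post nor from Linux-PAM.
Assumptions: difok is modelled as plain edit distance; the cracklib
dictionary, palindrome and case-only checks are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NUMERIC_OPTS = ("retry", "minlen", "difok", "dcredit", "ucredit",
                "lcredit", "ocredit", "minclass")


@dataclass
class CracklibOpts:
    # Defaults follow the manual text quoted above.
    retry: int = 1
    minlen: int = 9
    difok: int = 5
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    minclass: int = 0
    enforce_for_root: bool = False


def parse_pam_line(line: str) -> CracklibOpts:
    """Parse a 'password requisite pam_cracklib.so k=v ...' line."""
    fields = line.split()
    if len(fields) < 3 or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib.so line")
    opts = CracklibOpts()
    for arg in fields[3:]:
        if arg == "enforce_for_root":
            opts.enforce_for_root = True
            continue
        key, _, value = arg.partition("=")
        if key in NUMERIC_OPTS:      # other options (type=, ...) are ignored here
            setattr(opts, key, int(value))
    return opts


def count_classes(pw: str) -> dict:
    """Count digit, upper, lower and 'other' characters in pw."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in pw:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def length_check(opts: CracklibOpts, pw: str) -> Optional[str]:
    """minlen with credits, negative-credit minimums, minclass. None = pass."""
    counts = count_classes(pw)
    credit = 0
    for cls, n in (("digit", opts.dcredit), ("upper", opts.ucredit),
                   ("lower", opts.lcredit), ("other", opts.ocredit)):
        have = counts[cls]
        if n >= 0:
            credit += min(have, n)   # N >= 0: up to N chars of this class count +1 each
        elif have < -n:              # N < 0: at least -N chars of this class required
            return f"needs at least {-n} {cls} character(s)"
    if len(pw) + credit < opts.minlen:
        return f"too short: {len(pw)} chars + {credit} credit < minlen={opts.minlen}"
    present = sum(1 for v in counts.values() if v > 0)
    if present < opts.minclass:
        return f"needs {opts.minclass} character classes, has {present}"
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (assumed approximation of the difok comparison)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(opts: CracklibOpts, new: str, old: Optional[str] = None,
                   user: str = "alice") -> Tuple[bool, List[str]]:
    """(accepted, messages). old=None: no old password asked, difok skipped."""
    problems: List[str] = []
    if old is not None and edit_distance(old, new) < opts.difok:
        problems.append(f"too similar to the old password (fewer than difok={opts.difok} changes)")
    reason = length_check(opts, new)
    if reason:
        problems.append(reason)
    if not problems:
        return True, []
    if user == "root" and not opts.enforce_for_root:
        # Default behaviour: the failure is only printed, the change goes through.
        return True, ["warning only (root, no enforce_for_root): " + p for p in problems]
    return False, problems


# The line from the post, and the same line without enforce_for_root.
STRICT = parse_pam_line("password requisite pam_cracklib.so retry=3 minlen=8 "
                        "difok=3 dcredit=-1 ocredit=-1 enforce_for_root")
LAX = parse_pam_line("password requisite pam_cracklib.so retry=3 minlen=8 "
                     "difok=3 dcredit=-1 ocredit=-1")

if __name__ == "__main__":
    for pw, old, user, opts in [("Abc12!", None, "alice", STRICT),
                                ("abc123!y", "abc123!x", "alice", STRICT),
                                ("abcdefgh", None, "root", LAX),
                                ("abcdefgh", None, "root", STRICT)]:
        ok, msgs = check_password(opts, pw, old, user)
        print(f"{user:6} {pw!r:12} -> {'accepted' if ok else 'rejected'} {msgs}")
```

Running it shows the credit effect the post's one-line summary glosses over: with the default ucredit=1 and lcredit=1 still in force, the six-character Abc12! satisfies minlen=8 (6 characters plus one upper-case and one lower-case credit), so minlen=8 does not by itself mean eight characters; set ucredit=0 and lcredit=0 if a hard eight-character floor is wanted. It also shows that without enforce_for_root the same weak password is accepted for root with only a warning, and that with old=None (root not asked for the old password) the difok rule never fires.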



