[리눅스]패스워드 정책 설정

0061. [리눅스] 패스워드 정책설정

/etc/pam.d/system-auth
~~~~~~~~~~~~~~~~
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=2 no_magic_root reset

auth required pam_tally.so onerr=fail deny=5 no_magic_root

account required pam_tally.so onerr=fail no_magic_root reset

연속 3회 login 실패 시 계정이 잠김.
자동으로 풀리지 않음. 관리자가 잠금을 풀어줘야한다.
deny: 실패 회수, 3회 실패 적용은 2로 설정.
no_magic_root: root의 암호는 실제 lock은 걸지 않음
reset: 실패 회수 안에서 login하면 기존 실패 횟수를 reset, 실패에 대한 기록을 다시 함.

log 위치 : /var/log/faillog

# 잠금 해제
faillog -u oracle -r

# 확인 명령
pam_tally
faillog

# 초기화
pam_tally --user oracle --reset


script
--------------------------------------------------------------------------------
echo "
auth required /lib/security/pam_tally.so no_magic_root
account required /lib/security/pam_tally.so deny=2 no_magic_root reset
" >> /etc/pam.d/system-auth

RHEL5
~~~~~~~~~~~~~~~~~~

[root@rhel5 ~]# cat /etc/pam.d/system-auth [ 아래 위치가 중요 ]
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# The below line is used to lock an account if user failed to authenticate 5 times and will be locked for 60 secs.
auth required pam_tally.so onerr=fail deny=3 unlock_time=60

auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
# The below line is required for account lockout due to failed login attempt
account required pam_tally.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid