전체 적용 : /etc/login.def 파일 편집
참고 사이트 1 : http://tong.nate.com/mahyun/36502095
ex)
usermod -e YYYY-MM-DD ID
cat /etc/shadow 에 보시면 8번째 항목이 expire date 이다.
추가 옵션 :
-n 패스워드 변경까지의 최단 날짜의 설정
-x 현재 패스워드의 유효기간을 지정한다.
-w 패스워드 만료 전 경고 날짜를 지정한다.
-i
패스워드 만료된 뒤에 사용자 계정사용이 불가능하게 하기
까지의 기간을 설정한다.
2. 계정 잠금 설정하기 ( faillog )
참고 사이트 1 : http://blog.naver.com/sulla_now?Redirect=Log&logNo=140027805370
참고 사이트 2 : http://wiki.kldp.org/wiki.php/DocbookSgml/PAM_admin-TRANS
위의 내용을 보면 /etc/pam.d/system-auth 에 아래의 2 라인을 추가 한다.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally2.so onerr=fail
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
추가가 완료되면
pam_tally2 명령을 이용하여 현재 실패한 횟수를 체크하고
/var/log/secure 에 pam_tally2(sshd:auth): user yjj1 (6005) tally 4, deny 3
위와 같은 secure 로그를 뿌려준다.
lock 걸려있는 사용자의 해제 방법은 pam_tally2 --user id -r 이며,
자세한 내용은 위의 참고 사이트에서 확인 하시기 바랍니다.
추가적으로 pam_cracklib 모듈을 이용하여 패스워드의 정규 표현식도 구현이 가능하다
ex)
password required /lib/security/$ISA/pam_cracklib.so retry=3
minlen=8 ocredit=-1 dcredit=-1
retry=N
Prompt user at most N times before returning with error. The default is 1
minlen=N
The minimum acceptable size for the new password (plus one if credits are
not disabled which is the default). In addition to the number of characters
in the new password, credit (of +1 in length) is given for each different
kind of character (other, upper, lower and digit). The default for this
parameter is 9 which is good for a old style UNIX password all of the same
type of character but may be too low to exploit the added security of a md5
system. Note that there is a pair of length limits in Cracklib itself, a
"way too short" limit of 4 which is hard coded in and a defined limit (6)
that will be checked without reference to minlen. If you want to allow
passwords as short as 5 characters you should not use this module.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new
password. If you have less than or N other characters, each character will
count +1 towards meeting the current minlen value. The default for ocredit
is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be met for
a new password.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password.
If you have less than or N digits, each digit will count +1 towards meeting
the current minlen value. The default for dcredit is 1 which is the
recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be met for a new
password.
(0) 
(0)Posted by 삐꾸강아쥐
