Linux 密码策略配置

Linux 密码策略配置

环境 Centos 7.9

#!/bin/bash

#密码过期时间(天)
outDay=90
#禁止使用最近的五个旧密码
remember=5

#至少包含一个大写字母
ucredit=-1 
#至少包含两个小写字母
lcredit=-2 
#至少包含一个数字
dcredit=-1 
#至少包含一个标点符号
ocredit=-1



#禁止使用旧密码
comm=$(cat /etc/pam.d/system-auth |grep "password    sufficient    pamunix.so" |wc -l)
if [ $comm -gt 0 ]
then
	sed -i s/^'password    sufficient    pamunix.so'.*$/'password sufficient pamunix.so sha512 shadow nullok tryfirstpass useauthtok remember='$remember/g /etc/pam.d/system-auth
else
	echo "password    sufficient    pamunix.so sha512 shadow nullok tryfirstpass useauthtok remember=$remember" >> /etc/pam.d/system-auth
fi

#设置密码复杂度、最短密码长度
comm=$(cat /etc/pam.d/system-auth |grep "password    requisite     pam_cracklib.so" |wc -l)
if [ $comm -gt 0 ]
then
	sed -i s/^'password    requisite     pam_cracklib.so'.*$/'password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit='$ucredit' lcredit='$lcredit' dcredit='$dcredit' ocredit='$ocredit''/g /etc/pam.d/system-auth
else
	echo "password    requisite     pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=$ucredit lcredit=$lcredit dcredit=$dcredit ocredit=$ocredit" >> /etc/pam.d/system-auth
fi

#设置密码过期时间
comm=$(cat /etc/login.defs |grep "PASS_MAX_DAYS" |wc -l)
if [ $comm -gt 0 ]
then
	sed -i s/^'PASS_MAX_DAYS'.*$/'PASS_MAX_DAYS '$outDay''/g /etc/login.defs
else
	echo "PASS_MAX_DAYS" >> /etc/login.defs
fi