Account Passwords

Shielding System Accounts

Description

System accounts are all accounts other than user accounts. They must not be used to log in or to perform other interactive operations, so they must be shielded.

Implementation

Lock the password of each system account and set its login shell to /sbin/nologin:

usermod -L -s /sbin/nologin $systemaccount

NOTE:
$systemaccount indicates the system account.

Restricting Permissions on the su Command

Description

The su command is used to switch user accounts. To improve system security, only the root user and users in the wheel group are allowed to use the su command.

Implementation

Modify the /etc/pam.d/su file as follows:

auth         required      pam_wheel.so use_uid

Table 1 Configuration item in pam_wheel.so

  Item      Description
  use_uid   Checks wheel group membership against the UID of the user who invoked su, rather than the login name.

Setting Password Complexity

Description

You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements.

Implementation

The password complexity is implemented by the pam_pwquality.so and pam_pwhistory.so modules in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. You can modify the configuration items of the two modules to change the password complexity requirements.

Example

This section provides an example for configuring password complexity.

Password Complexity Requirements

  1. Contains at least eight characters.

  2. Contains at least three types of the following characters:

    • At least one lowercase letter

    • At least one uppercase letter

    • At least one digit

    • At least one space or one of the following special characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?

  3. Cannot be the same as an account or the account in reverse order.

  4. Cannot be the last five passwords used.

Implementation

Add the following content to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
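As an added illustration (not part of the openEuler documentation), the following Python function applies the four requirements above using pam_pwquality's credit rules, so you can see why this page sets every credit to 0: with positive credits a shorter password could still reach minlen. The plaintext history comparison is a simplification; pam_pwhistory compares hashes stored in /etc/security/opasswd.

```python
import string

# Special characters accepted by the policy on this page; the leading space is intentional.
SPECIALS = " `~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?"
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(SPECIALS),
}

def check_password(pw, user, history, minlen=8, minclass=3,
                   lcredit=0, ucredit=0, dcredit=0, ocredit=0, remember=5):
    """Return the reasons `pw` violates the policy (an empty list means it is accepted).

    Credits follow pam_pwquality: credit N > 0 lets up to N characters of that class add a
    bonus point each toward minlen, N < 0 requires at least -N characters of the class,
    and 0 (this page's setting) does neither, so minlen is the literal length.
    """
    credits = {"lowercase": lcredit, "uppercase": ucredit, "digit": dcredit, "special": ocredit}
    counts = {name: sum(c in chars for c in pw) for name, chars in CLASSES.items()}
    reasons, score = [], len(pw)
    for name, n in counts.items():
        if credits[name] > 0:
            score += min(n, credits[name])
        elif credits[name] < 0 and n < -credits[name]:
            reasons.append(f"needs at least {-credits[name]} {name} characters")
    if score < minlen:
        reasons.append(f"effective length {score} below minlen={minlen}")
    if sum(1 for n in counts.values() if n) < minclass:
        reasons.append(f"fewer than minclass={minclass} character classes")
    # Rule 3: pam_pwquality's usercheck rejects a password that contains the account name
    # or its reverse (case-insensitively), which also covers "same as the account".
    low, u = pw.lower(), user.lower()
    if u and (u in low or u[::-1] in low):
        reasons.append("contains the account name or its reverse")
    # Rule 4: simplified history check on plaintext; pam_pwhistory compares stored hashes.
    if pw in history[-remember:]:
        reasons.append(f"reused one of the last {remember} passwords")
    return reasons
```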

  

Configuration Item Description

For details about the configuration items of pam_pwquality.so and pam_pwhistory.so, see Table 1 and Table 2, respectively.

Table 1 Configuration items in pam_pwquality.so

  Item               Description
  minlen=8           A password must contain at least eight characters. Because all credits below are 0, this is the literal length.
  minclass=3         A password must contain at least three of the following four types: uppercase letters, lowercase letters, digits, and special characters.
  ucredit=0          Uppercase letters earn no extra credit toward minlen; any number of them may be used.
  lcredit=0          Lowercase letters earn no extra credit toward minlen; any number of them may be used.
  dcredit=0          Digits earn no extra credit toward minlen; any number of them may be used.
  ocredit=0          Special characters earn no extra credit toward minlen; any number of them may be used.
  retry=3            The user is prompted for a new password at most three times before the password change fails.
  enforce_for_root   The requirements are also enforced for the user root.

Table 2 Configuration items in pam_pwhistory.so

  Item               Description
  remember=5         A new password must be different from the last five passwords used.
  enforce_for_root   The restriction is also enforced for the user root.

Setting the Password Validity Period

Description

To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire.

Implementation

The password validity period is set by modifying the /etc/login.defs file. Table 1 describes the hardening items. All hardening items in the table are in the /etc/login.defs file. You can directly modify the items in the configuration file.

Table 1 Configuration items in login.defs

  Item            Description                                                 Suggestion   Default matches suggestion
  PASS_MAX_DAYS   Maximum validity period of a password, in days.             90           No
  PASS_MIN_DAYS   Minimum interval between password changes, in days.         0            No
  PASS_WARN_AGE   Number of days of warning given before a password expires.  7            No

NOTE:
The login.defs file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user root. If the /etc/shadow file contains the same items, the /etc/shadow configuration takes precedence over the /etc/login.defs configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

Setting Password Encryption Algorithms

Description

For system security, passwords must not be stored in plaintext. Because a stored password never needs to be recovered, it must be protected with an irreversible algorithm (a one-way hash). Set the password hashing algorithm to SHA-512; openEuler sets this by default. This setting effectively prevents password disclosure and ensures password security.

Implementation

To set the password encryption algorithm, add the following configuration to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Table 1 Configuration items in pam_unix.so

  Item     Description
  sha512   The SHA-512 algorithm is used to hash passwords stored in /etc/shadow.

Locking an Account After Three Login Failures

Description

To ensure user system security, you are advised to set the maximum number of incorrect password attempts (three attempts are recommended) and the automatic unlocking time (300 seconds are recommended) for a locked account.

While an account is locked, any further input is rejected and does not restart the lock timer. The record of the user's failed attempts is cleared once the account is unlocked. These settings protect passwords against brute-force guessing and improve system security.

NOTE:
By default, the maximum number of incorrect password attempts is 3 in openEuler. After the system is locked, the automatic unlock time is 60 seconds.

Implementation

Account locking is configured by modifying the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. The maximum number of incorrect password attempts is set to 3, and the unlock time after an account is locked is set to 300 seconds. The configuration is as follows:

auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300

Table 1 Configuration items in pam_faillock.so

  Item              Description
  authfail          Records a failed login attempt for the account.
  deny=3            A user account is locked after three consecutive failed login attempts.
  unlock_time=300   A locked common user account is automatically unlocked 300 seconds after it was locked.
  even_deny_root    This configuration is also effective for user root.

Hardening the su Command

Description

To enhance system security and prevent the environment variables of the current user from being carried over when the su command is used to switch to another user, openEuler configures this item by default: the PATH variable is always reinitialized when su switches users.

Implementation

Modify the /etc/login.defs file. The configuration is as follows:

ALWAYS_SET_PATH=yes
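The following script (added here, not part of the openEuler documentation) re-checks the settings from the sections above (system account shells, the su restriction, pam_pwquality, pam_pwhistory, pam_unix sha512, pam_faillock and login.defs) on file contents passed in as strings, so it can run on copies of the files or, as here, on constructed samples. It assumes that system accounts are those with a UID below 1000 other than root, and that a shell ending in nologin or /bin/false counts as shielded. To audit a live host, pass the contents of /etc/pam.d/system-auth, /etc/pam.d/su, /etc/login.defs and /etc/passwd.

```python
import re
# Constructed sample files that mirror the settings on this page (not taken from a real host).
SAMPLE_AUTH = """\
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""
SAMPLE_SU = "auth         required      pam_wheel.so use_uid\n"
SAMPLE_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\nALWAYS_SET_PATH=yes\n"
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/bash\nbin:x:1:1::/:/sbin/nologin\nsync:x:5:0::/sbin:/bin/sync\nalice:x:1000:1000::/home/alice:/bin/bash\n"

def pam_options(text, module):
    """Options of the first uncommented line loading `module`, as {name: value or True}."""
    for fields in (line.split() for line in text.splitlines()):
        if fields and not fields[0].startswith("#") and module in fields:
            parts = (tok.partition("=") for tok in fields[fields.index(module) + 1:])
            return {k: v or True for k, _, v in parts}
    return {}

def login_defs(text):
    """login.defs as a dict; accepts both "KEY VALUE" and "KEY=VALUE" lines."""
    return dict(re.findall(r"^[ \t]*([A-Z_]+)[ \t=]+(\S+)", text, re.M))
def num(opts, key):
    """Integer value of a KEY=VALUE option; 0 when the option is missing or has no value."""
    return int(opts[key]) if isinstance(opts.get(key), str) and opts[key].isdigit() else 0
def audit(auth_text, su_text, defs_text, passwd_text, uid_min=1000):
    """List the hardening items from this page that the given file contents do not meet."""
    pq, ph = pam_options(auth_text, "pam_pwquality.so"), pam_options(auth_text, "pam_pwhistory.so")
    fl, d = pam_options(auth_text, "pam_faillock.so"), login_defs(defs_text)
    checks = [
        (num(pq, "minlen") >= 8 and num(pq, "minclass") >= 3 and pq.get("enforce_for_root") is True,
         "pam_pwquality: minlen>=8 minclass>=3 enforce_for_root"),
        (num(ph, "remember") >= 5, "pam_pwhistory: remember>=5"),
        (pam_options(auth_text, "pam_unix.so").get("sha512") is True, "pam_unix: sha512"),
        (0 < num(fl, "deny") <= 3 and num(fl, "unlock_time") >= 300 and fl.get("even_deny_root") is True,
         "pam_faillock: deny<=3 unlock_time>=300 even_deny_root"),
        (pam_options(su_text, "pam_wheel.so").get("use_uid") is True, "su: pam_wheel.so use_uid"),
        (int(d.get("PASS_MAX_DAYS", 99999)) <= 90 and int(d.get("PASS_WARN_AGE", 0)) >= 7,
         "login.defs: PASS_MAX_DAYS<=90 PASS_WARN_AGE>=7"),
        (d.get("ALWAYS_SET_PATH") == "yes", "login.defs: ALWAYS_SET_PATH=yes"),
    ]
    fails = [what for ok, what in checks if not ok]
    for f in (line.split(":") for line in passwd_text.splitlines()):  # assumption: UID < uid_min = system account
        if len(f) == 7 and f[0] != "root" and int(f[2]) < uid_min and not f[6].endswith(("nologin", "/false")):
            fails.append(f"system account {f[0]} has login shell {f[6]}")
    return fails
```

On the samples above the only finding is the sync account, whose /bin/sync shell does not satisfy the shielding rule in the first section.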
