
    Account Passwords

    Shielding System Accounts


    All accounts other than user accounts are system accounts. System accounts are not meant to be used for logins or for other interactive operations. Therefore, system accounts must be shielded.


    Modify the shell of a system account to /sbin/nologin.

    usermod -L -s /sbin/nologin $systemaccount

    NOTE: $systemaccount indicates the system account.
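    Before running the usermod command above, it helps to know which system accounts still have a login shell. The following is an added example, not code from the openEuler guide: a POSIX sh function that reads /etc/passwd-format lines and lists system accounts whose shell is not /sbin/nologin or /bin/false. It assumes that every account with a UID between 1 and UID_MIN - 1 is a system account (UID_MIN is passed as the first argument; 1000 is typical, but check the UID_MIN value in /etc/login.defs on the target system). The sample passwd lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the openEuler guide): find system accounts that are
# not yet shielded, so "usermod -L -s /sbin/nologin ACCOUNT" can be applied to
# exactly those accounts.
#
# Assumption: 0 < UID < UID_MIN marks a system account; UID_MIN is $1.
# Input: /etc/passwd format on stdin (name:x:uid:gid:gecos:home:shell).
# Output: one "name:shell" line per system account with a usable login shell.
unshielded_system_accounts() {
    uid_min=${1:-1000}
    awk -F: -v uid_min="$uid_min" '
        NF < 7 { next }                          # skip malformed lines
        $3 + 0 == 0 { next }                     # root is a user account, handled elsewhere
        $3 + 0 >= uid_min { next }               # regular user accounts are out of scope
        $7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }
    '
}

# Constructed sample resembling /etc/passwd (not data from a real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
appsvc:x:500:500:Application service:/var/lib/appsvc:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# On a live system the call would be:  unshielded_system_accounts 1000 < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | unshielded_system_accounts 1000
# prints:
# backup:/bin/sh
# appsvc:/bin/bash
```

    Each name the function prints is a candidate for the usermod command above; the -L option in that command additionally locks the account's password, so the account can neither log in interactively nor authenticate with a password.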

    Restricting Account Permissions on the su Command


    The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.


    Modify the /etc/pam.d/su file as follows:

    auth         required      pam_wheel.so use_uid

    Table 1 Configuration item in pam_wheel.so

    Item       Description
    use_uid    The wheel group check is performed against the UID of the current account.

    Setting Password Complexity


    You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements.


    The password complexity is implemented by the pam_pwquality.so and pam_pwhistory.so modules in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. You can modify the configuration items of the two modules to change the password complexity requirements.


    This section provides an example for configuring password complexity.

    Password Complexity Requirements

    1. Contains at least eight characters.

    2. Contains at least three types of the following characters:

      • At least one lowercase letter

      • At least one uppercase letter

      • At least one digit

      • At least one space or one of the following special characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?

    3. Cannot be the same as an account name or the account name in reverse order.

    4. Cannot be the last five passwords used.


    Add the following two lines at the beginning of the password section in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

    password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0 
    password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root

    Configuration Item Description

    For details about the configuration items of pam_pwquality.so and pam_pwhistory.so, see Table 2 and Table 3, respectively.

    Table 2 Configuration items in pam_pwquality.so

    Item               Description
    minlen=8           A password must contain at least eight characters.
    minclass=3         A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.
    ucredit=0          A password contains any number of uppercase letters.
    lcredit=0          A password contains any number of lowercase letters.
    dcredit=0          A password contains any number of digits.
    ocredit=0          A password contains any number of special characters.
    retry=3            Up to three attempts are allowed each time a password is changed.
    enforce_for_root   This configuration is also effective for user root.

    Table 3 Configuration items in pam_pwhistory.so

    Item               Description
    remember=5         A password must be different from the last five passwords used.
    enforce_for_root   This configuration is also effective for user root.
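    To make the four requirements above concrete, the following added example (not code from the openEuler guide or from libpwquality) writes them out as POSIX sh checks that can be run against sample input: minimum length (minlen=8), number of character classes (minclass=3), the account-name rule, and the password history (remember=5). The function names class_count, reverse and check_password are this example's own, and the history is passed as a constructed space-separated list in clear text, whereas pam_pwhistory keeps hashes in /etc/security/opasswd. Note that pam_pwquality is stricter than requirement 3 as stated here: it also rejects a password that merely contains the user name or its reverse.

```shell
#!/bin/sh
# Added example: the page's password complexity requirements as shell checks.
# Not the pam_pwquality/pam_pwhistory implementation; names are this example's own.

# Number of character classes present in $1: lowercase, uppercase, digit, other
# (space and the special characters listed on the page fall into "other").
class_count() {
    n=0
    printf '%s' "$1" | LC_ALL=C grep -q '[a-z]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[A-Z]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[0-9]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[^a-zA-Z0-9]' && n=$((n + 1))
    echo "$n"
}

# Reverse the string $1 with awk (rev(1) is not present on every minimal system).
reverse() {
    printf '%s\n' "$1" | awk '{ r = ""; for (i = length($0); i > 0; i--) r = r substr($0, i, 1); print r }'
}

# check_password USER NEWPASSWORD "OLD1 OLD2 ..."
# Exit 0 if NEWPASSWORD satisfies requirements 1-4, exit 1 with a reason otherwise.
# The history list is word-split on spaces, so this toy cannot hold old passwords
# that themselves contain spaces.
check_password() {
    user=$1; pw=$2; history=$3
    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: fewer than 8 characters (minlen=8)"; return 1
    fi
    if [ "$(class_count "$pw")" -lt 3 ]; then
        echo "rejected: fewer than 3 character classes (minclass=3)"; return 1
    fi
    if [ "$pw" = "$user" ] || [ "$pw" = "$(reverse "$user")" ]; then
        echo "rejected: equals the account name or its reverse"; return 1
    fi
    for old in $history; do
        if [ "$pw" = "$old" ]; then
            echo "rejected: matches one of the last 5 passwords (remember=5)"; return 1
        fi
    done
    echo "accepted"
}

# Constructed demonstration values (not real credentials).
check_password alice 'Tr0ub4dor-42' 'OldPass#1 OldPass#2'   # accepted
check_password alice 'pass word1'   ''                      # accepted: a space counts as a class
check_password alice 'Ab1!xyz'      ''                      # rejected: 7 characters
check_password alice 'abcdefgh1'    ''                      # rejected: 2 classes
check_password Admin-2024 '4202-nimdA' ''                   # rejected: reverse of the account name
check_password alice 'OldPass#1'    'OldPass#1 OldPass#2'   # rejected: in history
```

    The credit settings (ucredit, lcredit, dcredit, ocredit) are all 0 in the page's configuration, which is why the length check above is a plain character count: no class earns extra length credit.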

    Setting the Password Validity Period


    To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire.


    The password validity period is set by modifying the /etc/login.defs file. Table 4 describes the hardening items. All hardening items in the table are in the /etc/login.defs file. You can directly modify the items in the configuration file.

    Table 4 Configuration items in login.defs

    Item            Description
    PASS_MAX_DAYS   Maximum validity period of a password.
    PASS_MIN_DAYS   Minimum interval between password changes.
    PASS_WARN_AGE   Number of days before the password expires on which the user is warned.



    NOTE: The login.defs file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user root. If the /etc/shadow file contains the same items, the /etc/shadow configuration takes precedence over the /etc/login.defs configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.
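    Because the per-account values in /etc/shadow take precedence, changing PASS_MAX_DAYS in /etc/login.defs only affects accounts created afterwards; existing accounts keep the maximum age recorded in their /etc/shadow entry. The following added example (not code from the openEuler guide) reads /etc/shadow-format lines and reports accounts whose maximum password age is unset or larger than a limit given as the first argument, so those accounts can be corrected individually with chage. The sample shadow lines and the limit of 90 days are constructed for the demonstration; the page itself does not prescribe a value.

```shell
#!/bin/sh
# Added example (not from the openEuler guide): audit maximum password age in
# /etc/shadow, where existing accounts keep values that /etc/login.defs does not
# override. Function name is this example's own.
#
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# shadow_max_days_audit LIMIT  < shadow-format lines
#   prints "name:max" for every password-enabled account whose max age (field 5)
#   is empty or greater than LIMIT.
shadow_max_days_audit() {
    limit=$1
    awk -F: -v limit="$limit" '
        NF < 5 { next }                      # malformed line
        $2 ~ /^[!*]/ { next }                # locked ("!") or no password ("*"): no password login
        $5 == "" || $5 + 0 > limit { print $1 ":" ($5 == "" ? "unset" : $5) }
    '
}

# Constructed sample resembling /etc/shadow (placeholder hashes, not real data).
# root appears in the report because login.defs never applied to root; its age
# limit, if policy requires one, is set directly with chage.
SAMPLE_SHADOW='root:$6$salt$hash:19700:0:99999:7:::
alice:$6$salt$hash:19700:0:99999:7:::
bob:$6$salt$hash:19700:0:90:7:::
carol:!$6$salt$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::'

# On a live system (as root):  shadow_max_days_audit 90 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | shadow_max_days_audit 90
# prints:
# root:99999
# alice:99999
```

    For each reported account, the age is corrected per account (for example with chage -M DAYS ACCOUNT, where DAYS is the value chosen for PASS_MAX_DAYS), after which the next run of the audit should print nothing.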

    Setting Password Encryption Algorithms


    For system security, passwords must never be stored in plaintext. Passwords that never need to be recovered must be protected with an irreversible (one-way hash) algorithm. Set the password encryption algorithm to SHA-512. This item is already set by default in openEuler. The preceding settings effectively prevent password disclosure and ensure password security.


    To set the password encryption algorithm, add the following configuration to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

    Table 5 Configuration items in pam_unix.so

    Item      Description
    sha512    The SHA-512 algorithm is used for password encryption.

    Locking an Account After Three Login Failures


    To ensure user system security, you are advised to set the maximum number of failed login attempts (three attempts are recommended) and the automatic unlocking time (300 seconds are recommended) for a locked account.

    While an account is locked, every login attempt is rejected, and a rejected attempt does not reset the unlock countdown. The record of the account's failed attempts is cleared once the account is unlocked. These settings protect passwords against brute-force guessing and improve system security.

    NOTE: By default, the maximum number of failed login attempts is 3 in openEuler. After an account is locked, the automatic unlock time is 60 seconds.


    Account locking is configured by modifying the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. In the following configuration, the maximum number of failed login attempts is set to 3, and the unlock time after an account is locked is set to 300 seconds:

    auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
    auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
    auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300

    Table 6 Configuration items in pam_faillock.so

    Item              Description
    audit             Captures account login failure events.
    deny=3            A user account will be locked after three failed login attempts.
    unlock_time=300   A locked common user account is automatically unlocked after 300 seconds.
    even_deny_root    This configuration is also effective for user root.
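    A hardening setting is only as good as the line that actually ends up in the PAM file, so it pays to verify the result. The following added example (not code from the openEuler guide) checks a PAM file for the lines this page prescribes: the pam_wheel.so line with use_uid in /etc/pam.d/su, the pam_unix.so line with sha512, and the three pam_faillock.so lines with deny=3, unlock_time=300 and even_deny_root. The function pam_require is this example's own; it reads one PAM file on standard input, ignores comment lines, and succeeds only if an uncommented line of the given type and control names the module and carries every listed argument. The two sample files are constructed for the demonstration; the order of the pam_faillock.so lines around pam_unix.so follows the pam_faillock(8) manual page.

```shell
#!/bin/sh
# Added example (not from the openEuler guide): confirm that a PAM file contains
# the prescribed module lines. pam_require is this example's own name.
#
# pam_require TYPE CONTROL MODULE [ARG...]  < pam-file
#   exit 0 and print the line if an uncommented line of type TYPE with control
#   CONTROL names MODULE and carries every ARG; exit 1 otherwise.
pam_require() {
    type=$1; control=$2; module=$3; shift 3
    awk -v type="$type" -v control="$control" -v module="$module" -v want="$*" '
        /^[[:space:]]*#/ || NF < 3 { next }      # comments and blank lines
        $1 != type { next }
        {
            # A bracketed control value may contain spaces: [success=1 default=ignore]
            c = 2; ctl = $2
            if ($2 ~ /^\[/) while (c < NF && $c !~ /\]$/) { c++; ctl = ctl " " $c }
            if (ctl != control || $(c + 1) != module) next
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = c + 2; j <= NF; j++) if ($j == w[i]) found = 1
                if (!found) next
            }
            print; hit = 1
        }
        END { exit hit ? 0 : 1 }
    '
}

# Constructed sample of /etc/pam.d/su; the commented line is deliberately ignored.
SAMPLE_SU='#%PAM-1.0
auth         sufficient    pam_rootok.so
#auth        sufficient    pam_wheel.so trust use_uid
auth         required      pam_wheel.so use_uid
auth         substack      system-auth'

# Constructed sample of /etc/pam.d/system-auth with the lines from this page;
# the pam_pwhistory.so line is left out on purpose so the check reports it.
SAMPLE_SYSTEM_AUTH='auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300
auth        required      pam_deny.so
password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so'

# report CONTENT TYPE CONTROL MODULE [ARG...]: one line per expected setting
report() {
    content=$1; shift
    if printf '%s\n' "$content" | pam_require "$@" >/dev/null; then
        echo "present: $*"
    else
        echo "MISSING: $*"
    fi
}

# On a live system replace "$SAMPLE_SU" with "$(cat /etc/pam.d/su)" and so on.
report "$SAMPLE_SU"          auth required        pam_wheel.so    use_uid
report "$SAMPLE_SYSTEM_AUTH" auth required        pam_faillock.so preauth  deny=3 unlock_time=300 even_deny_root
report "$SAMPLE_SYSTEM_AUTH" auth '[default=die]' pam_faillock.so authfail deny=3 unlock_time=300 even_deny_root
report "$SAMPLE_SYSTEM_AUTH" auth sufficient      pam_faillock.so authsucc deny=3 unlock_time=300 even_deny_root
report "$SAMPLE_SYSTEM_AUTH" password sufficient  pam_unix.so     sha512 shadow
report "$SAMPLE_SYSTEM_AUTH" password required    pam_pwhistory.so remember=5      # MISSING in this sample
```

    Matching the control field as well as the module matters: a pam_faillock.so authfail line that is not [default=die], or a pam_wheel.so line that is sufficient rather than required, would pass a module-name-only grep but would not enforce the behaviour this section describes.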

    Hardening the su Command


    When the su command is used to switch to another user, the environment variables of the current user must not be carried into the other user's environment. openEuler configures this by default: the PATH variable is always re-initialized when su switches users.


    Modify the /etc/login.defs file. The configuration is as follows:

