Debian 10 Buster Aministration Tutorials with examples
https://www.server-world.info/en/note?os=Debian_10&p=download&f=1
Debian 10 Buster
Tiene muchos temas, por ejemplo las Reglas para Setear los Passwords, entre muchas cosas:
Set Password Rules 2019/08/26 |
Set Password Rules for security reasons. | |
| [1] | Install password quality checking library. |
| root@dlp:~# apt -y install libpam-pwquality |
| [2] | Set number of days for password Expiration. Users must change their password within the days. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -M (days) (user)]. |
root@dlp:~# vi /etc/login.defs # line 160: set 60 for Password Expiration PASS_MAX_DAYS 60 |
| [3] | Set minimum number of days available of password. Users must use their password at least this days after changing it. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -m (days) (user)]. |
root@dlp:~# vi /etc/login.defs # line 161: set 2 for Minimum number of days available PASS_MIN_DAYS 1 |
| [4] | Set number of days for warnings before expiration. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -W (days) (user)]. |
root@dlp:~# vi /etc/login.defs # line 162: set 7 for number of days for warnings PASS_WARN_AGE 7 |
| [5] | Limit using a password that was used in past. Users can not set the same password within the generation. |
root@dlp:~# vi /etc/pam.d/common-password # line 26: prohibit to use the same password for 5 generation in past password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
|
| [6] | Set minimum password length. Users can not set thier password length less than this parameter. |
root@dlp:~# vi /etc/security/pwquality.conf # line 11: uncomment and set minimum password length minlen = 8 |
| [7] | Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others) |
root@dlp:~# vi /etc/security/pwquality.conf # line 34: uncomment and set minimum number of required classes of characters minclass = 3 |
| [8] | Set maximum number of allowed consecutive same characters in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 38: uncomment and set maximum number of allowed consecutive same characters maxrepeat = 2 |
| [9] | Set maximum number of allowed consecutive characters of the same class in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 43: uncomment and set maximum number of allowed consecutive characters of the same class maxclassrepeat = 4 |
| [10] | Require at least one lowercase character in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 25: uncomment and set minimum lowercase character lcredit = -1 |
| [11] | Require at least one uppercase character in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 20: uncomment and set minimum uppercase character ucredit = -1 |
| [12] | Require at least one digit in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 15: uncomment and set minimum digit character dcredit = -1 |
| [13] | Require at least one other character in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 30: uncomment and set minimum other special character ocredit = -1 |
| [14] | Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb') |
root@dlp:~# vi /etc/security/pwquality.conf # add to the end maxsequence = 3 |
| [15] | Set number of characters in the new password that must not be present in the old password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 6: uncomment and set number of characters difok = 5 |
| [16] | Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. |
root@dlp:~# vi /etc/security/pwquality.conf # line 47: uncomment and enable it gecoscheck = 1 |
| [17] | Set Ssace separated list of words that must not be contained in the password. |
root@dlp:~# vi /etc/security/pwquality.conf # add to the end badwords = denywords1 denywords2 denywords3 |
| [18] | Set hash/crypt algorithm for new passwords. (default is sha512) |
root@dlp:~# vi /etc/pam.d/common-password # line 26: hnage algorithm to sha512 password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 |
No hay comentarios:
Publicar un comentario