The Linux password aging mechanism enforces password expiry after a set length of time. It may be an inconvenience for users, but it ensures that passwords are changed regularly, which is a good security measure. By default, most Linux distributions do not enable password aging, but enabling it is very simple.
By editing /etc/login.defs, you can specify a few parameters that set the default password aging settings:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
When PASS_MAX_DAYS is set to 99999, password aging is in effect disabled. A more sensible value is generally 60 days, which forces users to change their passwords every two months.
PASS_MIN_DAYS sets the minimum number of days that must pass after a password change before the user is allowed to change the password again. PASS_WARN_AGE specifies how many days before password expiration the system begins notifying the user to change the password (the user normally sees the warning when logging in).
You should also edit the /etc/default/useradd file and look for the two keywords INACTIVE and EXPIRE:
INACTIVE=14
EXPIRE=
INACTIVE indicates how many days after the password expires, if it still has not been changed, the account is locked. In this case the grace period is 14 days. The EXPIRE setting gives all newly created users an absolute account expiration date (in year-month-day format).
Obviously, these changes only affect newly created users. To modify the settings of an existing user, you need to use the chage tool.
# chage -M 60 joe
This command sets PASS_MAX_DAYS to 60 for the user joe and updates the corresponding entry in the shadow file.
The chage -l option lists the current aging information for an account; -m sets PASS_MIN_DAYS, -W sets PASS_WARN_AGE, and so on. The chage tool lets you modify every password aging field of a particular account.
Note that chage applies only to local system accounts; if you use an authentication system such as LDAP, the tool will fail. If you authenticate through LDAP and try to use chage, even just to list a user's password aging information, you will find that chage simply does not work.
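As an added example (not part of the original article), the following script shows how the fields that chage writes to /etc/shadow combine into an account's aging status. The sample shadow lines and the "today" value are constructed, and the exact boundary conditions are my reading of shadow(5), so treat them as an assumption.

```shell
#!/bin/sh
# Constructed /etc/shadow excerpt (sample data, not from a real system).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg/expire are days since 1970-01-01; 99999 for max means no aging.
SAMPLE_SHADOW='joe:$6$x:19700:0:60:7:14::
carol:$6$x:19695:0:60:7:14::
alice:$6$x:19685:0:60:7:14::
erin:$6$x:19600:0:60:7:14::
svc:*:19700:0:60:7:14:19700:
bob:$6$x:19000:0:99999:7:::
dave:$6$x:0:0:60:7:14::'

# shadow_status USER TODAY -> ok | warn | expired | locked | noaging | unknown
# Boundary conditions are my reading of shadow(5); treat them as an assumption.
shadow_status() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v user="$1" -v today="$2" '
    $1 == user {
        found = 1
        lastchg = $3; max = $5; warn = $6; inactive = $7; expire = $8
        # Absolute account expiry date (EXPIRE / chage -E) overrides everything.
        if (expire != "" && today >= expire) { print "locked"; exit }
        # Empty or 99999 max: password aging is effectively switched off.
        if (max == "" || max >= 99999) { print "noaging"; exit }
        # lastchg of 0 forces a change at next login (chage -d 0).
        if (lastchg == 0) { print "expired"; exit }
        age = today - lastchg
        # Past max plus the INACTIVE grace period: the account is locked.
        if (inactive != "" && age > max + inactive) { print "locked"; exit }
        if (age > max) { print "expired"; exit }
        # Within PASS_WARN_AGE days of expiry: the user is warned at login.
        if (max - age <= warn) { print "warn"; exit }
        print "ok"
    }
    END { if (!found) print "unknown" }'
}

# Stand-alone report for a constructed "today" (19750 days = late January 2024).
TODAY=19750
for u in joe carol alice erin svc bob dave; do
    printf '%-6s %s\n' "$u" "$(shadow_status "$u" "$TODAY")"
done
```

To audit a real system, run the same awk as root over /etc/shadow instead of the embedded sample and compute TODAY as $(( $(date +%s) / 86400 )).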
Developing a policy that defines how often passwords must be changed, and then enforcing it, is a very good practice. After an employee is dismissed, a password aging policy ensures that he cannot come back three months later and find his password still works. Even if the system administrator neglects to delete his account, the account will be locked automatically by the password aging policy. Of course, this is no excuse for not removing the employee's account promptly, but the policy does provide an extra layer of security, especially since account cleanup has often been neglected in the past.