步骤一:生成设置密码必须包含大小写字母的策略文件
# authselect list
- nis Enable NIS for system authentication
- sssd Enable SSSD for system authentication (also for local users only)
- winbind Enable winbind for system authentication
- custom/password-policy Enable SSSD for system authentication (also for local users only)(
注意:如果没有 custom/password-policy 文件则进行以下操作:
# authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam
# authselect select custom/password-policy
# authselect current
Profile ID: custom/password-policy
Enabled features: None)
步骤二:配置 /etc/authselect/custom/password-policy/system-auth 文件
# vim /etc/authselect/custom/password-policy/system-auth先删除包含以下内容的行:
......
......pam_faillock.so......
......再将以下内容:
......
password requisite pam_pwquality.so try_first_pass local_users_only
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only retry=5
......
auth required pam_faillock.so preauth
......
auth required pam_faillock.so authfail
......(补充:这里的 retry=5 代表重复尝试 5 次后登陆会被锁住)
步骤三:配置 /etc/authselect/custom/password-policy/system-password 文件
# vim /etc/authselect/custom/password-policy/system-password先删除包含以下内容的行:
......
......pam_faillock.so......
......再将以下内容:
......
password requisite pam_pwquality.so try_first_pass local_users_only
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only retry=5
......
auth required pam_faillock.so preauth
......
auth required pam_faillock.so authfail
......(补充:这里的 retry=5 代表重复尝试 5 次后登陆会被锁住)
步骤四:配置 /etc/security/faillock.conf 文件
将以下内容:
......
# deny = 3
......
# unlock_time = 600
......修改为:
......
deny = 30
......
unlock_time = 600
......(补充:这里的 deny = 30 和 unlock_time = 600 代表拒绝 30 次 600 秒后解锁)