1. Edit the /etc/login.defs file
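# Maximum number of days a password may be used before it expires
PASS_MAX_DAYS 90
# Minimum number of days between password changes
PASS_MIN_DAYS 0
# Minimum password length
PASS_MIN_LEN 10
# Number of days of warning before a password expires
PASS_WARN_AGE 7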
Reference: https://eternalcenter.com/password-policy-centos8rhel8/
2. Edit the system-auth and password-auth files in /etc/pam.d/
# Generated by authselect on Wed Feb 12 10:38:46 2020
# Do not modify this file manually.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
# Limit the number of failed password attempts and set the lockout time before retrying
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
# Limit the number of failed password attempts and set the lockout time before retrying
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

# Limit the number of failed password attempts
# (listed first so it runs before a "sufficient" rule below can end the account stack)
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

# Set password complexity
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 enforce_for_root
# Remember the last 5 passwords; they cannot be reused
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Detailed guide to PAM modules: https://www.cnblogs.com/kevingrace/p/8671964.html
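
An added example, not part of the original note: a small Python checker that parses login.defs-style and PAM-style text and reports a non-numeric PASS_* value, missing or inconsistent pam_faillock.so auth rules, an account pam_faillock.so rule that sits behind a "sufficient" rule, and a minlen that disagrees with PASS_MIN_LEN. The sample inputs and the function names (parse_login_defs, parse_pam, audit) are constructed for illustration.

```python
import re

# Constructed samples (not from a live system); the account faillock rule is deliberately last.
LOGIN_DEFS = "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 10\nPASS_WARN_AGE 7\n"
PAM_STACK = """\
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
account required pam_unix.so
account sufficient pam_localuser.so
account required pam_faillock.so
password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1
password sufficient pam_unix.so sha512 shadow use_authtok remember=5
"""
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_login_defs(text):
    """KEY -> raw value; the rest of the line is kept as the value (no inline-comment stripping)."""
    pairs = (l.split(None, 1) for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def parse_pam(text):
    """List of (type, control, module, options) for each non-comment rule line."""
    rules = []
    for m in filter(None, (RULE.match(l.strip()) for l in text.splitlines())):
        opts = {k: (v if sep else True) for k, sep, v in (t.partition("=") for t in m[4].split())}
        rules.append((m[1].lstrip("-"), m[2], m[3], opts))
    return rules

def audit(defs, rules):
    """Return findings as strings; an empty list means nothing was flagged."""
    out = []
    for key in ("PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_MIN_LEN", "PASS_WARN_AGE"):
        if not defs.get(key, "").isdigit():
            out.append(f"{key}: value {defs.get(key)!r} is not a plain integer")
    auth = [r[3] for r in rules if r[0] == "auth" and r[2] == "pam_faillock.so"]
    modes = {m for o in auth for m in ("preauth", "authfail") if m in o}
    if modes != {"preauth", "authfail"}:
        out.append("faillock: need both preauth and authfail auth rules")
    if len({(o.get("deny"), o.get("unlock_time")) for o in auth}) > 1:
        out.append("faillock: deny/unlock_time differ between auth rules")
    acct = [r for r in rules if r[0] == "account"]
    idx = next((i for i, r in enumerate(acct) if r[2] == "pam_faillock.so"), None)
    if idx is None or any(r[1] == "sufficient" for r in acct[:idx]):
        out.append("faillock: account rule missing or placed after a 'sufficient' rule")
    pwq = next((r[3] for r in rules if r[2] == "pam_pwquality.so"), {})
    if pwq.get("minlen") != defs.get("PASS_MIN_LEN"):
        out.append(f"minlen={pwq.get('minlen')} differs from PASS_MIN_LEN={defs.get('PASS_MIN_LEN')}")
    return out
```

To check a host, pass the contents of /etc/login.defs and /etc/pam.d/system-auth (or password-auth) to the two parsers instead of the samples.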