PAM: Sequences in a Linux login password are unexpectedly flagged

I am trying to implement a password policy on Debian 8. I have the following in /etc/pam.d/common-password:

password        requisite                       pam_cracklib.so difok=2 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 minclass=3 reject_username
password        requisite                       pam_echo.so blah blah
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so

After setting a 15-character password containing three 5-character sequences, I get the following error:

root@foo-host:~# ssh foo-user@localhost
Last login: Tue Aug 29 11:26:06 2017 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
blah blah
Changing password for foo-user.
(current) UNIX password:
New password:
BAD PASSWORD: it is too simplistic/systematic
passwd: Authentication token manipulation error
passwd: password unchanged
Connection to localhost closed.

I tried removing the "obscure" option from pam_unix, but saw no difference in behaviour.

My pam_cracklib version is as follows:

root@foo-host:~# dpkg --list | grep -i crack
ii  cracklib-runtime               2.9.2-1                          amd64        runtime support for password checker library cracklib2
ii  libcrack2:amd64                2.9.2-1                          amd64        pro-active password checker library
ii  libpam-cracklib:amd64          1.1.8-3.1+deb8u2+b1              amd64        PAM module to enable cracklib support

Given that I have not specified maxsequence for pam_cracklib, why is this happening?
