# 1. 检查弱密码账户
# awk -F: ‘$2 ~ /^\$1\$/ {print $1}’ /etc/shadow
（输出使用MD5加密的账户）

# 2. 检查空密码账户
# awk -F: ‘$2 == “” {print $1}’ /etc/shadow
（输出空密码账户）

# 3. 检查密码即将过期账户
# for user in $(awk -F: ‘$3 >= 1000 {print $1}’ /etc/passwd); do
chage -l $user | grep “Password expires”
done

# 4. 检查密码过期账户
# for user in $(awk -F: ‘$3 >= 1000 {print $1}’ /etc/passwd); do
chage -l $user | grep “Account expires”
done

# 5. 强制用户下次登录修改密码
# chage -d 0 username

# 6. 锁定长期未登录账户
# lastlog | grep “**Never logged in**” | awk ‘{print $1}’ | while read user; do
if [ “$user” != “Username” ]; then
usermod -L $user
echo “Locked user: $user”
fi
done

# 7. 检查密码尝试失败记录
# faillock –user root
root:
When Type Service Orig-User
2026-04-02 10:00:00 TTY login root
2026-04-02 10:00:05 TTY login root

# 8. 清除密码尝试失败记录
# faillock –user root –reset

# 9. 检查密码历史
# cat /etc/security/opasswd
fgedu:1000:5:$6$xxx:$6$yyy:$6$zzz:$6$aaa:$6$bbb

# 10. 检查密码加密算法
# authconfig –test | grep hashing
password hashing algorithm is sha512

# 1. 创建密码审计脚本
# cat > /tmp/password_audit.sh << 'EOF' #!/bin/bash REPORT="/tmp/password_audit_report.txt" echo "========================================" > $REPORT
echo “Password Audit Report – $(date)” >> $REPORT
echo “========================================” >> $REPORT
echo “” >> $REPORT

# 1. 统计密码信息
echo “1. Password Statistics” >> $REPORT
echo “———————–” >> $REPORT
total_users=$(awk -F: ‘$3 >= 1000 && $3 != 65534 {print}’ /etc/passwd | wc -l)
empty_passwords=$(awk -F: ‘$2 == “” {print}’ /etc/shadow | wc -l)
locked_accounts=$(awk -F: ‘$2 ~ /^(!|\*)/ {print}’ /etc/shadow | wc -l)
echo “Total users: $total_users” >> $REPORT
echo “Empty passwords: $empty_passwords” >> $REPORT
echo “Locked accounts: $locked_accounts” >> $REPORT
echo “” >> $REPORT

# 2. 检查空密码账户
echo “2. Empty Password Accounts” >> $REPORT
echo “—————————” >> $REPORT
awk -F: ‘$2 == “” {print $1}’ /etc/shadow >> $REPORT
if [ $(awk -F: ‘$2 == “” {print}’ /etc/shadow | wc -l) -eq 0 ]; then
echo “No accounts with empty passwords found” >> $REPORT
fi
echo “” >> $REPORT

# 3. 检查弱加密算法
echo “3. Weak Encryption Algorithm Accounts” >> $REPORT
echo “————————————–” >> $REPORT
awk -F: ‘$2 ~ /^\$1\$/ {print $1, “MD5”}’ /etc/shadow >> $REPORT
awk -F: ‘$2 ~ /^\$5\$/ {print $1, “SHA-256”}’ /etc/shadow >> $REPORT
echo “” >> $REPORT

# 4. 检查密码即将过期账户
echo “4. Password Expiring Soon (within 7 days)” >> $REPORT
echo “——————————————-” >> $REPORT
for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
chage -l $user | grep “Password expires” | grep -v “never” >> $REPORT
done
echo “” >> $REPORT

# 5. 检查账户即将过期
echo “5. Account Expiring Soon (within 30 days)” >> $REPORT
echo “——————————————-” >> $REPORT
for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
chage -l $user | grep “Account expires” | grep -v “never” >> $REPORT
done
echo “” >> $REPORT

# 6. 检查密码过期设置
echo “6. Password Expiration Settings” >> $REPORT
echo “——————————–” >> $REPORT
for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
max_days=$(chage -l $user | grep “Maximum number of days” | awk ‘{print $NF}’)
if [ “$max_days” == “99999” ]; then
echo “$user: Password never expires” >> $REPORT
fi
done
echo “” >> $REPORT

# 7. 检查密码尝试失败
echo “7. Failed Login Attempts” >> $REPORT
echo “————————-” >> $REPORT
for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
attempts=$(faillock –user $user 2>/dev/null | wc -l)
if [ $attempts -gt 0 ]; then
echo “$user: $attempts failed attempts” >> $REPORT
fi
done
echo “” >> $REPORT

# 8. 检查密码历史
echo “8. Password History Check” >> $REPORT
echo “————————–” >> $REPORT
if [ -f /etc/security/opasswd ]; then
awk -F: ‘{print $1, “has”, NF-2, “old passwords”}’ /etc/security/opasswd >> $REPORT
else
echo “Password history not configured” >> $REPORT
fi
echo “” >> $REPORT

echo “Audit completed. Report saved to $REPORT”
EOF

# 2. 执行审计脚本
# chmod +x /tmp/password_audit.sh
# /tmp/password_audit.sh
Audit completed. Report saved to /tmp/password_audit_report.txt

# 3. 查看审计报告
# cat /tmp/password_audit_report.txt
========================================
Password Audit Report – Fri Apr 2 10:00:00 CST 2026
========================================

1. Password Statistics
———————–
Total users: 10
Empty passwords: 0
Locked accounts: 5

2. Empty Password Accounts
—————————
No accounts with empty passwords found

3. Weak Encryption Algorithm Accounts
————————————–
fgedu SHA-256
dev001 SHA-256

4. Password Expiring Soon (within 7 days)
——————————————-

5. Account Expiring Soon (within 30 days)
——————————————-

6. Password Expiration Settings
——————————–
fgedu: Password never expires
dev001: Password never expires

7. Failed Login Attempts
————————-

8. Password History Check
————————–
Password history not configured

# 1. 修改当前用户密码
# passwd
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# 2. 修改指定用户密码
# passwd fgedu
Changing password for user fgedu.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# 3. 非交互式设置密码
# echo “NewPassword123” | passwd –stdin fgedu
Changing password for user fgedu.
passwd: all authentication tokens updated successfully.

# 4. 查看用户密码状态
# passwd -S fgedu
fgedu PS 2026-04-02 0 99999 7 -1 (Password set, SHA512 crypt.)

# 状态说明：
# PS – Password Set（已设置密码）
# LK – Locked（已锁定）
# NP – No Password（无密码）

# 5. 查看所有用户密码状态
# passwd -Sa | head -n 10
root PS 2026-04-02 0 99999 7 -1 (Password set, SHA512 crypt.)
bin LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
daemon LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
adm LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
lp LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
sync LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
shutdown LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
halt LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
mail LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)
operator LK 2026-04-02 0 99999 7 -1 (Alternate authentication scheme in use.)

# 6. 锁定用户账户
# passwd -l fgedu
Locking password for user fgedu.
passwd: Success

# 查看锁定状态
# passwd -S fgedu
fgedu LK 2026-04-02 0 99999 7 -1 (Password locked.)

# 查看shadow文件
# grep “^fgedu:” /etc/shadow
fgedu:!!$6$rounds=4096$xxx:19500:0:99999:7:::

# 7. 解锁用户账户
# passwd -u fgedu
Unlocking password for user fgedu.
passwd: Success

# 查看解锁状态
# passwd -S fgedu
fgedu PS 2026-04-02 0 99999 7 -1 (Password set, SHA512 crypt.)

# 8. 删除用户密码
# passwd -d fgedu
Removing password for user fgedu.
passwd: Success

# 查看删除状态
# passwd -S fgedu
fgedu NP 2026-04-02 0 99999 7 -1 (Empty password.)

# 9. 设置密码过期
# passwd -e fgedu
Expiring password for user fgedu.
passwd: Success

# 查看过期状态
# chage -l fgedu | grep “Last password change”
Last password change : password must be changed

# 10. 设置密码最小使用天数
# passwd -n 1 fgedu
Adjusting aging data for user fgedu.
passwd: Success

# 查看设置
# chage -l fgedu | grep “Minimum number”
Minimum number of days between password change : 1

# 11. 设置密码最大使用天数
# passwd -x 90 fgedu
Adjusting aging data for user fgedu.
passwd: Success

# 查看设置
# chage -l fgedu | grep “Maximum number”
Maximum number of days between password change : 90

# 12. 设置密码过期警告天数
# passwd -w 7 fgedu
Adjusting aging data for user fgedu.
passwd: Success

# 查看设置
# chage -l fgedu | grep “Number of days of warning”
Number of days of warning before password expires : 7

# 13. 设置账户过期后禁用天数
# passwd -i 30 fgedu
Adjusting aging data for user fgedu.
passwd: Success

# 查看设置
# chage -l fgedu | grep “Password inactive”
Password inactive : 30

# 14. 查看密码信息
# passwd -S fgedu
fgedu PS 2026-04-02 1 90 7 30 -1 (Password set, SHA512 crypt.)

# 15. 批量修改密码
# cat > /tmp/user_passwords.txt << EOF user1:Password123 user2:Password456 user3:Password789 EOF # while IFS=':' read -r user pass; do echo "$pass" | passwd --stdin "$user" done < /tmp/user_passwords.txt Changing password for user user1. passwd: all authentication tokens updated successfully. Changing password for user user2. passwd: all authentication tokens updated successfully. Changing password for user user3. passwd: all authentication tokens updated successfully.

# 1. 生成随机密码
# openssl rand -base64 12
Kx8vN2mP9qRtLw==

# 设置随机密码
# RANDOM_PASS=$(openssl rand -base64 12)
# echo “$RANDOM_PASS” | passwd –stdin fgedu
Changing password for user fgedu.
passwd: all authentication tokens updated successfully.

# 2. 检查密码强度
# echo “WeakPass” | pwscore
Password quality check failed:
The password is shorter than 8 characters

# echo “StrongP@ssw0rd” | pwscore
100

# 3. 生成密码哈希
# openssl passwd -6 -salt “mysalt”
Password:
$6$mysalt$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# 4. 直接设置密码哈希
# usermod -p ‘$6$mysalt$hash’ fgedu

# 5. 检查密码是否在字典中
# echo “password” | cracklib-check
password: it is based on a dictionary word

# echo “Str0ng!P@ss” | cracklib-check
Str0ng!P@ss: OK

# 6. 批量检查密码强度
# cat > /tmp/check_passwords.sh << 'EOF' #!/bin/bash while read password; do result=$(echo "$password" | cracklib-check) echo "$result" done EOF # 7. 设置密码并强制修改 # echo "TempPass123" | passwd --stdin fgedu # chage -d 0 fgedu # 8. 设置临时密码（24小时后过期） # echo "TempPass123" | passwd --stdin tempuser # chage -E $(date -d "+1 day" +%Y-%m-%d) tempuser # 9. 设置服务账户密码（永不过期） # passwd -x -1 serviceuser Adjusting aging data for user serviceuser. passwd: Success # 10. 检查密码哈希算法 # grep "^fgedu:" /etc/shadow | cut -d: -f2 | cut -d$ -f2 6 # 11. 更改密码哈希算法 # authconfig --passalgo=sha512 --update # 12. 设置密码重用限制 # 编辑/etc/pam.d/system-auth password requisite pam_pwhistory.so remember=5 use_authtok # 13. 查看密码历史 # cat /etc/security/opasswd fgedu:1000:5:$6$xxx:$6$yyy:$6$zzz:$6$aaa:$6$bbb # 14. 清除密码历史 # > /etc/security/opasswd

# 15. 批量锁定账户
# for user in user1 user2 user3; do
passwd -l $user
done
Locking password for user user1.
passwd: Success
Locking password for user user2.
passwd: Success
Locking password for user user3.
passwd: Success

# 1. 查看用户密码过期信息
# chage -l fgedu
Last password change : Apr 02, 2026
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

# 2. 设置密码上次修改日期
# chage -d 2026-04-02 fgedu

# 3. 设置密码过期日期
# chage -E 2026-12-31 fgedu
# chage -l fgedu | grep “Account expires”
Account expires : Dec 31, 2026

# 4. 设置密码最大使用天数
# chage -M 90 fgedu
# chage -l fgedu | grep “Maximum number”
Maximum number of days between password change : 90

# 5. 设置密码最小使用天数
# chage -m 1 fgedu
# chage -l fgedu | grep “Minimum number”
Minimum number of days between password change : 1

# 6. 设置密码过期警告天数
# chage -W 7 fgedu
# chage -l fgedu | grep “Number of days of warning”
Number of days of warning before password expires : 7

# 7. 设置密码过期后账户禁用天数
# chage -I 30 fgedu
# chage -l fgedu | grep “Password inactive”
Password inactive : 30

# 8. 设置账户永不过期
# chage -E -1 fgedu
# chage -l fgedu | grep “Account expires”
Account expires : never

# 9. 设置密码永不过期
# chage -M -1 fgedu
# chage -l fgedu | grep “Password expires”
Password expires : never

# 10. 强制用户下次登录修改密码
# chage -d 0 fgedu
# chage -l fgedu | grep “Last password change”
Last password change : password must be changed

# 11. 设置临时账户（30天后过期）
# chage -E $(date -d “+30 days” +%Y-%m-%d) tempuser
# chage -l tempuser | grep “Account expires”
Account expires : May 02, 2026

# 12. 批量设置密码过期策略
# for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
chage -M 90 -m 1 -W 7 $user
done

# 13. 查看所有用户密码过期信息
# for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
echo “=== $user ===”
chage -l $user
done

# 14. 设置服务账户密码策略
# chage -M -1 -E -1 serviceuser

# 15. 检查即将过期的账户
# cat > /tmp/check_expiring.sh << 'EOF' #!/bin/bash TODAY=$(date +%s) DAYS=30 for user in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
expire_date=$(chage -l $user | grep “Account expires” | awk -F: ‘{print $2}’ | xargs)
if [ “$expire_date” != “never” ]; then
expire_epoch=$(date -d “$expire_date” +%s)
diff=$(( ($expire_epoch – $TODAY) / 86400 ))
if [ $diff -le $DAYS ] && [ $diff -ge 0 ]; then
echo “$user: expires in $diff days ($expire_date)”
fi
fi
done
EOF

# chmod +x /tmp/check_expiring.sh
# /tmp/check_expiring.sh
tempuser: expires in 30 days (May 02, 2026)

# 1. 批量设置初始密码并强制修改
# cat > /tmp/batch_set_passwords.sh << 'EOF' #!/bin/bash USERLIST="/tmp/userlist.txt" LOGFILE="/tmp/password_setup.log" echo "Password Setup Log - $(date)" > $LOGFILE

while read username; do
# 检查用户是否存在
if ! id $username &>/dev/null; then
echo “User $username does not exist” | tee -a $LOGFILE
continue
fi

# 生成随机密码
password=$(openssl rand -base64 12)

# 设置密码
echo “$password” | passwd –stdin $username

# 强制下次登录修改密码
chage -d 0 $username

# 记录密码（实际生产中应通过安全渠道发送）
echo “$username:$password” >> /tmp/initial_passwords.txt

echo “Password set for $username” | tee -a $LOGFILE
done < $USERLIST echo "Password setup completed" | tee -a $LOGFILE EOF # 2. 批量重置密码 # cat > /tmp/batch_reset_passwords.sh << 'EOF' #!/bin/bash for user in user1 user2 user3; do # 生成随机密码 password=$(openssl rand -base64 12) # 设置密码 echo "$password" | passwd --stdin $user # 强制修改密码 chage -d 0 $user # 发送邮件通知 echo "Your new password is: $password" | mail -s "Password Reset" $user@fgedu.net echo "Password reset for $user" done EOF # 3. 批量设置密码策略 # cat > /tmp/batch_password_policy.sh << 'EOF' #!/bin/bash # 设置密码策略 POLICY_MAX_DAYS=90 POLICY_MIN_DAYS=1 POLICY_WARN_DAYS=7 POLICY_INACTIVE_DAYS=30 for user in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
# 设置密码过期策略
chage -M $POLICY_MAX_DAYS -m $POLICY_MIN_DAYS -W $POLICY_WARN_DAYS -I $POLICY_INACTIVE_DAYS $user

echo “Password policy set for $user”
done

echo “Password policy applied to all users”
EOF

# 4. 批量锁定离职员工账户
# cat > /tmp/lock_departed_users.sh << 'EOF' #!/bin/bash DEPARTED_USERS="/tmp/departed_users.txt" while read username; do # 检查用户是否存在 if id $username &>/dev/null; then
# 锁定账户
passwd -l $username

# 设置账户过期
chage -E 0 $username

# 记录操作
echo “$(date): Locked user $username” >> /var/log/user_management.log

echo “User $username has been locked”
else
echo “User $username does not exist”
fi
done < $DEPARTED_USERS EOF # 5. 批量解锁账户 # cat > /tmp/batch_unlock_users.sh << 'EOF' #!/bin/bash USERLIST="/tmp/users_to_unlock.txt" while read username; do # 检查用户是否存在 if id $username &>/dev/null; then
# 解锁账户
passwd -u $username

# 清除失败登录记录
faillock –user $username –reset

# 重置密码过期
chage -d $(date +%Y-%m-%d) $username

echo “User $username has been unlocked”
fi
done < $USERLIST EOF # 6. 批量检查密码强度 # cat > /tmp/check_password_strength.sh << 'EOF' #!/bin/bash REPORT="/tmp/password_strength_report.txt" echo "Password Strength Report - $(date)" > $REPORT

for user in $(awk -F: ‘$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
# 检查密码状态
status=$(passwd -S $user | awk ‘{print $2}’)

case $status in
PS)
# 检查密码过期设置
max_days=$(chage -l $user | grep “Maximum number” | awk ‘{print $NF}’)
if [ “$max_days” == “99999” ]; then
echo “$user: Password never expires” >> $REPORT
fi
;;
LK)
echo “$user: Account locked” >> $REPORT
;;
NP)
echo “$user: No password set” >> $REPORT
;;
esac
done

echo “Report saved to $REPORT”
EOF

# 1. 配置密码复杂度要求
# cat > /tmp/configure_password_complexity.sh << 'EOF' #!/bin/bash # 备份原配置 cp /etc/security/pwquality.conf /etc/security/pwquality.conf.bak # 设置密码复杂度 cat > /etc/security/pwquality.conf << 'CONF' # Password quality requirements minlen = 8 minclass = 4 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 maxrepeat = 3 maxsequence = 3 maxclassrepeat = 3 gecoscheck = 1 dictcheck = 1 usercheck = 1 enforcing = 1 retry = 3 CONF echo "Password complexity configured" EOF # 2. 配置密码历史 # cat > /tmp/configure_password_history.sh << 'EOF' #!/bin/bash # 备份原配置 cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak # 添加密码历史配置 if ! grep -q "pam_pwhistory.so" /etc/pam.d/system-auth; then sed -i '/^password.*pam_pwquality.so/a password requisite pam_pwhistory.so remember=5 use_authtok' /etc/pam.d/system-auth fi echo "Password history configured" EOF # 3. 配置登录失败锁定 # cat > /tmp/configure_login_lockout.sh << 'EOF' #!/bin/bash # 备份原配置 cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak cp /etc/pam.d/password-auth /etc/pam.d/password-auth.bak # 配置登录失败锁定 # 编辑/etc/pam.d/system-auth sed -i '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent deny=5 unlock_time=1800' /etc/pam.d/system-auth sed -i '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800' /etc/pam.d/system-auth sed -i '/^account.*pam_unix.so/a account required pam_faillock.so' /etc/pam.d/system-auth # 编辑/etc/pam.d/password-auth sed -i '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent deny=5 unlock_time=1800' /etc/pam.d/password-auth sed -i '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail deny=5 unlock_time=1800' /etc/pam.d/password-auth sed -i '/^account.*pam_unix.so/a account required pam_faillock.so' /etc/pam.d/password-auth echo "Login lockout configured" EOF # 4. 配置密码过期策略 # cat > /tmp/configure_password_expiry.sh << 'EOF' #!/bin/bash # 备份原配置 cp /etc/login.defs /etc/login.defs.bak # 设置密码过期策略 sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' /etc/login.defs sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/' /etc/login.defs echo "Password expiry configured" EOF # 5. 应用密码策略到现有用户 # cat > /tmp/apply_password_policy.sh << 'EOF' #!/bin/bash POLICY_MAX_DAYS=90 POLICY_MIN_DAYS=1 POLICY_WARN_DAYS=7 POLICY_INACTIVE_DAYS=30 for user in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}’ /etc/passwd); do
# 应用密码策略
chage -M $POLICY_MAX_DAYS -m $POLICY_MIN_DAYS -W $POLICY_WARN_DAYS -I $POLICY_INACTIVE_DAYS $user

echo “Password policy applied to $user”
done

echo “Password policy applied to all users”
EOF

# 6. 检查并修复弱密码
# cat > /tmp/fix_weak_passwords.sh << 'EOF' #!/bin/bash # 检查空密码账户 empty_passwords=$(awk -F: '$2 == "" {print $1}' /etc/shadow) if [ -n "$empty_passwords" ]; then echo "Found accounts with empty passwords:" echo "$empty_passwords" for user in $empty_passwords; do # 锁定账户 passwd -l $user echo "Locked user: $user" done fi # 检查MD5加密账户 md5_passwords=$(awk -F: '$2 ~ /^\$1\$/ {print $1}' /etc/shadow) if [ -n "$md5_passwords" ]; then echo "Found accounts with MD5 encryption:" echo "$md5_passwords" for user in $md5_passwords; do # 强制修改密码 chage -d 0 $user echo "Forced password change for: $user" done fi EOF # 7. 完整安全加固脚本 # cat > /tmp/security_hardening.sh << 'EOF' #!/bin/bash echo "Starting security hardening..." # 1. 配置密码复杂度 ./configure_password_complexity.sh # 2. 配置密码历史 ./configure_password_history.sh # 3. 配置登录失败锁定 ./configure_login_lockout.sh # 4. 配置密码过期策略 ./configure_password_expiry.sh # 5. 应用密码策略到现有用户 ./apply_password_policy.sh # 6. 检查并修复弱密码 ./fix_weak_passwords.sh echo "Security hardening completed" EOF # chmod +x /tmp/security_hardening.sh # /tmp/security_hardening.sh

# 案例1：用户无法登录
# 症状：用户输入正确密码后仍无法登录

# 排查步骤：
# 1. 检查账户状态
# passwd -S username
username LK 2026-04-02 0 99999 7 -1 (Password locked.)

# 2. 解锁账户
# passwd -u username
Unlocking password for user username.
passwd: Success

# 3. 检查密码过期
# chage -l username | grep “Password expires”
Password expires : Apr 01, 2026

# 4. 重置密码过期
# chage -M 90 username

# 案例2：密码修改失败
# 症状：用户修改密码时报错

# 排查步骤：
# 1. 检查密码复杂度要求
# cat /etc/security/pwquality.conf | grep -v “^#” | grep -v “^$”

# 2. 检查密码历史
# cat /etc/security/opasswd

# 3. 检查PAM配置
# cat /etc/pam.d/system-auth | grep password

# 4. 查看详细错误
# passwd username
Changing password for user username.
New password:
BAD PASSWORD: The password is shorter than 8 characters
New password:
BAD PASSWORD: The password fails the dictionary check – it is based on a dictionary word

# 案例3：账户被锁定
# 症状：账户因登录失败被锁定

# 排查步骤：
# 1. 检查失败登录记录
# faillock –user username
username:
When Type Service Orig-User
2026-04-02 10:00:00 TTY login username
2026-04-02 10:00:05 TTY login username

# 2. 清除失败记录
# faillock –user username –reset

# 3. 解锁账户
# passwd -u username

# 案例4：密码哈希算法问题
# 症状：密码验证失败

# 排查步骤：
# 1. 检查密码哈希算法
# grep “^username:” /etc/shadow | cut -d: -f2 | cut -d$ -f2
1

# 2. 检查系统配置
# authconfig –test | grep hashing
password hashing algorithm is sha512

# 3. 更新密码哈希
# echo “NewPassword” | passwd –stdin username
Changing password for user username.
passwd: all authentication tokens updated successfully.

# 案例5：密码文件损坏
# 症状：无法修改密码

# 排查步骤：
# 1. 检查文件权限
# ls -l /etc/passwd /etc/shadow
-rw-r–r–. 1 root root 1234 Apr 2 10:00 /etc/passwd
-rw——-. 1 root root 1234 Apr 2 10:00 /etc/shadow

# 2. 修复权限
# chmod 644 /etc/passwd
# chmod 400 /etc/shadow

# 3. 检查文件完整性
# pwck
user ‘adm’: directory ‘/var/adm’ does not exist
user ‘uucp’: directory ‘/var/spool/uucp’ does not exist
pwck: no changes

# 案例6：PAM配置错误
# 症状：无法修改密码

# 排查步骤：
# 1. 检查PAM配置
# cat /etc/pam.d/system-auth

# 2. 验证PAM配置
# pam_tally2 –user=username

# 3. 恢复默认PAM配置
# authconfig –updateall

# 案例7：密码策略冲突
# 症状：密码策略不生效

# 排查步骤：
# 1. 检查/etc/login.defs
# grep -E “^PASS_” /etc/login.defs

# 2. 检查chage设置
# chage -l username

# 3. 重新应用密码策略
# chage -M 90 -m 1 -W 7 username

# 案例8：密码过期后无法登录
# 症状：密码过期后用户无法登录

# 排查步骤：
# 1. 检查密码过期状态
# chage -l username | grep “Password expires”
Password expires : Mar 31, 2026

# 2. 重置密码
# echo “NewPassword” | passwd –stdin username

# 3. 更新密码过期日期
# chage -d $(date +%Y-%m-%d) username

# 案例9：root密码忘记
# 症状：忘记root密码

# 解决步骤：
# 1. 重启系统
# 2. 在GRUB菜单按e编辑
# 3. 在linux行添加rd.break
# 4. 按Ctrl+X启动
# 5. 重新挂载文件系统
# mount -o remount,rw /sysroot
# 6. 切换到系统根目录
# chroot /sysroot
# 7. 修改root密码
# passwd
# 8. 创建SELinux重标记文件
# touch /.autorelabel
# 9. 退出并重启
# exit
# exit

# 案例10：密码同步问题
# 症状：多个系统密码不同步

# 解决步骤：
# 1. 检查LDAP配置
# cat /etc/nsswitch.conf | grep passwd
passwd: files ldap

# 2. 检查LDAP连接
# ldapsearch -x -H ldap://ldap.fgedu.net -b “dc=fgedu,dc=net” “(uid=username)”

# 3. 同步密码
# passwd username
Changing password for user username.
New password:
Retype new password:
LDAP password information changed for username
passwd: all authentication tokens updated successfully.