Set Password Rules
2011/07/11 |
Set Password Policy to let users Comply rules.
|
|
[1] | Set number of days for password Expiration. Users must change their password within the days. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -M (days) (user)". |
[root@dlp ~]#
vi /etc/login.defs # line 17: set 60 for Password Expiration PASS_MAX_DAYS 60
|
[2] | Set Minimum number of days available of password. Users must use their password at least this days after changing it. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -m (days) (user)". |
[root@dlp ~]#
vi /etc/login.defs # line 18: set 2 for Minimum number of days available PASS_MIN_DAYS 2
|
[3] | Set number of days for warnings before expiration. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -W (days) (user)". |
[root@dlp ~]#
vi /etc/login.defs # line 20: set 7 for number of days for warnings PASS_WARN_AGE 7
|
[4] | Limit using a password that was used in past. Users can not set the same password within the generation. |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 16: prohibit to use the same password for 5 generation in past password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok \ remember=5 |
[5] | Set minimum password length. Users can not set thier password length less than set this parameter. ( minlen=N ) This setting linkages to other settings, so it need to set other settings like below. |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: set 8 for minimum password length password requisite pam_cracklib.so try_first_pass retry=3 type= \ minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0 |
[6] | In addition to the setting above, Set dcredit that forces users to include numbers in their password. ( dcredit=-N ) |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: require to include 2 numbers in users password password requisite pam_cracklib.so try_first_pass retry=3 type= \ minlen=8 dcredit=-2 ucredit=0 lcredit=0 ocredit=0 |
[7] | In addition to the setting above, Set ucredit that forces users to include Capital characters in their password. ( ucredit=-N ) |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: require to include 1 capital character password requisite pam_cracklib.so try_first_pass retry=3 type= \ minlen=8 dcredit=-2 ucredit=-1 lcredit=0 ocredit=0 |
[8] | In addition to the setting above, Set lcredit that forces users to include Lower cases in their password. ( lcredit=-N ) |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: require to include 1 Lower case password requisite pam_cracklib.so try_first_pass retry=3 type= \ minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=0 |
[9] | In addition to the setting above, Set ocredit that forces users to include Symbols in their password. ( ocredit=-N ) |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: require to include 1 Symbol password requisite pam_cracklib.so try_first_pass retry=3 type= \ minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1 |
[10] | Set difok that forces more than N words in password before change are different from the one after change. ( difok=N ) |
[root@dlp ~]#
vi /etc/pam.d/system-auth # near line 15: require at least 3 words are different from before change password requisite pam_cracklib.so try_first_pass retry=3 type=
difok=3 |
[11] | Set number of login failure. Users' account will be locked after failing to login without a break. |
[root@dlp ~]#
vi /etc/pam.d/system-auth # add like follows ( this example sets login failure for 5 times. ( deny=5 ) ) #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=5 auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet
auth
accountrequired pam_deny.so required pam_unix.so account required pam_tally2.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet
account
required pam_permit.so # make sure the number of failure of login about a user [root@dlp ~]# pam_tally2 -u cent Login Failures Latest failure From
cent
7 04/27/11 13:10:26 ttyS0 # unlock a locked user [root@dlp ~]# pam_tally2 -r -u cent
* sshd refers not to "system-auth" but to "password-auth", so if you apply login failure setting for SSH,
apply the same settings with above in "/etc/pam.d/password-auth", too. |
[12] | Change password encryption algorithm. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -d 0 (user)" and let us change their password forcely on next login. |
# make sure current algorithm [root@dlp ~]# authconfig --test | grep hashing
password hashing algorithm is md5
# chnage algorithm to sha512
[root@dlp ~]#
[root@dlp ~]# authconfig --passalgo=sha512 --update authconfig --test | grep hashing password hashing algorithm is sha512 |