Debian 7.0
Sponsored Link

Set Password Rules
2013/05/29
 
Set Password Policy to let users Comply rules.
[1] Install cracklib module first.
root@dlp:~#
aptitude -y install libpam-cracklib
[2] Set number of days for password Expiration. Users must change their password within the days.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -M (days) (user)".
root@dlp:~#
vi /etc/login.defs
# line 155: set 60 for Password Expiration

PASS_MAX_DAYS
60
[3] Set Minimum number of days available of password.
Users must use their password at least this days after changing it.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -m (days) (user)".
root@dlp:~#
vi /etc/login.defs
# line 156: set 2 for Minimum number of days available

PASS_MIN_DAYS
2
[4] Set number of days for warnings before expiration.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -W (days) (user)".
root@dlp:~#
vi /etc/login.defs
# line 157: set 7 for number of days for warnings

PASS_WARN_AGE
7
[5] Limit using a password that was used in past.
Users can not set the same password within the generation.
root@dlp:~#
vi /etc/pam.d/common-password
# near line 26: prohibit to use the same password for 5 generation in past

password        [success=1 default=ignore]      pam_unix.so obscure sha512 \
                      remember=5
[6] Set minimum password length.
Users can not set thier password length less than set this parameter. ( minlen=N )
This setting linkages to other settings, so it need to set other settings like below.
root@dlp:~#
vi /etc/pam.d/common-password
# near line 25: set 8 for minimum password length

password        requisite                       pam_cracklib.so retry=3 \
                      minlen=8
[7] Set dcredit that forces users to include numbers in their password. ( dcredit=-N )
root@dlp:~#
vi /etc/pam.d/common-password
# near line 25: require to include 2 numbers in users password

password        requisite                       pam_cracklib.so retry=3 minlen=8 \
                      dcredit=-2 ucredit=0 lcredit=0 ocredit=0
[8] Set ucredit that forces users to include Capital characters in their password. ( ucredit=-N )
root@dlp:~#
vi /etc/pam.d/common-password
# near line 25: require to include 1 capital character

password        requisite                       pam_cracklib.so retry=3 minlen=8 \
                      dcredit=-2 ucredit=-1 lcredit=0 ocredit=0
[9] Set lcredit that forces users to include Lower cases in their password. ( lcredit=-N )
root@dlp:~#
vi /etc/pam.d/common-password
# near line 25: require to include 1 Lower case

password        requisite                       pam_cracklib.so retry=3 minlen=8 \
                      minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=0
[10] Set ocredit that forces users to include Symbols in their password. ( ocredit=-N )
root@dlp:~#
vi /etc/pam.d/common-password
# near line 25: require to include 1 Symbol

password        requisite                       pam_cracklib.so retry=3 minlen=8 \
                      dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1
[11] Set difok that forces more than N words in password before change are different from the one after change. ( difok=N )
root@dlp:~#
vi /etc/pam.d/common-password
# near line 215: require at least 3 words are different from before change

password        requisite                       pam_cracklib.so retry=3 minlen=8 \
                      dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
[12] Set number of login failure. Users' account will be locked after failing to login without a break.
root@dlp:~#
vi /etc/pam.d/common-auth
# near line 15: add follwos (this example sets login failure for 5 times. ( deny=5 ) )

auth    required                        pam_tally2.so deny=2

root@dlp:~#
vi /etc/pam.d/common-account
# near line 15: add follwos

account required                        pam_tally2.so

# make sure the number of failure of login about a user

root@dlp:~#
pam_tally2 -u fedora

Login           Failures Latest failure     From
fedora              3    05/30/13 15:44:30

# unlock a locked user

root@dlp:~#
pam_tally2 -r -u fedora

 
Tweet