My requirement was to enforce password complexity for all users of my RHEL 5 server (the same method works on RHEL 4 as well). It may be useful to you too.
Password complexity is a set of rules that define which character classes, and how many characters of each, a password must contain. My policy requirement was:
- Minimum length = 10
- At least one digit
- At least one uppercase letter
- At least one lowercase letter
- At least one other character (anything that is not a letter or a digit, such as punctuation).
As a precaution I always back up the existing configuration file first:
$ cp /etc/pam.d/system-auth /root/system-auth
Note that on RHEL 5 and 6, /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates. cp follows the symlink, so the backup is a real copy, but an edit made in place will be thrown away the next time authconfig runs. If the change must survive that, replace the symlink with a regular copy of system-auth-ac before editing it.
First I looked for the line containing the pam_cracklib module in the file /etc/pam.d/system-auth. In RHEL 5 and RHEL 6 it looks like this:
password requisite pam_cracklib.so try_first_pass retry=3
In RHEL 4 it looks like "password requisite /lib/security/$ISA/pam_cracklib.so"
This is the line where the password policy goes. I changed it as shown below to reflect my policy requirements:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
The same can be configured in RHEL 4 as "password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1". A negative credit value means "require at least this many characters of that class", so the four -1 values require one uppercase letter, one digit, one other character and one lowercase letter, and because no class earns a length credit, minlen=10 becomes a literal minimum of ten characters. Two caveats: pam_cracklib only sees passwords that are set through PAM (passwd, or the forced change at login), and on these releases it only warns root instead of refusing, so root running passwd for another user can still set a password that breaks the policy.
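The way minlen interacts with the credit values is the part people get wrong, so here is an offline model of pam_cracklib's length/credit arithmetic that lets you try candidate passwords against a policy before committing it to system-auth. This is an added example, not code from the original post or from pam_cracklib itself; the function names (cracklib_length_ok, policy_ok, default_ok) and the sample passwords are my own, and it reproduces only the length/credit check, not the dictionary, palindrome, similarity and rotation checks that pam_cracklib also runs. It serves both the configuration line above and the parameter descriptions at the end of the post.

```shell
#!/bin/bash
# Offline model of pam_cracklib's minlen/credit check (the length check
# in pam_cracklib.c). Added example, not code from the post or from pam.
# Only the length/credit arithmetic is modelled; dictionary, palindrome,
# similarity and rotation checks are not reproduced here.
LC_ALL=C
export LC_ALL

# count_class PASSWORD SET: number of characters of PASSWORD that fall in
# the tr(1) character set SET (for example '0-9', 'A-Z', 'a-z').
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_length_ok MINLEN DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD
# Succeeds (exit 0) when PASSWORD satisfies the length rules:
#   credit >= 0: up to `credit` characters of that class each count as
#                one extra character of length (pam's default is 1);
#   credit <  0: at least -credit characters of that class are required
#                and the class earns no credit.
cracklib_length_ok() {
    minlen=$1 password=$6
    len=${#password}
    digits=$(count_class "$password" '0-9')
    uppers=$(count_class "$password" 'A-Z')
    lowers=$(count_class "$password" 'a-z')
    others=$((len - digits - uppers - lowers))   # whatever is left, like pam's "other"
    size=$minlen
    for pair in "$2:$digits" "$3:$uppers" "$4:$lowers" "$5:$others"; do
        credit=${pair%%:*}
        n=${pair#*:}
        if [ "$credit" -ge 0 ]; then
            [ "$n" -gt "$credit" ] && n=$credit     # credit is capped at N
            size=$((size - n))                       # each credited char shortens the requirement
        elif [ "$n" -lt $((-credit)) ]; then
            return 1                                 # a required class is missing
        fi
    done
    [ "$size" -le "$len" ]                           # effective minimum met?
}

# policy_ok: the line used in this post (minlen=10, every class required).
policy_ok()  { cracklib_length_ok 10 -1 -1 -1 -1 "$1"; }
# default_ok: pam_cracklib with no arguments (minlen=9, each credit 1).
default_ok() { cracklib_length_ok 9 1 1 1 1 "$1"; }

# Constructed sample passwords, not real credentials.
for pw in 'Abcdefgh1!' 'abcdefghij' 'Ab1!xy'; do
    policy_ok  "$pw" && p=pass || p=FAIL
    default_ok "$pw" && d=pass || d=FAIL
    printf '%-12s policy: %-4s  defaults: %s\n' "$pw" "$p" "$d"
done
```

Running it shows why the credits are disabled in the post: with pam_cracklib's defaults the six-character 'Ab1!xy' is accepted (each of its four classes knocks one off minlen=9, leaving an effective minimum of 5), and the all-lowercase 'abcdefghij' passes too; with the post's line only 'Abcdefgh1!' is accepted.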
I had existing users on my system and wanted to make sure they complied with the new policy, so they were forced to change their password at their next login. To do this I locked the user account, expired the password, and unlocked the account (chage -d 0 on its own is what forces the change; the lock and unlock around it are optional). Here are the simple steps.
Lock the account:
$ usermod -L kushan
Expire their current password:
$ chage -d 0 kushan
Unlock the account:
$ usermod -U kushan
Check the status of their password (this shows the current password-aging settings for the user "kushan"):
$ chage -l kushan
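Doing the chage step by hand for every account does not scale, so here is a script that selects the ordinary local accounts from passwd data and expires their passwords in one go. This is an added example, not code from the original post; the function names (users_needing_reset, force_change), the APPLY switch and the passwd sample are mine, and it assumes RHEL 5 conventions: ordinary users start at UID 500 (UID_MIN in /etc/login.defs) and system accounts have /sbin/nologin or /bin/false as their shell.

```shell
#!/bin/sh
# Force a password change at next login for every ordinary local account
# instead of running chage per user by hand. Added example, not code from
# the original post. Assumes RHEL 5 conventions: ordinary users have
# UID >= 500 and system accounts use /sbin/nologin or /bin/false.
UID_MIN=${UID_MIN:-500}

# Constructed sample passwd data, so the selection logic can be exercised
# without touching the real /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
kushan:x:500:500:Kushan:/home/kushan:/bin/bash
backup:x:501:501:backup job:/var/backup:/bin/false
alice:x:502:502:Alice:/home/alice:/bin/bash'

# users_needing_reset: read passwd-format lines on stdin and print the
# login names of interactive accounts with UID >= UID_MIN, one per line.
# root (UID 0) and service accounts are left alone.
users_needing_reset() {
    awk -F: -v min="$UID_MIN" '
        $3 >= min && $7 !~ /(nologin|false)$/ { print $1 }'
}

# force_change USER...: expire the current password so PAM demands a new
# one (which pam_cracklib then checks) at the next login. With APPLY
# unset the commands are only printed, so the script is a safe dry run.
force_change() {
    for u in "$@"; do
        if [ "${APPLY:-0}" = 1 ]; then
            chage -d 0 "$u" && chage -l "$u" | grep '^Last password change'
        else
            echo "would run: chage -d 0 $u"
        fi
    done
}

# Dry run against the constructed data. On the real system use:
#   APPLY=1 ./force-reset.sh   with   users_needing_reset < /etc/passwd
force_change $(printf '%s\n' "$SAMPLE_PASSWD" | users_needing_reset)
```

With the sample data the dry run lists kushan and alice only: root is excluded by UID, apache by its nologin shell and backup by /bin/false. Run it once without APPLY, check the list, then set APPLY=1 as root.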
Description of the parameters used above is given below.
- retry=N: Prompt the user at most N times before returning with an error. The default is 1.
- minlen=N: The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). Each character class present earns up to its credit, so with the default credits of 1 a password containing all four classes can be up to four characters shorter than minlen and still pass. Setting every credit to -1, as above, disables credits and makes minlen the literal minimum length. The default is 9.
- reject_username: Check whether the name of the user, straight or reversed, is contained in the new password; if it is found the new password is rejected. (Not used in the line above.)
- dcredit=N: With N >= 0, the maximum credit for digits: up to N digits each count +1 towards minlen. With N < 0, the new password must contain at least -N digits and digits earn no credit (this is the form used above; dcredit=-1 requires at least one digit). The default is 1.
- lcredit=N: With N >= 0, the maximum credit for lowercase letters: if you have N or fewer lowercase letters, each counts +1 towards minlen. With N < 0, at least -N lowercase letters are required. The default is 1.
- ocredit=N: With N >= 0, the maximum credit for other characters (anything that is not a letter or a digit). With N < 0, at least -N other characters are required. The default is 1.
- ucredit=N: With N >= 0, the maximum credit for uppercase letters. With N < 0, at least -N uppercase letters are required. The default is 1.