passwd

---

Set Password Rules

 

[1]

Set Password Rules for security reasons.

Set number of days for password Expiration.

Users must change their password within the days.

This setting impacts only when creating a user, not impacts to exisiting users.

If set to exisiting users, run the command "chage -M (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 25: set 60 for Password Expiration

PASS_MAX_DAYS 60

[2]

Set minimum number of days available of password.

Users must use their password at least this days after changing it.

This setting impacts only when creating a user, not impacts to exisiting users.

If set to exisiting users, run the command "chage -m (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 26: set 2 for Minimum number of days available

PASS_MIN_DAYS 2

[3]

Set number of days for warnings before expiration.

This setting impacts only when creating a user, not impacts to exisiting users.

If set to exisiting users, run the command "chage -W (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 28: set 7 for number of days for warnings

PASS_WARN_AGE 7

[4]

Limit using a password that was used in past.

Users can not set the same password within the generation.

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: prohibit to use the same password for 5 generation in past

password     sufficient     pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

[5]

Set minimum password length.

Users can not set thier password length less than this parameter.

# set 8 for minimum password length

[root@dlp ~]# authconfig --passminlen=8 --update

# the parameter is set in a config below

[root@dlp ~]# grep "^minlen" /etc/security/pwquality.conf 

minlen = 8

[6]

Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others)

# set 2 for minimum number of required classes of characters

[root@dlp ~]# authconfig --passminclass=2 --update

# the parameter is set in a config below

[root@dlp ~]# grep "^minclass" /etc/security/pwquality.conf 

minclass = 2

[7]

Set maximum number of allowed consecutive same characters in the new password.

# set 2 for maximum number of allowed consecutive same characters

[root@dlp ~]# authconfig --passmaxrepeat=2 --update

# the parameter is set in a config below

[root@dlp ~]# grep "^maxrepeat" /etc/security/pwquality.conf 

maxrepeat = 2

[8]

Set maximum number of allowed consecutive characters of the same class in the new password.

# set 4 for maximum number of allowed consecutive characters of the same class

[root@dlp ~]# authconfig --passmaxclassrepeat=4 --update

# the parameter is set in a config below

[root@dlp ~]# grep "^maxclassrepeat" /etc/security/pwquality.conf 

maxclassrepeat = 4

[9]

Require at least one lowercase character in the new password.

[root@dlp ~]# authconfig --enablereqlower --update

# the parameter is set in a config below

# (if you'd like to edit the value, edit it with vi and others)

[root@dlp ~]# grep "^lcredit" /etc/security/pwquality.conf 

lcredit = -1

[10]

Require at least one uppercase character in the new password.

[root@dlp ~]# authconfig --enablerequpper --update

# the parameter is set in a config below

# (if you'd like to edit the value, edit it with vi and others)

[root@dlp ~]# grep "^ucredit" /etc/security/pwquality.conf 

ucredit = -1

[11]

Require at least one digit in the new password.

[root@dlp ~]# authconfig --enablereqdigit --update

# the parameter is set in a config below

# (if you'd like to edit the value, edit it with vi and others)

[root@dlp ~]# grep "^dcredit" /etc/security/pwquality.conf 

dcredit = -1

[12]

Require at least one other character in the new password.

[root@dlp ~]# authconfig --enablereqother --update

# the parameter is set in a config below

# (if you'd like to edit the value, edit it with vi and others)

[root@dlp ~]# grep "^ocredit" /etc/security/pwquality.conf 

ocredit = -1

[13]

Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb')

[root@dlp ~]# vi /etc/security/pwquality.conf

# add to the end

maxsequence = 3

[14]

Set number of characters in the new password that must not be present in the old password.

[root@dlp ~]# vi /etc/security/pwquality.conf

# add to the end

difok = 5

[15]

Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password.

[root@dlp ~]# vi /etc/security/pwquality.conf

# add to the end

gecoscheck = 1

[16]

Set Ssace separated list of words that must not be contained in the password.

[root@dlp ~]# vi /etc/security/pwquality.conf

# add to the end

badwords = denywords1 denywords2 denywords3

[17]

Set hash/crypt algorithm for new passwords. (default is sha512)

# show current algorithm

[root@dlp ~]# authconfig --test | grep hashing 

password hashing algorithm is md5

# chnage algorithm to sha512

[root@dlp ~]# authconfig --passalgo=sha512 --update

[root@dlp ~]# authconfig --test | grep hashing 

password hashing algorithm is sha512

-----