Password Policies

---

Set Password Policies

 

[1]

Set Password Policy to let users Comply rules.

Set number of days for password Expiration. Users must change their password within the days.

This setting impact only when creating a user, not impact to exisiting users.

If set to exisiting users, run the command "chage -M (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 17: set 60 for Password Expiration

PASS_MAX_DAYS 60

[2]

Set Minimum number of days available of password.

Users must use their password at least this days after changing it.

This setting impact only when creating a user, not impact to exisiting users.

If set to exisiting users, run the command "chage -m (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 18: set 2 for Minimum number of days available

PASS_MIN_DAYS 2

[3]

Set number of days for warnings before expiration.

This setting impact only when creating a user, not impact to exisiting users.

If set to exisiting users, run the command "chage -W (days) (user)".

[root@dlp ~]# vi /etc/login.defs

# line 20: set 7 for number of days for warnings

PASS_WARN_AGE 7

[4]

Limit using a password that was used in past.

Users can not set the same password within the generation.

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 16: prohibit to use the same password for 5 generation in past

passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass use_authtok \

 remember=5

[5]

Set minimum password length.

Users can not set thier password length less than set this parameter. ( minlen=N )

This setting linkages to other settings, so it need to set other settings like below.

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: set 8 for minimum password length

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= \

 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0

[6]

In addition to the setting above, Set dcredit that forces users to include numbers in their password. ( dcredit=-N )

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: require to include 2 numbers in users password

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= \

 minlen=8 dcredit=-2 ucredit=0 lcredit=0 ocredit=0

[7]

In addition to the setting above, Set ucredit that forces users to include Capital characters in their password. ( ucredit=-N )

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: require to include 1 capital character

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= \

 minlen=8 dcredit=-2 ucredit=-1 lcredit=0 ocredit=0

[8]

In addition to the setting above, Set lcredit that forces users to include Lower cases in their password. ( lcredit=-N )

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: require to include 1 Lower case

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= \

 minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=0

[9]

In addition to the setting above, Set ocredit that forces users to include Symbols in their password. ( ocredit=-N )

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: require to include 1 Symbol

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= \

 minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1

[10]

Set difok that forces more than N words in password before change are different from the one after change. ( difok=N )

[root@dlp ~]# vi /etc/pam.d/system-auth

# near line 15: require at least 3 words are different from before change

passwordrequisitepam_cracklib.so try_first_pass retry=3 type= difok=3

[11]

Set number of login failure. Users' account will be locked after failing to login without a break.

[root@dlp ~]# vi /etc/pam.d/system-auth

# add like follows ( this example sets login failure for 5 times. ( deny=5 ) )

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

authrequiredpam_env.so

auth required pam_tally2.so deny=5

authsufficientpam_fprintd.so

authsufficientpam_unix.so nullok try_first_pass

authrequisitepam_succeed_if.so uid >= 500 quiet

authrequiredpam_deny.so

accountrequiredpam_unix.so

account required pam_tally2.so

accountsufficientpam_localuser.so

accountsufficientpam_succeed_if.so uid < 500 quiet

accountrequiredpam_permit.so

# make sure the number of failure of login about a user

[root@dlp ~]# pam_tally2 -u cent

LoginFailuresLatest failureFrom

cent704/27/11 13:10:26ttyS0

# unlock a locked user

[root@dlp ~]# pam_tally2 -r -u cent

* sshd refers not to "system-auth" but to "password-auth", so if you apply login failure setting for SSH, apply the same settings with above in "/etc/pam.d/password-auth", too.

[12]

Change password encryption algorithm.

This setting impact only when creating a user, not impact to exisiting users.

If set to exisiting users, run the command "chage -d 0 (user)" and let us change their password forcely on next login.

# make sure current algorithm

[root@dlp ~]# authconfig --test | grep hashing 

password hashing algorithm is md5

# chnage algorithm to sha512

[root@dlp ~]# authconfig --passalgo=sha512 --update

[root@dlp ~]# authconfig --test | grep hashing 

password hashing algorithm is sha512

---