Tuesday, February 28, 2012

Enforcing strong passwords in Linux

Starting with release 4, Red Hat ships a PAM module called "pam_cracklib" with which we can force users to set strong passwords.

Let's say we have to set the password requirements as follows:
Minimum length of password should be 8
Minimum number of lower case letters should be 1
Minimum number of upper case letters should be 2
Minimum number of digits should be 2
Minimum number of other characters should be 1
To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the pam_cracklib arguments on the "password requisite" line shown below (retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1):
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

Now verify that the new password restrictions are applied to new passwords for a normal user. To test it, simply log in as a non-root user and change the password using the 'passwd' command. Note that the above requirements are not enforced if you run the 'passwd' command as root.

Settings in tabular form:

Module             Argument      Meaning
pam_cracklib.so    minlen=8      Minimum length of password is 8
pam_cracklib.so    lcredit=-1    Minimum number of lower case letters is 1
pam_cracklib.so    ucredit=-2    Minimum number of upper case letters is 2
pam_cracklib.so    dcredit=-2    Minimum number of digits is 2
pam_cracklib.so    ocredit=-1    Minimum number of other characters is 1
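As an added example (not part of the original post, and not pam_cracklib's own code), the following Python script models the minlen/credit arithmetic that pam_cracklib applies: it parses the "password requisite" line from this post (embedded as sample input) and checks candidate passwords against it. It models only the length and character-class rules, not pam_cracklib's dictionary, palindrome and similarity checks; the default values assumed when an argument is absent (minlen=9, each credit=1) are those documented in the pam_cracklib man page.

```python
import re
# The pam_cracklib line from this post's /etc/pam.d/system-auth, embedded as sample input.
PAM_LINE = ("password    requisite     /lib/security/$ISA/pam_cracklib.so "
            "retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1")

# pam_cracklib defaults for the arguments modelled here (assumed from the man page).
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}
CREDIT_KEYS = ("lcredit", "ucredit", "dcredit", "ocredit")

def parse_cracklib_args(line):
    """Return minlen and the four credit settings from a pam_cracklib line."""
    if "pam_cracklib.so" not in line:
        raise ValueError("not a pam_cracklib line")
    settings = dict(DEFAULTS)
    for key, value in re.findall(r"\b(minlen|[ludo]credit)=(-?\d+)", line):
        settings[key] = int(value)
    return settings

def count_classes(password):
    """Count characters per class as pam_cracklib does (anything else is 'other')."""
    counts = dict.fromkeys(CREDIT_KEYS, 0)
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def meets_policy(password, settings):
    """Negative credit -N: at least N characters of that class are required and
    earn no length credit. Positive credit N: up to N characters of that class
    each add one to the length score. Pass when score >= minlen."""
    counts = count_classes(password)
    score = len(password)
    for key in CREDIT_KEYS:
        credit, n = settings[key], counts[key]
        if credit < 0:
            if n < -credit:
                return False
        else:
            score += min(n, credit)
    return score >= settings["minlen"]

if __name__ == "__main__":
    print(meets_policy("AB12cd!x", parse_cracklib_args(PAM_LINE)))
```

With the post's settings, "Abc12345" is rejected (only one upper case letter) while "AB12cd!x" passes; with the defaults, a seven-letter lower case password earns one credit, scores 8 and still fails minlen=9.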
