Share, , Google Plus, Pinterest,

Print

Posted in:

Configure Password Policy on CentOS 6

Configuring Password Policy on CentOS 6

About Password Policy

Password policy is a set of rules that must to be satisfied when setting a password. Password policy is an important factor in computer security, specially since user passwords are too often the main reason for computer system security breaches. This is why most companies and organizations incorporate password policy into the company official regulations. All users and their passwords must comply to official company password policy.

Password policy usually defines:

  • Password Aging
  • Password Length
  • Password Complexity
  • Number of Login Failures
  • Re-Used Password Deny
Configuring Password Policy on CentOS 6
Configuring Password Policy on CentOS 6

 

Step 1 – Configuring /etc/login.defs

Password aging controls and password length are defined in /etc/login.defs file. Password aging refers to the maximum number of days password may be used, minimum number of days allowed between password changes and more as seen below and password length refers to the number of characters that need to be used in password.

To configure password aging controls and password length edit /etc/login.defs file and PASS values according to your company policy. The password aging controls and password length do not affect existing users –  they only affect newly created users! PASS_MAX_DAYS – Maximum number of days a password may be used. PASS_MIN_DAYS – Minimum number of days allowed between password changes. PASS_MIN_LEN – Minimum acceptable password length. PASS_WARN_AGE – Number of days warning given before a password expires.

Example configuration file /etc/login.defs:

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_MIN_LEN 9
PASS_WARN_AGE 14
...

Step 2 – Configuring /etc/pam.d/system-auth

By editing /etc/pam.d/system-auth configuration file we can configure the password complexity and deny a number of re-used passwords. Password complexity refers to the complexity of the characters used in password and denying re-used passwords refers to denying the desired number of passwords the user used in the past. By setting password complexity, we can force a user to use the desired number of numbers, capital characters, lower case characters and symbols in his password. If he does not use the characters we specified the password will not be accepted by the system.

  • Force Capital Characters In Passwords – ucredit=-X – where X is the number of capital characters required in password
  • Force Lower Case Characters In Passwords – lcredit=-X – where X is the number of lower case characters required in password
  • Force Numbers In Passwords – dcredit=-X – where X is the number numbers required in password
  • Force The Use Of Symbols In Passwords – ocredit=-X – where X is the number of symbols required in password
password requisite pam_cracklib.so try_first_pass retry=3 type= ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
  • Deny Re-Used Passwords – remember=X – where X is the number of past passwords to deny
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Example configuration file /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

Step 3 – Set The Number Of Login Failures

To set the number of login failures we must edit /etc/pam.d/password-auth file. Number of login failures refers to the number of failed logins user can try before his account is locked out. When the account is locked out system administrator must unlock this account. To configure the number of login failures two new lines need to be added to /etc/pam.d/password-auth file. The parameter “deny=X” (where X is the number of login failures) configures the number of login failures permitted before the account is locked.

auth           required      pam_tally2.so deny=3
account     required      pam_tally2.so

Example configuration file /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

This post was written by GeekPeek.Net and first appeared on DigitalOcean!

  • Invtr

    Doesn’t seem like you’re an RHC lol..

    • Mitch

      Invtr you could be too, just study hard for couple of months and you’re good to go 😉

      • Invtr

        Funny man tricks are for kids