Configuring Password Policy on CentOS 6
About Password Policy
Password policy is a set of rules that must to be satisfied when setting a password. Password policy is an important factor in computer security, specially since user passwords are too often the main reason for computer system security breaches. This is why most companies and organizations incorporate password policy into the company official regulations. All users and their passwords must comply to official company password policy.
Password policy usually defines:
- Password Aging
- Password Length
- Password Complexity
- Number of Login Failures
- Re-Used Password Deny
Step 1 – Configuring /etc/login.defs
Password aging controls and password length are defined in /etc/login.defs file. Password aging refers to the maximum number of days password may be used, minimum number of days allowed between password changes and more as seen below and password length refers to the number of characters that need to be used in password.
To configure password aging controls and password length edit /etc/login.defs file and PASS values according to your company policy. The password aging controls and password length do not affect existing users – they only affect newly created users! PASS_MAX_DAYS – Maximum number of days a password may be used. PASS_MIN_DAYS – Minimum number of days allowed between password changes. PASS_MIN_LEN – Minimum acceptable password length. PASS_WARN_AGE – Number of days warning given before a password expires.
Example configuration file /etc/login.defs:
# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. #
# *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail
# Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 2 PASS_MIN_LEN 9 PASS_WARN_AGE 14
...
Step 2 – Configuring /etc/pam.d/system-auth
By editing /etc/pam.d/system-auth configuration file we can configure the password complexity and deny a number of re-used passwords. Password complexity refers to the complexity of the characters used in password and denying re-used passwords refers to denying the desired number of passwords the user used in the past. By setting password complexity, we can force a user to use the desired number of numbers, capital characters, lower case characters and symbols in his password. If he does not use the characters we specified the password will not be accepted by the system.
- Force Capital Characters In Passwords – ucredit=-X – where X is the number of capital characters required in password
- Force Lower Case Characters In Passwords – lcredit=-X – where X is the number of lower case characters required in password
- Force Numbers In Passwords – dcredit=-X – where X is the number numbers required in password
- Force The Use Of Symbols In Passwords – ocredit=-X – where X is the number of symbols required in password
password requisite pam_cracklib.so try_first_pass retry=3 type= ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
- Deny Re-Used Passwords – remember=X – where X is the number of past passwords to deny
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Example configuration file /etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5 password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
Step 3 – Set The Number Of Login Failures
To set the number of login failures we must edit /etc/pam.d/password-auth file. Number of login failures refers to the number of failed logins user can try before his account is locked out. When the account is locked out system administrator must unlock this account. To configure the number of login failures two new lines need to be added to /etc/pam.d/password-auth file. The parameter “deny=X” (where X is the number of login failures) configures the number of login failures permitted before the account is locked.
auth required pam_tally2.so deny=3 account required pam_tally2.so
Example configuration file /etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=3 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so account required pam_tally2.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
This post was written by GeekPeek.Net and first appeared on DigitalOcean!
3 Comments
Leave a Reply