Enforcing strong passwords in Linux using PAM (Pluggable Authentication Modules)
In this post I am going to share how we can force users to set strong passwords in Linux using the pam_cracklib module in PAM.
It will help to provide security for all users on the system.
Note: When root changes the password for any user, this policy is not enforced for root. Root bypasses the policy.
Example:
- prompt at most 2 times for the new password before returning an error (retry option)
- 8 characters minimum length (minlen option)
- at least 6 characters should be different from old password when entering a new one (difok option)
- at least 1 digit (dcredit option)
- at least 1 uppercase (ucredit option)
- at least 1 other character (ocredit option)
- at least 1 lowercase (lcredit option)
Edit the /etc/pam.d/passwd file and enter the following:
#%PAM-1.0
password required pam_cracklib.so retry=2 minlen=8 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password required pam_unix.so use_authtok sha512 shadow
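The stack above can be checked mechanically. The following Python audit is an added example, not part of the original post: it parses the password stack of a PAM service file and reports where it is weaker than the policy listed here. The function name, the finding strings and the WEAK sample are constructed for illustration.

```python
import re

# Policy values from the post. For the *credit options a negative value -N
# requires at least N characters of that class; 0 or a positive value does not.
POLICY = {"minlen": 8, "difok": 6, "dcredit": -1, "ucredit": -1,
          "ocredit": -1, "lcredit": -1}
LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def audit_password_stack(text):
    """Return findings (strings) for the password stack of one PAM file."""
    stack = []  # (control, module file name, argument list) in file order
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            stack.append((m[1], m[2].rsplit("/", 1)[-1], m[3].split()))
    names = [mod for _, mod, _ in stack]
    if "pam_cracklib.so" not in names:
        return ["pam_cracklib.so is not in the password stack"]
    idx = names.index("pam_cracklib.so")
    control, _, args = stack[idx]
    findings = []
    if control not in ("required", "requisite"):
        findings.append(f"pam_cracklib.so control is '{control}'")
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    for name, want in POLICY.items():
        if name not in opts:
            findings.append(f"{name} not set, module default applies")
        elif name.endswith("credit") and int(opts[name]) > want:
            findings.append(f"{name}={opts[name]} does not require the class")
        elif not name.endswith("credit") and int(opts[name]) < want:
            findings.append(f"{name}={opts[name]} is below {want}")
    # pam_unix.so must follow and reuse the password pam_cracklib checked.
    later = [a for _, mod, a in stack[idx + 1:] if mod == "pam_unix.so"]
    if not later or "use_authtok" not in later[0]:
        findings.append("no pam_unix.so with use_authtok after pam_cracklib.so")
    return findings


# Constructed samples: the file from the post, and a weakened variant.
GOOD = """#%PAM-1.0
password required pam_cracklib.so retry=2 minlen=8 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password required pam_unix.so use_authtok sha512 shadow
"""
WEAK = """password optional pam_cracklib.so retry=2 minlen=6 dcredit=1 ucredit=-1 lcredit=-1
password required pam_unix.so sha512 shadow
"""

if __name__ == "__main__":
    print(audit_password_stack(GOOD) or "OK", *audit_password_stack(WEAK), sep="\n")
```

To audit the live file, pass its contents: audit_password_stack(open("/etc/pam.d/passwd").read()).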
Sample Output:
File Content for /etc/pam.d/passwd
User tries to change the password to a simple one.