Thanks to all who posted suggestions and help here. I eventually solved the problem but in order to do so, I used pam_cracklib.so instead. This requires a little explanation :
Originally, I tried using pam_cracklib.so but discovered that it apparently only worked for non-root users. That was a problem because password policy enforcement for root was something I needed. So I turned to pam_passwdqc.so as that was supposed to support password complexity for root.
Having gone around in circles and basically strangled myself trying to get pam_passwdqc.so to work, I found out today that the enforcement of password complexity for root is actually supported in the latest version of pam_cracklib.so. So feeling like a twit, I managed to get what I wanted working using pam_cracklib.so in the end.
I am posting my solution here, in case anybody else wants to get this to work. Sort of makes the pain I went through sort of worth it
.
This is for CENTOS 6/RHEL6 and provides :
- a minimum password length of 12 characters
- password complexity - 3 out of 4 character types of (lowercase, uppercase, numerical digits, other symbols)
- the ability to remember the last 5 passwords entered
- policies are enforce for root
Code:
password required pam_cracklib.so retry=3 minlen=12 difok=3 minclass=3 lcredit=0 ucredit=0 dcredit=0 ocredit=0 enforce_for_root
password required pam_pwhistory.so use_authtok remember=3 enforce_for_root use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Note that the version of PAM you are running should be at least 1.1.1-13. Previous versions apparently have some bugs that prevent the enforcement of the policies on root. See here for more details on that :
http://rhn.redhat.com/errata/RHSA-2013-0521.html
Thanks again,
Sean
