LinuxQuestions.org


Nick Pontelando 06-01-2004 07:55 AM

password policy
 
Hello,

Trying to set up/enforce a password policy.

Want to require users to enter an 8 character password with 1 numeric and 1 special character, 90 day expiration, 120 day inactivity, 3 try lockout.

Have looked at PAM in an attempt to set up some of the initial password requirements (8 char, 1 digit, 1 special) but can't seem to get any of it working. Tried making changes to /etc/pam.d/passwd and /etc/pam.d/system-auth using cracklib with the various credit parameters as specified in the PAM documentation but can't seem to get it to work.

Also can't seem to find thorough documentation on the xcredit parameters, or for system-auth.

Any suggestions/pointers would be appreciated.

Thanks

SciYro 06-01-2004 08:23 AM

What does PAM have to do with password security? Maybe you could write a script that people could use to make their passwords with, or modify the program that sets the passwords to check for your requirements.

Nick Pontelando 06-01-2004 08:35 AM

I believe PAM is documented to provide services regarding the password itself. I tried adding the following line to /etc/pam.d/password and /etc/pam.d/system-auth...

password required /lib/security/pam_cracklib.so dcredit=-1 ocredit=-1 minlen=8

This is supposed to require a password with at least 1 digit and 1 "other" character, with a minimum length of 8 characters - if I am reading the documentation correctly.

todw1fd 06-01-2004 03:21 PM

Trying to do the same thing with RH Enterprise 3 and having about the same amount of success trying to configure the system-auth file. I too would love some help. While I don't mind working at the command line, I would have thought that RH might have made this a bit easier all things considered.

Nick Pontelando 06-02-2004 07:26 AM

I think some of this is done through the shadow file. If you use X and go to System Settings=>Users and Groups=>select a user=>Password Info you will see some entries for password aging. Changing this GUI modifies the /etc/shadow file. I would like to know if there is a command line utility to do this, or if it is considered good practice to modify /etc/shadow using vi or some other editor. But this only affects password aging and not password content.

Mathieu 06-02-2004 12:09 PM

To make modifications to the /etc/shadow file, you can use the usermod command.
Even though you are allowed to modify the shadow file manually, I encourage you to use the usermod command.

In order to implement all the above mentioned login rules for new users, you will need to modify the /etc/login.defs file.

Also, the /etc/skel/ directory contains default configuration files which will be copied to a new user's HOME directory.
And if you want to add login scripts or other custom configuration settings which will be applied to all users at log-on, you can add them to the /etc/profile.local file.

Nick Pontelando 06-02-2004 02:20 PM

Thanks Mathieu.

Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?

unSpawn 06-03-2004 12:53 PM

Quote:

Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?

Could block 'em off using pam_tally.

lmcdrra 08-15-2012 10:07 AM

Quote:

Originally Posted by Nick Pontelando (Post 966408)
I believe PAM is documented to provide services regarding the password itself. I tried adding the following line to /etc/pam.d/password and /etc/pam.d/system-auth...

password required /lib/security/pam_cracklib.so dcredit=-1 ocredit=-1 minlen=8

This is supposed to require a password with at least 1 digit and 1 "other" character, with a minimum length of 8 characters - if I am reading the documentation correctly.

I think you are not reading the documentation correctly. minlen is the minimal number of credits. It is also not clear what you mean by "not working". Does the system accept passwords that it should not? Or is your apparently valid password rejected?
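
An added example (not part of any post in this thread, and not the module's source): a small Python model of the credit rule that the pam_cracklib documentation describes, applied to the option line quoted above. The defaults (minlen=9, every credit 1) and all function and variable names are assumptions of this sketch; dictionary and similarity checks are left out.

```python
import string

# Assumed defaults, as documented for pam_cracklib.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

# Options from the line quoted in the thread; ucredit/lcredit stay at default.
NICK_OPTIONS = {"minlen": 8, "dcredit": -1, "ocredit": -1}

# Same line with the remaining credits switched off.
STRICT_OPTIONS = {**NICK_OPTIONS, "ucredit": 0, "lcredit": 0}


def count_classes(password):
    """Count characters per class, keyed by the option that governs the class."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check(password, **options):
    """Return (accepted, reason) under the modelled credit rule."""
    opt = {**DEFAULTS, **options}
    counts = count_classes(password)
    required = opt["minlen"]
    for cls in ("dcredit", "ucredit", "lcredit", "ocredit"):
        credit, seen = opt[cls], counts[cls]
        if credit >= 0:
            # Positive credit: up to `credit` characters of this class each
            # lower the length the password has to reach.
            required -= min(seen, credit)
        elif seen < -credit:
            # Negative credit: a hard minimum count, with no length bonus.
            return False, f"{cls}: needs at least {-credit}, found {seen}"
    if len(password) < required:
        return False, f"too short: length {len(password)}, required {required}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Ab1!xy", "abcdefgh1", "Ab1!xyzz"):
        print(pw, check(pw, **NICK_OPTIONS), check(pw, **STRICT_OPTIONS))
```

In this model the quoted options still accept the six-character `Ab1!xy`, because the unset ucredit and lcredit each grant one credit; with `ucredit=0 lcredit=0` added, minlen=8 becomes an actual eight-character floor.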

unSpawn 08-15-2012 10:50 AM

Necroposting, the practice of responding to a thread that died a long time ago, is in this case not that useful, as the OP left several years ago. Please choose where you post carefully. Thread closed.


All times are GMT -5.