LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-25-2010, 12:23 AM   #1
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Rep: Reputation: 37
How to implement password policies?


How would i ensure that whenever any user changes the password it should meet following.
1)It should be more than 7 Characters.
2)Atleast one Upper case character,digit and special character present.
3)Password is not same as username or dictionary word .
4)User should get email after changing his password(I have already setup mail account and tested the setup).

Code:
Distribution Detail
# lsb_release -a
LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: EnterpriseEnterpriseServer
Description:    Enterprise Linux Enterprise Linux Server release 5.2 (Carthage)
Release:        5.2
Codename:       Carthage
# uname -a
Linux OFSMUW-VMGR-51 2.6.18-92.el5PAE #1 SMP Fri May 23 22:26:05 EDT 2008 i686 i686 i386 GNU/Linux

Last edited by pinga123; 11-25-2010 at 12:26 AM.
 
Old 11-25-2010, 12:41 AM   #2
JoshyJ
Member
 
Registered: Nov 2003
Location: Sydney , Australia
Distribution: Fedora
Posts: 49

Rep: Reputation: 1
For numbers 1,2,3 you would need to look into Pam authentication. For Fedora the file you would need to edit is the /etc/pam.d/system-auth
 
1 members found this post helpful.
Old 11-25-2010, 12:53 AM   #3
Ehtetur
Member
 
Registered: Mar 2008
Location: Atlanta, GA
Distribution: Red Hat Enterprise Linux
Posts: 52

Rep: Reputation: 16
The module pam_passwdqc is used to configure the password settings..

Here's a site that gives you all the gory* details for setting up password policies.

*Actually, they're pretty simple to do. What's gory is Nick Nolte's mug shot on top of the page.
 
1 members found this post helpful.
Old 11-25-2010, 01:05 AM   #4
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by JoshyJ View Post
For numbers 1,2,3 you would need to look into Pam authentication. For Fedora the file you would need to edit is the /etc/pam.d/system-auth
Here posting first few lines from /etc/pam.d/system-auth .
How would i make the changes permanent .
Code:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
 
Old 11-25-2010, 02:07 AM   #5
JoshyJ
Member
 
Registered: Nov 2003
Location: Sydney , Australia
Distribution: Fedora
Posts: 49

Rep: Reputation: 1
It is basically telling you if you ever run 'authconfig' command it will overwrite whatever you have edited. So what you would do is edit the file to what you want. But don't ever run 'authconfig'.

What I would do also just in case you do run 'authconfig' for whatever reason. Is just to create a copy of the file once you have edited it. So if you ever lose it you can use the backup copy.


Quote:
Originally Posted by pinga123 View Post
Here posting first few lines from /etc/pam.d/system-auth .
How would i make the changes permanent .
Code:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
 
Old 11-25-2010, 02:23 AM   #6
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by Ehtetur View Post
The module pam_passwdqc is used to configure the password settings..

Here's a site that gives you all the gory* details for setting up password policies.

*Actually, they're pretty simple to do. What's gory is Nick Nolte's mug shot on top of the page.
Here is what i have done according to the link.
I have opened the file made following changes restart the system.
Tried to change the password of root user with minimum 5 characters.
to my surprise i was able to change the password .
How this happened ?Do i need to run any command to force PAM authentication?
content from /etc/pam.d/system-auth (The one i have changed is highlighted in bold).
Quote:
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0

Last edited by pinga123; 11-25-2010 at 02:26 AM.
 
Old 11-25-2010, 02:37 AM   #7
JoshyJ
Member
 
Registered: Nov 2003
Location: Sydney , Australia
Distribution: Fedora
Posts: 49

Rep: Reputation: 1
Replace this line.

password requisite pam_cracklib.so try_first_pass retry=3

With this.

password requisite pam_cracklib.so retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0
 
Old 11-25-2010, 05:22 AM   #8
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 37
Quote:
Originally Posted by JoshyJ View Post
Replace this line.

password requisite pam_cracklib.so try_first_pass retry=3

With this.

password requisite pam_cracklib.so retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0
Did it but same problem BTW i m trying to change root's password does it make any difference?
 
Old 11-26-2010, 04:35 AM   #9
JoshyJ
Member
 
Registered: Nov 2003
Location: Sydney , Australia
Distribution: Fedora
Posts: 49

Rep: Reputation: 1
Yes sorry there is a difference. Root is allowed to change password even if it is a bad password. It will warn root but will still change.

Quote:
Originally Posted by pinga123 View Post
Did it but same problem BTW i m trying to change root's password does it make any difference?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problems setting Password policies kentrimble Linux - Newbie 2 01-31-2010 08:36 PM
Password Policies -- Tricky question?? sachinh Linux - General 3 02-08-2008 07:18 PM
Applying Password Policies to All Users kaplan71 Linux - Security 1 11-29-2007 11:03 AM
how to implement MLS policies? gaurav gupta Linux - Security 2 09-26-2007 12:24 AM
Howto change system password policies (passwd length, complexity) tisource Linux - Security 3 09-06-2005 01:01 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 11:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration