Password Restrict.. Password History in RHEL 5.0

your_shadow03 · 08-12-2008, 11:46 PM

I cant see any option setting up Password Restrict or Password History in /etc/login.defs in RHEL 5.0?

Anyone having any idea how to setup that?

Mr. C. · 08-12-2008, 11:49 PM

See http://www.kernel.org/pub/linux/libs..._cracklib.html

your_shadow03 · 08-13-2008, 12:02 AM

Thanks for the quick reply.I checked with the same I guess I need those entries in my pam.conf:

Code:

passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_unix.so use_authtok

For password restrictional entry.

I dont see any option for password history and password complex ?

Mr. C. · 08-13-2008, 12:32 AM

It is noted as:

Quote:

Already used

Was the password used in the past? Previously used passwords are to be found in /etc/security/opasswd.

but see also: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

It works for users, not when root runs passwd user.

your_shadow03 · 08-13-2008, 01:55 AM

You are Genious Personality I think.
You deserves to be "LINUX GURU".

Thanks the link you sent solves my all queries.

"SMALL NAME(Mr. C) BUT GREAT THOUGHTS"

Thanks

your_shadow03 · 08-14-2008, 03:40 AM

Wait..
I need more help.I tried making these entries but when I am trying to change the user password as simpe dictionary word its taking without any restriction:

here are the files :

Code:

cat login

#%PAM-1.0

auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

auth       include      system-auth

account    required     pam_nologin.so

account    include      system-auth

password   include      system-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    include      system-auth

session    required     pam_loginuid.so

session    optional     pam_console.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open

session    optional     pam_keyinit.so force revoke

 

[root@spitdbrep001 pam.d]# cat system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        required      pam_deny.so

 

account     required      pam_unix.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     required      pam_permit.so

 

password    requisite     pam_cracklib.so  retry=3 minlen=8

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authok

password    required      pam_deny.so

 

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

 

 

[root@spitdbrep001 pam.d]# cat passwd

#%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth

 

password  required pam_cracklib.so minlen=8

lcredit=1 ucredit=1 dcredit=1 ocredit=1

password reqired pam_unix.so use_authok md5 remember=8

Mr. C. · 08-14-2008, 10:33 AM

Does the dictionary exist (by default in /var/cache/cracklib)?