Linux Password Controls
I'm having an issue with password controls. I'd like to avoid installing additional PAMs if I can. I'd like to use RedHat's built-in functionality for applying some control on passwords. Please keep in mind that I'm an extreme newbie, so I tend to need more explaining.
Systems: RedHat 8.0 & RedHat 9.0
Here's what I have done so far. I have created a user with the following:
Username: "scott"
Password: "pass123456$"
I want the user to log on to the system for the first time using a password I supply to him (in this case "pass123456$"), and be forced to change that password by the system. I want the system to force the user's password to be:
1 - 11 chars in length, or longer
2 - Contain 1 number
3 - Contain 1 special char like "$"
I also want all future password changes that the user invokes, or that the system forces, to follow those rules. So far, I've edited the file "/etc/pam.d/system-auth" to show the following:
***************************************
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=11 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
****************************************
I've also tried several variations of this, such as "minlen=10 dcredit=1 ocredit=1".
I have tried running the following commands to force a change at initial login:
usermod -L scott
chage -d 0 scott
usermod -p "" scott
The commands above DO force the user to change his/her pass at first login, but it removes the password I previously set and doesn't require an initial password. This is NOT what I want. I want the user to have to enter the password that I give him, THEN be forced to change it.
More importantly, the password rules I set in "/etc/pam.d/system-auth" do not apply. User "scott" can successfully change his/her password to "helloworld" when he logs on, which shouldn't be the case.
Last, but not least, I would love to know how to get the user's account locked out for a period of 15 minutes after 3 consecutive, unsuccessful logons.
Any help you can provide would be greatly appreciated. Thanks!
Scott
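An added example (my own code, not the poster's or Red Hat's) that models pam_cracklib's minlen/credit arithmetic for the two argument lines tried above; it assumes only the length/credit rule matters and leaves out cracklib's dictionary, palindrome and similarity checks.

```python
# Added example (not code from the post): a model of pam_cracklib's
# minlen/credit arithmetic. Only that length test is modelled; cracklib's
# dictionary, palindrome and similarity checks are out of scope here.
CLASSES = ("dcredit", "ucredit", "lcredit", "ocredit")

def parse_cracklib_args(line):
    """Parse key=value tokens; defaults are the module's (minlen=9, credits=1)."""
    opts = {"minlen": 9, "retry": 1, **{cls: 1 for cls in CLASSES}}
    for tok in line.split():
        key, _, val = tok.partition("=")
        if val and key in opts:
            opts[key] = int(val)
    return opts

def class_counts(pw):
    """Digits, upper, lower, and everything else ('other'), as cracklib counts them."""
    counts = dict.fromkeys(CLASSES, 0)
    for c in pw:
        cls = ("dcredit" if c.isdigit() else "ucredit" if c.isupper()
               else "lcredit" if c.islower() else "ocredit")
        counts[cls] += 1
    return counts

def check_password(pw, opts):
    """(accepted, reason) for the length/credit rule: credit >= 0 means up to
    `credit` chars of that class add to the effective length; credit < 0 means
    at least -credit chars of that class are required and add nothing."""
    counts = class_counts(pw)
    effective = len(pw)
    for cls in CLASSES:
        credit, n = opts[cls], counts[cls]
        if credit >= 0:
            effective += min(n, credit)   # a bonus, never a requirement
        elif n < -credit:
            return False, "needs at least %d chars of class %s" % (-credit, cls)
    if effective < opts["minlen"]:
        return False, "effective length %d < minlen %d" % (effective, opts["minlen"])
    return True, "ok"

def accepts(config_line, pw):
    """Does this pam_cracklib argument string accept pw (length rule only)?"""
    return check_password(pw, parse_cracklib_args(config_line))[0]

POSTED = "retry=3 minlen=11 dcredit=-1 ocredit=-1"  # the line from system-auth above
VARIANT = "minlen=10 dcredit=1 ocredit=1"            # the other variant tried
if __name__ == "__main__":
    for cfg in (POSTED, VARIANT):
        for pw in ("pass123456$", "helloworld"):
            print("%-40s %-12s %s" % (cfg, pw, check_password(pw, parse_cracklib_args(cfg))))
```

In this model the posted line (negative credits) rejects "helloworld" for lacking a digit, while the "dcredit=1 ocredit=1" variant accepts it, because positive credits only reward a character class and never require it. If "helloworld" still gets through with the posted line on the real system, the length rule itself is not the reason, so the next thing to check is which PAM service's password stack the forced change actually runs through.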