How to implement password policy in RHEL Linux with examples

In this article we will implement a password policy with a certain list of requirements on our CentOS/RHEL 7 Linux node. Each requirement is covered under its own heading. In RHEL/CentOS 7 we can implement the password policy using pwquality.conf; you can also continue to use system-auth and password-auth inside /etc/pam.d, but with pwquality.conf the steps to implement the password policy are comparatively simpler.


Implement Password Policy

With RHEL 7 we can implement the password policy via /etc/security/pwquality.conf, the configuration file for the libpwquality library. It provides a way to configure the default password quality requirements for system passwords. The file is read by the libpwquality library and by the utilities that use this library for checking and generating passwords. It has a very simple name = value format, with comments starting with the # character. Whitespace at the beginning of a line, at the end of a line, and around the = sign is ignored.


Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)

Insert the following in /etc/pam.d/system-auth and /etc/pam.d/password-auth (after pam_pwquality.so line):

password    requisite     pam_pwhistory.so remember=5 use_authtok

For more information, see How to prevent user from using old password (or re-using) again in Linux.


Requirement 2. Password size (Minimum acceptable size for the new password).

Insert the following option in /etc/security/pwquality.conf:

minlen = 9

The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old style UNIX password all of the same type of character but may be too low to exploit the added security of an md5 system.

NOTE:
There is a pair of length limits in Cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If it is required to allow passwords as short as 5 characters this module shouldn't be used.


Requirement 3. Set limit to number of digits in password.

Minimum number of numeric characters (dcredit=N)

(N >= 0) This is the maximum credit for having digits in the new password. If the password has N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be present in a new password.

Insert the following option in /etc/security/pwquality.conf:

dcredit = -1

Here -1 means the password must contain at least one digit.


Requirement 4. Set limit to number of Upper Case characters in password

Minimum number of upper case letters (ucredit=N)

(N >= 0) This is the maximum credit for having upper case letters in the new password. If the password has N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be present in a new password.

Insert the following option in /etc/security/pwquality.conf:

ucredit = -1

Here -1 means the password must contain at least one uppercase character.


Requirement 5. Set limit to number of Lower Case characters in password

Minimum number of lower case letters (lcredit=N)

(N >= 0) This is the maximum credit for having lower case letters in the new password. If the password has N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be present in a new password.

Insert the following option in /etc/security/pwquality.conf:

lcredit = 1

Here 1 is the maximum credit given for lowercase characters towards minlen; it does not require any lowercase characters.


Requirement 6. Set limit to number of Other characters in password

Minimum number of non-alphanumeric characters (ocredit=N)

(N >= 0) This is the maximum credit for having other (non-alphanumeric) characters in the new password. If the password has N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be present in a new password.

Insert the following option in /etc/security/pwquality.conf:

ocredit = 1

Here 1 is the maximum credit given for other characters towards minlen; it does not require any other characters.

  1. Credit value > 0: maximum credit given for having the respective characters in the new password.
  2. Credit value < 0: minimum mandatory number of the respective characters required in the new password.
  3. Credit value = 0: no mandatory requirement for having the respective character class in the new password.


Requirement 7. Set minimum number of required character classes in the new password

Minimum number of required character classes in the new password (minclass=N)

Insert the following option in /etc/security/pwquality.conf:

minclass = 1


Requirement 8. Enforce password complexity for root

Insert the following option in /etc/security/pwquality.conf (by default root is only warned when a new password fails the checks; with this option the checks fail for root as well):

enforce_for_root
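To see how the settings above combine, here is an added example (not code from the article or from libpwquality) that parses a constructed pwquality.conf fragment in the name = value format described earlier and applies the credit, minlen, minclass and enforce_for_root rules to candidate passwords. The DEFAULTS table and the function names are my own assumptions, modelled on the behaviour the man pages describe.

```python
# Constructed sample in the name = value format of /etc/security/pwquality.conf
SAMPLE_CONF = """
minlen   =  9     # comments and whitespace around '=' are ignored
dcredit = -1
ucredit = -1
lcredit = 1
ocredit = 1
minclass = 1
enforce_for_root
"""
DEFAULTS = {"minlen": 8, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "minclass": 0, "enforce_for_root": False}  # used when a key is absent
CLASS_NAMES = {"dcredit": "digit", "ucredit": "uppercase",
               "lcredit": "lowercase", "ocredit": "other"}
def parse_pwquality(text):
    """Parse pwquality.conf-style text into a settings dict."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comment and edge whitespace
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = int(value)
        elif line:
            settings[line] = True                   # bare flag such as enforce_for_root
    return settings

def check_password(password, settings):
    """Apply the credit rules; return None when accepted, else the failing rule."""
    counts = dict.fromkeys(CLASS_NAMES, 0)
    for ch in password:                             # anything not digit/upper/lower is "other"
        counts["dcredit" if ch.isdigit() else "ucredit" if ch.isupper()
               else "lcredit" if ch.islower() else "ocredit"] += 1
    required_len = settings["minlen"]
    for key, count in counts.items():
        credit = settings[key]
        if credit < 0 and count < -credit:          # N < 0: hard minimum for this class
            return f"needs at least {-credit} {CLASS_NAMES[key]} character(s)"
        if credit >= 0:                             # N >= 0: +1 per char toward minlen, capped at N
            required_len -= min(count, credit)
    if len(password) < required_len:
        return f"too short: needs {required_len} characters after credits"
    if sum(1 for c in counts.values() if c > 0) < settings["minclass"]:
        return f"needs {settings['minclass']} character classes"
    return None

def password_accepted(password, settings, user):
    """pam_pwquality only warns root unless enforce_for_root is set."""
    problem = check_password(password, settings)
    return problem is None or (user == "root" and not settings["enforce_for_root"])
SETTINGS = parse_pwquality(SAMPLE_CONF)
```

With the article's settings an 8-character Passw0rd is accepted because the lowercase credit lowers the effective minlen to 8, while PASSW0RD (no lowercase credit) is rejected as too short.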


Lastly, I hope the steps from the article to implement password policy in Linux were helpful. So, let me know your suggestions and feedback using the comment section.


Deepak Prasad


12 thoughts on “How to implement password policy in RHEL Linux with examples”

  1. Dear, very good article, but I have a doubt: is there some policy that can be implemented so that first-time users are asked to change their password at their first login to the server?

  2. I have added enforce_for_root in system-auth & password-auth, and then the root password was not bypassed. Yet when I tried to remove them it is still the same: the root password can’t be bypassed.

    Do we need to restart any service or reboot the machine after reverting back?

  3. I have a question about how to do “Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)”.

    Example.

    password sufficient pam_unix.so remember=5

    and other website setting as below

    password    requisite     pam_pwhistory.so remember=5 use_authtok

    I would like to know the comparison between sufficient and requisite; I am concerned it may affect the production server. Could you please clear up my question? Thank you very much.

  4. Hi, I have read your post with big interest.
    But I don’t find how to implement password != login.
    Could you explain how to prevent this type of password with a pam policy?
    Thanks for all this great job !

    • Hi Greg,
      Do you mean we create a certain list of password which a user should not be allowed to use while changing their password?

      Regards
      Deepak
