In this article we will implement a password policy with a certain list of requirements on our CentOS/RHEL 7 Linux node. Each requirement is covered under its own heading. In RHEL/CentOS 7 we can implement password policy using pwquality.conf, but you can also continue to use system-auth and password-auth inside /etc/pam.d; with pwquality.conf, however, the steps to implement password policy are comparatively simpler.
Implement Password Policy
With RHEL 7 we can implement password policy via /etc/security/pwquality.conf, where pwquality.conf is the configuration for the libpwquality library. It provides a way to configure the default password quality requirements for the system passwords. This file is read by the libpwquality library and utilities that use this library for checking and generating passwords. The file has a very simple name = value format with possible comments starting with the # character. Whitespace at the beginning of a line, at the end of a line, and around the = sign is ignored.
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)
Insert the following in /etc/pam.d/system-auth and /etc/pam.d/password-auth (after the pam_pwquality.so line):
password requisite pam_pwhistory.so remember=5 use_authtok
For more information follow How to prevent user from using old password (or re-using) again in Linux
Requirement 2. Password size (Minimum acceptable size for the new password).
Insert the following option in /etc/security/pwquality.conf:
minlen = 9
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password all of the same type of character but may be too low to exploit the added security of an md5 system. Note that Cracklib itself has a pair of length limits: a "way too short" limit of 4 which is hard coded in, and a defined limit (6) that will be checked without reference to minlen. If it is required to allow passwords as short as 5 characters, this module shouldn't be used.
Requirement 3. Set limit to number of digits in password.
Minimum number of numeric characters (dcredit=N)
(N >= 0) This is the maximum credit for having digits in the new password. If the password has N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password.
Insert the following option in /etc/security/pwquality.conf:
dcredit = -1
Here -1 sets the minimum number of digits: the new password must contain at least one digit.
Requirement 4. Set limit to number of Upper Case characters in password
Minimum number of upper case letters (ucredit=N)
(N >= 0) This is the maximum credit for having upper case letters in the new password. If the password has N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be met for a new password.
Insert the following option in /etc/security/pwquality.conf:
ucredit = -1
Here -1 sets the minimum number of upper case letters: the new password must contain at least one upper case letter.
Requirement 5. Set limit to number of Lower Case characters in password
Minimum number of lower case letters (lcredit=N)
(N >= 0) This is the maximum credit for having lower case letters in the new password. If the password has N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be met for a new password.
Insert the following option in /etc/security/pwquality.conf:
lcredit = 1
Here 1 is the maximum credit given for lower case letters in the password.
Requirement 6. Set limit to number of Other characters in password
Minimum number of non-alphanumeric characters (ocredit=N)
(N >= 0) This is the maximum credit for having other characters in the new password. If the password has N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password.
Insert the following option in /etc/security/pwquality.conf:
ocredit = 1
Here 1 is the maximum credit given for other (non-alphanumeric) characters in the password.
- Credit Value > 0: Maximum credit for having the respective characters in the new password.
- Credit Value < 0: Minimum mandatory number of the respective characters required in the new password.
- Credit Value = 0: No mandatory requirement for having the respective character class in the new password.
Requirement 7. Set minimum number of required character classes in the new password
Minimum number of required character classes (digits, upper case, lower case and other) in the new password.
Insert the following option in /etc/security/pwquality.conf:
minclass = 1
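To see how the minlen, credit and minclass settings from Requirements 2 to 7 interact, here is an added Python model (not part of the original article and not libpwquality's own code) that parses the name = value format described above and scores passwords by the rules given for each option. The sample configuration is constructed from the values in this article; the 8-character fallback for a missing minlen and the message texts are assumptions of the model.

```python
"""Model of the minlen / credit / minclass rules described in this article.
Added example, not libpwquality's own code: it parses pwquality.conf's
name = value format and scores passwords as the article describes.
Dictionary, pwhistory and maxrepeat checks are not modelled."""

SAMPLE_CONF = """# constructed pwquality.conf sample, values from the article
minlen = 9
  dcredit = -1
ucredit=-1
lcredit = 1
ocredit = 1
minclass = 1
"""

def parse_pwquality(text):
    """Return {name: value}; whitespace around names, values and '=' is ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:                               # skip lines without '='
            conf[name.strip()] = value.strip()
    return conf

CLASSES = {  # credit option -> (class test, name used in messages)
    "dcredit": (str.isdigit, "digit"),
    "ucredit": (str.isupper, "upper case"),
    "lcredit": (str.islower, "lower case"),
    "ocredit": (lambda c: not c.isalnum(), "other"),
}

def check_password(password, conf):
    """Return (ok, reason). N < 0 is a minimum count of that class; N >= 0
    adds +1 effective length per character of that class, capped at N."""
    size, classes_used = len(password), 0
    for key, (is_class, name) in CLASSES.items():
        count = sum(1 for c in password if is_class(c))
        classes_used += count > 0
        n = int(conf.get(key, "0"))           # unset credit: no bonus, no minimum
        if n < 0 and count < -n:
            return False, f"needs at least {-n} {name} character(s)"
        if n > 0:
            size += min(count, n)
    if classes_used < int(conf.get("minclass", "0")):
        return False, f"needs at least {conf['minclass']} character classes"
    minlen = int(conf.get("minlen", "8"))     # 8 is libpwquality's default
    if size < minlen:
        return False, f"effective length {size} is below minlen {minlen}"
    return True, "ok"
```

With the article's values, "Passw0rd" passes only because the single lcredit point lifts its 8 characters to an effective length of 9, while "ALLCAPS99!" passes without any lower case letters because a positive lcredit is a bonus, not a requirement.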
Requirement 8. Enforce password complexity for root
Insert the following option in /etc/security/pwquality.conf:
enforce_for_root
The same enforce_for_root option can also be given on the pam_pwquality.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth.
Lastly, I hope the steps from this article to implement password policy in Linux were helpful. Let me know your suggestions and feedback using the comment section.
Dear, very good article, but I have a doubt: is there some policy that can be implemented so that first users are asked for a password change at the first entry to the server?
You can expire the user's password after creating it, so the next time they log in, it will prompt for a password change.
I have added enforce_for_root in system-auth & password-auth, and then the root password was not bypassed. Yet when I tried to remove them it is still the same: the root password can't be bypassed.
Do we need to restart any service or reboot the machine after reverting back?
No, modifications in PAM files do not require anything to be restarted.
Do you have any clue why it still uses enforce_for_root after removing it from the configuration?
Can you share how you are specifying this entry in both the auth files?
Ideally, it should be placed like this
I have a question about “Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)”.
Example.
and another website's setting is as below
I would like to know the comparison between sufficient and requisite; I am concerned it could affect the production server. Could you please clear my question? Thank you very much.
You can check this article for details on different flags used in PAM
https://docs.oracle.com/cd/E19253-01/816-4557/pam-15/index.html
Hello,
Can chpasswd bypass these rules?
thanks
Using the root user, most rules are bypassed unless the password restriction is applied to the root user as well.
Hi, I have read your post with big interest.
But I don’t find how to implement password != login.
Could you explain how to prevent this type of password with a PAM policy?
Thanks for all this great job !
Hi Greg,
Do you mean we create a certain list of password which a user should not be allowed to use while changing their password?
Regards
Deepak