Setting a good password policy is not always easy, and you may receive many complaints from end users, especially non-IT users. They usually want passwords that are as easy as possible, such as "password" or "abc123".
Personally, I don't like pam_cracklib and I prefer pam_passwdqc.
The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.
Here you go: SuSE Linux Password Policy.
Operating System: SLES 9
Required RPM: pam-modules, pwdutils, openssh and coreutils
/etc/pam.d/passwd
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
/etc/pam.d/sshd
auth required pam_listfile.so item=user sense=deny file=/etc/login.deny
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_unix2.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/login
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
auth required pam_tally.so onerr=fail no_magic_root
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so debug
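One way to check that a service file carries the intended policy, as an added example that is not part of the original post: the script parses a PAM stack, decodes the five min= fields of pam_passwdqc, and reads the pam_tally deny= threshold. The names in MIN_FIELDS, the function names and the embedded sample are assumptions made for the illustration; only simple control values such as "required" are handled.

```python
# Constructed sample: the /etc/pam.d/passwd stack from this page, with the
# pam_passwdqc rule continued onto a second line by a trailing backslash.
SAMPLE = """\
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok \\
    min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
"""

# Order of the min= fields in pam_passwdqc: N0..N4 (labels are this example's own).
MIN_FIELDS = ("one_class", "two_classes", "passphrase", "three_classes", "four_classes")

def parse_stack(text):
    """Return [(type, control, module, [args])]; a wrapped rule without a
    trailing backslash is not a valid rule and raises ValueError here."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        mtype, control, module, *args = line.split()
        rules.append((mtype, control, module, args))
    return rules

def summarize(text):
    """Extract the passwdqc length policy and the pam_tally lockout threshold."""
    out = {"min": None, "max": None, "deny": None, "qc_before_unix2": False}
    password_mods = []
    for mtype, _control, module, args in parse_stack(text):
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if mtype == "password":
            password_mods.append(module)
        if module == "pam_passwdqc.so" and "min" in opts:
            out["min"] = {k: (None if v == "disabled" else int(v))
                          for k, v in zip(MIN_FIELDS, opts["min"].split(","))}
            out["max"] = int(opts["max"]) if "max" in opts else None
        elif module == "pam_tally.so" and "deny" in opts:
            out["deny"] = int(opts["deny"])
    if "pam_passwdqc.so" in password_mods and "pam_unix2.so" in password_mods:
        # The strength check must run before pam_unix2 stores the new token.
        out["qc_before_unix2"] = (password_mods.index("pam_passwdqc.so")
                                  < password_mods.index("pam_unix2.so"))
    return out
```

A value of None in the min map means that kind of password is disabled, so with min=disabled,8,8,8,8 a single-character-class password is rejected at any length.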