Set a Good Password Policy On SuSE Linux


Setting a good password policy is not always easy, and you may receive many complaints from end users, especially non-IT users. Normally they want a password that is as easy as possible, such as "password" or "abc123".

Personally I don't like pam_cracklib and I would prefer pam_passwdqc.

The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.

Here you go: SuSE Linux Password Policy.

Operating System: SLES 9
Required RPM: pam-modules, pwdutils, openssh and coreutils

/etc/pam.d/passwd
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     per_user deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so

/etc/pam.d/sshd

auth     required   pam_listfile.so  item=user sense=deny file=/etc/login.deny
auth     required   pam_tally.so     onerr=fail no_magic_root
auth     required   pam_unix2.so
auth     required   pam_nologin.so
auth     required   pam_env.so
account  required   pam_unix2.so
account  required   pam_nologin.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/login

auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
auth     required   pam_tally.so     onerr=fail no_magic_root
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/su

auth     sufficient pam_rootok.so
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so    deny=5 no_magic_root reset
password required   pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok \
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok use_first_pass use_authtok
session  required   pam_unix2.so    debug

PASSWDQC
retry = the number of times the module will ask for a new password if the user fails to provide a sufficiently strong one and enter it twice the first time
ask_oldauthtok = ask for the old password
check_oldauthtok = tells pam_passwdqc to validate the old password before giving a new password prompt
max = the maximum allowed password length
min = N0,N1,N2,N3,N4

N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters which could not be classified, but are assumed to be non-digits.

N1 is used for passwords consisting of characters from two character classes which do not meet the requirements for a passphrase.

N2 is used for passphrases. A passphrase must consist of sufficient words (see the passphrase option below).

N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.

min=disabled,8,8,8,8 means:
N0 = disabled (passwords made of a single character class are rejected)
N1 = 8 characters from two character classes
N2 = 8 characters for a passphrase with sufficient words
N3/N4 = 8 characters from three and four character classes respectively

/etc/security/pam_pwcheck.conf

password:      minlen=8 nullok md5 remember=3

minlen = the minimum number of characters in an acceptable password
nullok = normally the account is disabled if no password is set or if the length of the password is zero; with this option the user is allowed to change the password for such an account
md5 = hash the new password with the MD5-based algorithm
remember = remember the last XX passwords and don't allow the user to reuse any of them for the next XX password changes

So a valid password under the policy above is a mix of upper and lower case letters, digits, and other characters: you can use an 8 character long password with characters from at least 3 of these 4 classes. An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used.

4 classes:
Upper case letters
Lower case letters
Digits
Other characters
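As an added example (not code from the post or from pam_passwdqc), the Python below models the length rules described above: the min=N0,...,N4 table with min=disabled,8,8,8,8 max=25, the four character classes, and the rule that a leading upper case letter and a trailing digit earn no class credit. It is a simplified model, not the real module, which also runs dictionary, similarity and repetition checks; the passphrase word count of 3 is passwdqc's default and is an assumption here, as are the sample passwords.

```python
# Policy from the post: min=disabled,8,8,8,8 max=25 (None = disabled).
MIN = (None, 8, 8, 8, 8)
MAX = 25
PASSPHRASE_WORDS = 3  # passwdqc default; not stated in the post (assumption)


def passwdqc_classes(password: str) -> int:
    """Count character classes used (digits, lower, upper, other).
    Per the post, a leading upper-case letter and a trailing digit earn no
    credit, so they are dropped first. Non-ASCII counts as "other".
    """
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.isascii() and ch.isdigit():
            classes.add("digit")
        elif ch.isascii() and ch.islower():
            classes.add("lower")
        elif ch.isascii() and ch.isupper():
            classes.add("upper")
        else:
            classes.add("other")  # punctuation, space, non-ASCII
    return len(classes)


def check_password(password: str):
    """Apply the N0..N4 table; returns (accepted, reason)."""
    if len(password) > MAX:
        return False, "longer than max=%d" % MAX
    n = passwdqc_classes(password)
    # N0 for one class, N1 for two, N3/N4 for three/four classes.
    needed = [MIN[0] if n <= 1 else MIN[1] if n == 2 else MIN[n]]
    if len(password.split()) >= PASSPHRASE_WORDS:
        needed.append(MIN[2])  # a passphrase may instead satisfy N2
    allowed = [m for m in needed if m is not None]
    if not allowed:
        return False, "single-class passwords are disabled (N0)"
    if len(password) < min(allowed):
        return False, "need at least %d characters" % min(allowed)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("password", "Password1", "pass-W0rd", "ab12cd", "ab12cdef"):
        print("%-12r -> %s" % (pw, check_password(pw)[1]))
```

Note that "Password1" is rejected: once the leading capital and trailing digit are discounted only one class remains, which is exactly the weak pattern the rule is meant to catch.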

Enjoy! SuSE Linux Password Policy.


One Response to “Set a Good Password Policy On SuSE Linux”

  1. mike Says:

    Cool. Thanks for sharing and I will try as suggested by you.
