Set a Good Password Policy On SuSE Linux
Posted by Planet Malaysia on September 19, 2008
Setting a good password policy is not always easy, and you may receive many complaints from end users, especially non-IT users. They usually want a password that is as easy as possible, like "password" or "abc123".
Personally I don't like pam_cracklib and I would prefer pam_passwdqc.
The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.
Here you go: SuSE Linux Password Policy.
Operating System: SLES 9
Required RPMs: pam-modules, pwdutils, openssh and coreutils
/etc/pam.d/passwd
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
/etc/pam.d/sshd
auth required pam_listfile.so item=user sense=deny file=/etc/login.deny
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_unix2.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/login
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
auth required pam_tally.so onerr=fail no_magic_root
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so debug
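The stacks above all place pam_passwdqc first in the password group and give the modules after it use_first_pass use_authtok, so that the password actually stored is the one pam_passwdqc checked; a later module that is allowed to prompt for a new password of its own makes the strength check irrelevant. The su stack lists pam_pwcheck.so with nullok only. The following audit helper is an added example, not part of the post and not SuSE or PAM code: it parses /etc/pam.d-style text (the two stacks below are constructed copies of the passwd and su stacks from the post) and reports any password module that follows the checker without use_authtok, or a checker whose control flag would not block the change on failure.

```python
# Constructed copies of two password stacks shown in the post.
PASSWD_STACK = """\
auth     required pam_unix2.so nullok
account  required pam_unix2.so
account  required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so
"""

SU_STACK = """\
auth     sufficient pam_rootok.so
auth     required pam_unix2.so nullok
account  required pam_unix2.so
account  required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session  required pam_unix2.so debug
"""


def parse_pam(text):
    """Parse /etc/pam.d-style lines into (type, control, module, [args]).
    Blank lines and '#' comments are skipped; anything shorter than three
    fields is treated as malformed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def audit_password_stack(text, checker="pam_passwdqc.so"):
    """Return a list of findings about the 'password' management group.

    Checks (assumptions about what an administrator wants to enforce):
      1. the strength checker is present in the stack;
      2. its control flag is required/requisite, so a failed check blocks the change;
      3. every module after it carries use_authtok, so it reuses the checked
         password instead of prompting for a new one of its own.
    """
    stack = [e for e in parse_pam(text) if e[0] == "password"]
    modules = [e[2] for e in stack]
    if checker not in modules:
        return [f"{checker} is not in the password stack; no strength check runs"]
    pos = modules.index(checker)
    findings = []
    control = stack[pos][1]
    if control not in ("required", "requisite"):
        findings.append(f"{checker} is '{control}'; a failed check would not block the change")
    for _, _, module, args in stack[pos + 1:]:
        if "use_authtok" not in args:
            findings.append(
                f"{module} follows {checker} without use_authtok: "
                "it may prompt for its own new password, bypassing the check")
    return findings


if __name__ == "__main__":
    for name, text in (("passwd", PASSWD_STACK), ("su", SU_STACK)):
        problems = audit_password_stack(text)
        print(f"{name}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Running it reports the passwd stack as clean and flags pam_pwcheck.so in the su stack, which is worth a second look when the same policy is expected to apply to every way a password can be changed.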
PASSWDQC
retry = the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time
ask_oldauthtok = ask for the old password
check_oldauthtok = this tells pam_passwdqc to validate the old password before giving a new password prompt
max = the maximum allowed password length
min = N0,N1,N2,N3,N4
N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters which could not be classified, but are assumed to be non-digits.
N1 is used for passwords consisting of characters from two character classes which do not meet the requirements for a passphrase.
N2 is used for passphrases. A passphrase must consist of sufficient words (see the passphrase option below).
N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.
min=disabled,8,8,8,8 means
N0 = disabled (passwords from a single character class are never accepted)
N1 = 8 characters from two character classes
N2 = 8 characters for a passphrase with sufficient words
N3/N4 = 8 characters from three and four character classes
/etc/security/pam_pwcheck.conf
password: minlen=8 nullok md5 remember=3
minlen = the minimum number of characters in an acceptable password
nullok = normally the account is disabled if no password is set or if the length of the password is zero; this option allows such accounts
md5 = hash passwords with the MD5 function
remember = remember the last XX passwords and don't allow the user to reuse any of them for the next XX password changes
So a valid password under the policy above should mix upper and lower case letters, digits, and other characters. You can use an 8-character password with characters from at least 3 of these 4 classes. An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used.
4 classes:
Upper case letters
Lower case letters
Digits
Other characters
Enjoy! SuSE Linux Password Policy.
Comments
4 Responses to “Set a Good Password Policy On SuSE Linux”
Cool. Thanks for sharing and I will try as suggested by you.
This is something I need to implement on my SLES server with LDAP authentication.
I'm using the password policy overlay at present, but this does not allow specifying upper/lower case, etc. restrictions.
Thanks for the information, some useful information here. I am putting together a guide on this topic for my work/blog and the information here is useful.
Halloo..
I've tried the information above but there is still no change; I can still input a password of less than 8 characters, but if I set the password to less than 5 characters the message shows up that I cannot change the password to less than 5 characters. I don't know why; the only thing I'm sure of is that I have never set a minimum password length of 5 characters... anybody have a clue please...