Set a Good Password Policy On SuSE Linux

Posted by Planet Malaysia on September 19, 2008


Setting a good password policy is not always easy, and you may receive many complaints from end users, especially those outside IT. Normally they want something like "password" or "abc123", as easy as possible.

Personally I don't like pam_cracklib and I would prefer pam_passwdqc.

The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.

Here you go: SuSE Linux Password Policy.

Operating System: SLES 9
Required RPMs: pam-modules, pwdutils, openssh and coreutils

/etc/pam.d/passwd

auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     per_user deny=5 no_magic_root reset
# one entry, wrapped with a trailing backslash; a bare "min=..." line on its own
# is not a valid PAM entry and the options on it would never reach pam_passwdqc
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
                                     min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so

/etc/pam.d/sshd

auth     required   pam_listfile.so  item=user sense=deny file=/etc/login.deny
auth     required   pam_tally.so     onerr=fail no_magic_root
auth     required   pam_unix2.so
auth     required   pam_nologin.so
auth     required   pam_env.so
account  required   pam_unix2.so
account  required   pam_nologin.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
                                     min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/login

# pam_tally must come before the requisite pam_unix2: its auth component is what
# increments the failure counter, and a failed requisite module ends the stack at
# once, so placed after it the counter would never move and deny=5 would never fire
auth     required   pam_tally.so     onerr=fail no_magic_root
auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
                                     min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/su

auth     sufficient pam_rootok.so
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
                                     min=disabled,8,8,8,8 max=25
# use_first_pass/use_authtok as in the other stacks, so pam_pwcheck checks the
# password pam_passwdqc accepted instead of prompting for another one
password required   pam_pwcheck.so   nullok use_first_pass use_authtok
password required   pam_unix2.so     nullok use_first_pass use_authtok
session  required   pam_unix2.so     debug
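Before relying on stacks like these it is worth linting them, because two easy hand-editing mistakes silently defeat the policy: a pam_tally auth entry placed after a requisite pam_unix2 (the counter is never incremented on a wrong password, so deny=5 never fires), and a wrapped pam_passwdqc option line that is not joined to its entry with a trailing backslash (PAM cannot parse the bare line, so those options never reach the module). The script below is an added example, not part of the original post and not a SUSE tool; the PAM files are constructed strings embedded in the script rather than files read from /etc/pam.d, the sample names (LOGIN_TALLY_LATE, LOGIN_TALLY_FIRST, SU_NO_USE_AUTHTOK) are mine, and the checks cover only what these four stacks need, not full PAM semantics.

```python
"""Lint hand-edited /etc/pam.d stacks for two mistakes that silently defeat the
policy above.  Added example, not part of the original post and not a SUSE tool:
the PAM files are constructed strings here rather than files read from
/etc/pam.d, and the checks cover only what these four stacks need."""
from collections import namedtuple

Entry = namedtuple("Entry", "type control module args lineno")
GROUPS = {"auth", "account", "password", "session"}


def parse_pam(text):
    """Parse a pam.d service file into Entry objects.

    As in Linux-PAM, '#' starts a comment and a line ending in a backslash is
    joined to the next one.  A line that does not start with a management group
    is reported rather than skipped: PAM cannot parse it either.
    """
    entries, errors, pending = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if pending:
            start, line = pending[0], pending[1] + " " + line
            pending = None
        else:
            start = lineno
        if line.endswith("\\"):
            pending = (start, line[:-1].rstrip())
            continue
        fields = line.split()
        if not fields:
            continue
        if fields[0] not in GROUPS or len(fields) < 3:
            errors.append("line %d: not a PAM entry: %r" % (start, line))
            continue
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3:], start))
    return entries, errors


def lint_stack(text):
    """Return a list of problems; an empty list means the stack passes both checks."""
    entries, problems = parse_pam(text)

    # 1. pam_tally's *auth* component is what increments the failure counter.
    #    A failing 'requisite' module earlier in the auth stack ends the stack
    #    immediately, so the counter never moves and deny=5 never triggers.
    auth = [e for e in entries if e.type == "auth"]
    tally = next((i for i, e in enumerate(auth) if e.module == "pam_tally.so"), None)
    if tally is not None:
        for e in auth[:tally]:
            if e.control == "requisite":
                problems.append("line %d: requisite %s runs before pam_tally.so, so "
                                "failed logins are never counted" % (e.lineno, e.module))

    # 2. Every password module after pam_passwdqc must reuse the password it
    #    approved (use_authtok); otherwise it prompts again and can store a
    #    password pam_passwdqc never saw.
    pw = [e for e in entries if e.type == "password"]
    qc = next((i for i, e in enumerate(pw) if e.module == "pam_passwdqc.so"), None)
    if qc is not None:
        for e in pw[qc + 1:]:
            if "use_authtok" not in e.args:
                problems.append("line %d: %s lacks use_authtok after pam_passwdqc.so"
                                % (e.lineno, e.module))
    return problems


# Constructed inputs.  LOGIN_TALLY_LATE has pam_tally after a requisite pam_unix2
# and a wrapped option line with no backslash; LOGIN_TALLY_FIRST fixes both.
LOGIN_TALLY_LATE = r"""auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_tally.so     onerr=fail no_magic_root
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
"""
LOGIN_TALLY_FIRST = r"""auth     required   pam_tally.so     onerr=fail no_magic_root
auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok \
                                     min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
"""
# A su-style password stack in which pam_pwcheck does not take use_authtok.
SU_NO_USE_AUTHTOK = r"""password required   pam_passwdqc.so  retry=5 min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   nullok
password required   pam_unix2.so     nullok use_first_pass use_authtok
"""

if __name__ == "__main__":
    for name in ("LOGIN_TALLY_LATE", "LOGIN_TALLY_FIRST", "SU_NO_USE_AUTHTOK"):
        print(name, lint_stack(globals()[name]) or "ok")
```

To lint the real files, feed `open("/etc/pam.d/login").read()` to lint_stack instead of the constructed strings; the line numbers in its messages then refer to the actual file.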

PASSWDQC
retry = the number of times the module will ask for a new password if the user fails to provide a sufficiently strong one, or fails to enter it identically twice the first time
ask_oldauthtok = ask for the old password before asking for the new one
check_oldauthtok = validate the old password before giving the new password prompt
max = the maximum allowed password length
min = N0,N1,N2,N3,N4 (the minimum length for each kind of password; "disabled" means that kind of password is never accepted)

N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters which could not be classified, but are assumed to be non-digits.

N1 is used for passwords consisting of characters from two character classes which do not meet the requirements for a passphrase.

N2 is used for passphrases. A passphrase must consist of sufficient words (the passphrase=N option sets how many; pam_passwdqc's default is 3).

N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.

min=disabled,8,8,8,8 means:
N0 = disabled: a password built from a single character class is never accepted, whatever its length
N1 = 8 characters from two character classes
N2 = 8 characters for a passphrase (three or more words)
N3/N4 = 8 characters from three or four character classes

/etc/security/pam_pwcheck.conf

password:      minlen=8 nullok md5 remember=3

minlen = the minimum number of characters in an acceptable password, enforced by pam_pwcheck in addition to pam_passwdqc's min=
nullok = normally the account is disabled if no password is set or if the password has zero length; with nullok the user is still allowed to change the password of such an account
md5 = hash new passwords with MD5 instead of the traditional DES crypt, which only uses the first 8 characters of a password (without it, max=25 above buys nothing)
remember = remember the last XX passwords and refuse to let the user reuse any of them for the next XX password changes

So a valid password under the policy above is built from the four classes below. Note that "8 characters from at least 3 of the 4 classes" is not what min=disabled,8,8,8,8 enforces: N1=8 already accepts 8 characters from two classes (or a passphrase of three or more words), and only a single-class password is refused outright. To really require three classes, set N1 (and N2, if you do not want passphrases either) to disabled as well. Also remember that an upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used, so something like Password1 counts as one class and is rejected even though it is 9 characters long.

4 classes:
Upper case letters
Lower case letters
Digits
Other character
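To see what min=disabled,8,8,8,8 actually lets through, here is a small Python model of the rules described above: the class count with the leading-upper-case and trailing-digit discount, the passphrase path for two-class passwords, and max=. It is an added example, not code from the original post or from pam_passwdqc itself, and it deliberately models only those rules: it handles ASCII only and leaves out passwdqc's checks against the old password and the user name. POSTED_POLICY is the policy from this post; PASSWDQC_DEFAULT is the module's documented default (min=disabled,24,11,8,7 max=40), included so the passphrase rule can be seen doing something, which it cannot when every threshold is 8. The candidate passwords are constructed for the demonstration.

```python
"""Model of how pam_passwdqc applies min=N0,N1,N2,N3,N4, max= and passphrase=.

Added example, not part of the original post and not pam_passwdqc's own code:
it re-implements the classification rules from the man page that the text
above paraphrases, so you can see which passwords a policy lets through before
rolling it out.  Simplifications: ASCII only (passwdqc has a special class for
non-ASCII), and none of passwdqc's checks against the old password or the user
name are modelled.
"""
import re
import string

POSTED_POLICY = ("disabled,8,8,8,8", 25)      # the min= and max= used in this post
PASSWDQC_DEFAULT = ("disabled,24,11,8,7", 40)  # pam_passwdqc's documented defaults


def parse_min(spec):
    """'disabled,8,8,8,8' -> [None, 8, 8, 8, 8]; None means never accepted."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= takes exactly five values")
    return [None if p == "disabled" else int(p) for p in parts]


def class_count(pw):
    """Number of character classes after the two discounts passwdqc applies:
    an upper-case letter at the start and a digit at the end do not count."""
    digits = sum(c in string.digits for c in pw)
    lowers = sum(c in string.ascii_lowercase for c in pw)
    uppers = sum(c in string.ascii_uppercase for c in pw)
    others = len(pw) - digits - lowers - uppers
    if uppers and pw[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and pw[-1] in string.digits:
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def meets(length, minimum):
    return minimum is not None and length >= minimum


def passes_min(pw, mins, passphrase_words=3):
    """Walk from the strongest applicable rule down, as passwdqc does: a
    two-class password may still qualify as a passphrase if it has enough words."""
    length = len(pw)
    words = len(re.findall(r"[A-Za-z]+", pw))  # a word starts where a letter follows a non-letter
    for classes in range(class_count(pw), 0, -1):
        if classes == 1 and meets(length, mins[0]):
            return True
        if classes == 2 and (meets(length, mins[1]) or
                             (passphrase_words and words >= passphrase_words
                              and meets(length, mins[2]))):
            return True
        if classes == 3 and meets(length, mins[3]):
            return True
        if classes == 4 and meets(length, mins[4]):
            return True
    return False


def check(pw, policy=POSTED_POLICY, passphrase_words=3):
    """Return (accepted, reason) for one candidate under a (min=, max=) policy."""
    min_spec, max_len = policy
    if not pw:
        return False, "empty"
    if len(pw) > max_len:
        return False, "longer than max=%d" % max_len
    if not passes_min(pw, parse_min(min_spec), passphrase_words):
        return False, "too short for %d character class(es)" % class_count(pw)
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates; "Password1" counts as a single class after the discounts.
    for pw in ("password", "Password1", "passw0rd", "abc123", "red car gone"):
        print("%-14r posted: %-28s default: %s" % (pw, check(pw), check(pw, PASSWDQC_DEFAULT)))
```

Running it shows the point made in the text: "Password1" is rejected under both policies (one class after the discounts), "passw0rd" is accepted by the posted policy with only two classes, and "red car gone" passes the default policy only because three words make it a passphrase judged against N2=11 rather than N1=24.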

Enjoy! SuSE Linux Password Policy.

Comments

6 Responses to “Set a Good Password Policy On SuSE Linux”

  1. mike on October 16th, 2008 11:21 pm

    Cool. Thanks for sharing, and I will try as suggested by you.

  2. Peter on December 10th, 2008 7:58 pm

    This is something I need to implement on my SLES server with LDAP authentication.
    I’m using password policy overlay at present, but this does not allow to specify upper/lower case, etc restrictions.

  3. andy on December 31st, 2008 11:14 am

    Thanks for the information, some useful information here. I am putting together a guide on this topic for my work/blog and the information here is useful.

  4. yudi on February 4th, 2009 8:57 am

    Hello..
    I've tried the information above but there is still no change, I can still input a password of less than 8 characters, but if I set a password of less than 5 characters a message shows up that the password cannot be changed to less than 5 characters. I don't know why; the only thing I'm sure of is that I have never set a minimum password length of 5 characters... anybody have a clue please...

  5. Karthik on June 29th, 2010 3:34 pm

    Hi,

    I need a password with a minimum length of 6 and a maximum of 8, and it should contain all the combinations of letters and digits & symbols

    Example

    in@D2Aa

    Could you please suggest how to do this with pam_passwdqc?

    Any help will be appreciated.

  6. Retention Logs - SuSE 10 SP2 on October 9th, 2010 5:12 am

    [...] For password policies maybe this will do the trick? http://www.planetmy.com/blog/set-a-g…licy-on-linux/ Hope it [...]
