Set a Good Password Policy On SuSE Linux
Tags: Linux, md5, passwdqc, Password, SLES, SUSE
Setting a good password policy is not always easy, and you may get many complaints from end users, especially non-IT users. They usually want something like password or abc123, as easy as possible.
Personally I don't like pam_cracklib and would prefer pam_passwdqc.
The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.
Here you go: SuSE Linux Password Policy.
Operating System: SLES 9
Required RPM: pam-modules, pwdutils, openssh and coreutils
/etc/pam.d/passwd
auth     required pam_unix2.so nullok
account  required pam_unix2.so
account  required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so
/etc/pam.d/sshd
auth     required pam_listfile.so item=user sense=deny file=/etc/login.deny
auth     required pam_tally.so onerr=fail no_magic_root
auth     required pam_unix2.so
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix2.so
account  required pam_nologin.so
account  required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so none
session  required pam_limits.so
/etc/pam.d/login
auth     requisite pam_unix2.so nullok
auth     required pam_securetty.so
auth     required pam_nologin.so
auth     required pam_env.so
auth     required pam_mail.so
auth     required pam_tally.so onerr=fail no_magic_root
account  required pam_unix2.so
account  required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so none
session  required pam_limits.so
/etc/pam.d/su
auth     sufficient pam_rootok.so
auth     required pam_unix2.so nullok
account  required pam_unix2.so
account  required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session  required pam_unix2.so debug
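One thing worth checking in every one of these stacks is that the password group really is protected by pam_passwdqc: the module that writes the new hash (pam_unix2 here) has to run after the checker and take the already-validated token with use_authtok, otherwise it prompts for a new password of its own that nobody checks. The small linter below is an added example, not code from the page or from SUSE; it parses the /etc/pam.d/passwd stack shown above (embedded as a constructed string) and a hypothetical broken stack, and reports only on module order, use_authtok and a missing min= setting.

```python
"""Added example: a small linter for the password group of a PAM stack.

Assumption (not from the page): the strength checker only protects the change if
the module that actually writes the new hash (pam_unix2 here) runs after it and
takes the token it validated (use_authtok) instead of prompting on its own.
"""

# Constructed sample: the /etc/pam.d/passwd stack shown on this page.
PASSWD_STACK = """\
auth     required pam_unix2.so nullok
account  required pam_unix2.so
account  required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so
"""

# Constructed counter-example (hypothetical, not from the page): the setter runs
# first and without use_authtok, so whatever the user types at its prompt is
# stored without ever being seen by pam_passwdqc.
BROKEN_STACK = """\
# comment lines and blank lines are ignored
password required pam_unix2.so nullok
password required pam_passwdqc.so min=disabled,8,8,8,8 max=25
"""


def parse_pam(text):
    """Return (type, control, module, args) tuples for each effective line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def lint_password_stack(text, checker="pam_passwdqc.so", setter="pam_unix2.so"):
    """Return a list of findings; an empty list means the password group is sane."""
    findings = []
    group = [e for e in parse_pam(text) if e[0] == "password"]
    checker_idx = [i for i, e in enumerate(group) if e[2] == checker]
    setter_idx = [i for i, e in enumerate(group) if e[2] == setter]

    if not checker_idx:
        findings.append("%s is missing from the password group" % checker)
    if not setter_idx:
        findings.append("%s is missing from the password group" % setter)
    if checker_idx and setter_idx and setter_idx[0] < checker_idx[0]:
        findings.append("%s runs before %s: the hash is written before the "
                        "strength check" % (setter, checker))
    for i in setter_idx:
        if "use_authtok" not in group[i][3]:
            findings.append("%s lacks use_authtok: it prompts for its own new "
                            "password, which %s never checks" % (setter, checker))
    for i in checker_idx:
        if not any(a.startswith("min=") for a in group[i][3]):
            findings.append("%s has no min= setting, so the compiled-in default "
                            "applies" % checker)
    return findings


if __name__ == "__main__":
    for name, stack in (("passwd", PASSWD_STACK), ("broken", BROKEN_STACK)):
        print(name, lint_password_stack(stack) or ["OK"])
```

Point it at your own files with `lint_password_stack(open("/etc/pam.d/sshd").read())`; the four stacks on this page all pass the order and use_authtok checks.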
PASSWDQC
retry = the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time
ask_oldauthtok = ask for the old password
check_oldauthtok = this tells pam_passwdqc to validate the old password before giving a new password prompt
max = the maximum allowed password length
min = N0,N1,N2,N3,N4
N0 is used for passwords consisting of characters from one character class only. The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters which could not be classified, but are assumed to be non-digits.
N1 is used for passwords consisting of characters from two character classes which do not meet the requirements for a passphrase.
N2 is used for passphrases. A passphrase must consist of sufficient words (see the passphrase option below).
N3 and N4 are used for passwords consisting of characters from three and four character classes, respectively.
min=disabled,8,8,8,8 means
N0 = disabled: a password made of one character class only is rejected, however long it is
N1 = 8 characters from two character classes
N2 = 8 characters for a passphrase with enough words
N3/N4 = 8 characters from three and four character classes respectively
/etc/security/pam_pwcheck.conf
password: minlen=8 nullok md5 remember=3
minlen = the minimum number of characters in an acceptable password
nullok = normally an account is disabled if no password is set or the password has zero length; with this option such a user may still change the password
md5 = hash new passwords with MD5-based crypt instead of the traditional DES crypt (this is hashing, not encryption; MD5 crypt is better than DES crypt but weak by today's standards)
remember = remember the last N passwords and don't allow the user to reuse any of them for the next N password changes
So a valid password under the policy above should be a mix of upper and lower case letters, digits, and other characters. With min=disabled,8,8,8,8 an 8 character long password needs characters from at least 2 of these 4 classes (a single-class password is rejected at any length). An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used.
4 classes:
Upper case letters
Lower case letters
Digits
Other character
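To see how the min=N0,N1,N2,N3,N4 thresholds and the class-counting rule above combine, here is an added example that models them in Python. It is a re-implementation of the documented behaviour for illustration, not passwdqc's own code: it counts the four classes, discounts a leading upper case letter and a trailing digit, applies the passphrase rule with passwdqc's default of 3 words, and checks the length thresholds. It goes beyond the page by also running passwdqc's documented default policy (min=disabled,24,11,8,7 max=40) so the passphrase threshold N2 actually comes into play. Non-ASCII characters and passwdqc's dictionary and old-password similarity checks are not modelled; the sample passwords are constructed.

```python
"""Added example: a model of passwdqc's min=N0,N1,N2,N3,N4 / max rules.

Simplified re-implementation of the documented classification, not the
module's own code. Not modelled: non-ASCII characters, dictionary words,
similarity to the old password.
"""
import string

PAGE_POLICY = ("disabled,8,8,8,8", 25)      # the policy configured on this page
DEFAULT_POLICY = ("disabled,24,11,8,7", 40)  # passwdqc's documented defaults


def parse_min(spec):
    """Parse 'N0,N1,N2,N3,N4'; the keyword 'disabled' becomes None."""
    fields = spec.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five fields: %r" % spec)
    return tuple(None if f == "disabled" else int(f) for f in fields)


def char_classes(pw):
    """Per-class counts with the common-pattern discount applied."""
    digits = sum(c in string.digits for c in pw)
    lowers = sum(c in string.ascii_lowercase for c in pw)
    uppers = sum(c in string.ascii_uppercase for c in pw)
    others = len(pw) - digits - lowers - uppers
    # An upper case first character and a digit last character are such
    # common habits that they are not credited as extra classes.
    if uppers and pw[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and pw[-1] in string.digits:
        digits -= 1
    return {"digits": digits, "lowers": lowers, "uppers": uppers, "others": others}


def count_words(pw):
    """Words are runs of letters; anything else separates them (model assumption)."""
    return len("".join(c if c.isalpha() else " " for c in pw).split())


def check_password(pw, min_spec, max_len, passphrase_words=3):
    """Return (accepted, reason) for pw under the given min= and max= values."""
    mins = parse_min(min_spec)
    if len(pw) > max_len:
        return False, "longer than max=%d" % max_len
    counts = char_classes(pw)
    classes = sum(1 for v in counts.values() if v > 0)
    words = count_words(pw)

    def long_enough(n):
        return mins[n] is not None and len(pw) >= mins[n]

    # Try the threshold for the observed class count, then fall back to the
    # thresholds for fewer classes; the passphrase rule (N2) sits under the
    # two-class case, as the option description says.
    for n in range(classes, 0, -1):
        if n == 4 and long_enough(4):
            return True, "4 classes"
        if n == 3 and long_enough(3):
            return True, "3 classes"
        if n == 2:
            if long_enough(1):
                return True, "2 classes"
            if words >= passphrase_words and long_enough(2):
                return True, "passphrase (%d words)" % words
        if n == 1 and long_enough(0):
            return True, "1 class"
    return False, "too short for %d character class(es)" % classes


if __name__ == "__main__":
    samples = ["password", "abc123", "Password1", "Tr0ub4dor&3",
               "correct horse battery", "correct horse"]
    for label, (spec, mx) in (("page", PAGE_POLICY), ("default", DEFAULT_POLICY)):
        for pw in samples:
            print("%-8s %-24r %s" % (label, pw, check_password(pw, spec, mx)))
```

Note how Password1 fails under both policies: after the discount only lower case letters remain, so it is a one-class password and N0 is disabled, whereas Tr0ub4dor&3 still counts three classes because the digits in the middle are credited.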
Enjoy! SuSE Linux Password Policy.

October 16th, 2008 at 11:21 pm
Cool. Thanks for sharing and I will try as suggested by you.