Set a Good Password Policy On SuSE Linux

Sometimes setting a good password policy is not easy and you may receive many complaint from end user especially non-IT related users. Normally they like password = password = abc123 as easy as possible.

Personally I don’t like pam_cracklib and I would preferred pam_passwdqc.

The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the ”password” feature.

Here you go: SuSE Linux Password Policy.

Operating System: SLES 9
Required RPM: pam-modules, pwdutils, openssh and coreutils

/etc/pam.d/passwd
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     per_user deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so

/etc/pam.d/sshd

auth     required   pam_listfile.so  item=user sense=deny file=/etc/login.deny
auth     required   pam_tally.so     onerr=fail no_magic_root
auth     required   pam_unix2.so
auth     required   pam_nologin.so
auth     required   pam_env.so
account  required   pam_unix2.so
account  required   pam_nologin.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/login

auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
auth     required   pam_tally.so     onerr=fail no_magic_root
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/su

auth     sufficient pam_rootok.so
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so deny=5 no_magic_root reset
password required   pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok
  min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok use_first_pass use_authtok
session  required   pam_unix2.so    debug

Read more

Possibly Related Posts:


September 19, 2008 · Filed Under How's To, Open Source, Tips

6 Comments 

Planet Malaysia
  • Follow us on Twitter


    • web www.planetmy.com