Pwquality : Set Password Rules2021/03/08 |
|
Set Password Rules with [pam_pwquality] module.
[pam_pwquality] is installed by default on RHEL 8/CentOS Stream 8 even minimum installation, but if it has not been installed, run [# dnf install libpwquality] to install it.
|
|
| [1] | Set number of days for password Expiration. Users must change their password within the days. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -M (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 39 : set password Expiration days (example below means 60 days) PASS_MAX_DAYS 60
|
| [2] | Set minimum number of days available of password. Users must use their password at least this days after changing it. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -m (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 40 : minimum number of days available (example below means 1 day) PASS_MIN_DAYS 1
|
| [3] | Set number of days for warnings before expiration. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -W (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 42 : set number of days for warnings (example below means 7 day) PASS_WARN_AGE 7
|
| [4] | Limit using a password that was used in past. Users can not set the same password within the generation. |
|
[root@dlp ~]#
vi /etc/pam.d/system-auth # line 21 : add [remember=*] (example below means 5 gen)
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
|
| [5] | Set minimum password length. Users can not set thier password length less than this parameter. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 11 : uncomment and set minimum length (example below means 8 char) minlen = 8
|
| [6] | Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others) |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 34 : uncomment and set parameter (example below means 2 kinds) minclass = 2
|
| [7] | Set maximum number of allowed consecutive same characters in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 38 : uncomment and set parameter (example below means 2 char) maxrepeat = 2
|
| [8] | Set maximum number of allowed consecutive characters of the same class in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 43 : uncomment and set parameter (example below means 4 kinds) maxclassrepeat = 4
|
| [9] | Require at least one lowercase character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 25 : uncomment and set parameter (example below means 1 char) lcredit = -1
|
| [10] | Require at least one uppercase character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 20 : uncomment and set parameter (example below means 1 char) ucredit = -1
|
| [11] | Require at least one digit in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 15 : uncomment and set parameter (example below means 1 char) dcredit = -1
|
| [12] | Require at least one other character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 30 : uncomment and set parameter (example below means 1 char) ocredit = -1
|
| [13] | Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb') |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # add to the end (example below means 2 characters are allowed but more than 3 characters are not allowed)
maxsequence = 2
|
| [14] | Set number of characters in the new password that must not be present in the old password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 6 : uncomment and set parameter (example below means 5 char) difok = 5
|
| [15] | Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 47 : uncomment and change to enabled gecoscheck = 1
|
| [16] | Set space separated list of words that must not be contained in the password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # add to the end
badwords = denywords1 denywords2 denywords3
|
| Sponsored Link |