Pwquality : Set Password Rules2022/06/28 |
|
Set Password Rules with [pam_pwquality] module.
[pam_pwquality] is installed by default on RHEL 9/CentOS Stream 9 even minimum installation,
but if it has not been installed, run [# dnf install libpwquality] to install it. |
|
| [1] | Set number of days for password Expiration. Users must change their password within the days. This setting impacts only when creating a user, not impacts to existing users. If set to existing users, run the command [chage -M (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 131 : set password Expiration days (example below means 60 days) PASS_MAX_DAYS 60
|
| [2] | Set minimum number of days available of password. Users must use their password at least this days after changing it. This setting impacts only when creating a user, not impacts to existing users. If set to existing users, run the command [chage -m (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 132 : minimum number of days available (example below means 1 day) PASS_MIN_DAYS 1
|
| [3] | Set number of days for warnings before expiration. This setting impacts only when creating a user, not impacts to existing users. If set to existing users, run the command [chage -W (days) (user)]. |
|
[root@dlp ~]#
vi /etc/login.defs # line 133 : set number of days for warnings (example below means 7 day) PASS_WARN_AGE 7
|
| [4] | Limit using a password that was used in past. Users can not set the same password within the generation. |
|
# create a custom policy [root@dlp ~]# authselect current Profile ID: sssd Enabled features: - with-fingerprint - with-silent-lastlog[root@dlp ~]# authselect create-profile password-policy -b sssd [root@dlp ~]# authselect select custom/password-policy [root@dlp ~]# authselect current Profile ID: custom/password-policy Enabled features: None
[root@dlp ~]#
authselect apply-changes
[root@dlp ~]#
vi /etc/authselect/custom/password-policy/system-auth # insert the line under the [pam_pwquality.so] line in [password] section
password requisite pam_pwquality.so local_users_only
password requisite pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
# insert the same line in [password-auth] file [root@dlp ~]# vi /etc/authselect/custom/password-policy/password-auth
password requisite pam_pwquality.so local_users_only
password requisite pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
[root@dlp ~]# authselect apply-changes
|
| [5] | Set minimum password length. Users can not set thier password length less than this parameter. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 11 : uncomment and set minimum length (example below means 8 char) minlen = 8
|
| [6] | Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others) |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 34 : uncomment and set parameter (example below means 2 kinds) minclass = 2
|
| [7] | Set maximum number of allowed consecutive same characters in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 38 : uncomment and set parameter (example below means 2 char) maxrepeat = 2
|
| [8] | Set maximum number of allowed consecutive characters of the same class in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 43 : uncomment and set parameter (example below means 4 kinds) maxclassrepeat = 4
|
| [9] | Require at least one lowercase character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 25 : uncomment and set parameter (example below means 1 char) lcredit = -1
|
| [10] | Require at least one uppercase character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 20 : uncomment and set parameter (example below means 1 char) ucredit = -1
|
| [11] | Require at least one digit in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 15 : uncomment and set parameter (example below means 1 char) dcredit = -1
|
| [12] | Require at least one other character in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 30 : uncomment and set parameter (example below means 1 char) ocredit = -1
|
| [13] | Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb') |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # add to the end (example below means 2 characters are allowed but more than 3 characters are not allowed)
maxsequence = 2
|
| [14] | Set number of characters in the new password that must not be present in the old password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 6 : uncomment and set parameter (example below means 5 char) difok = 5
|
| [15] | Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # line 47 : uncomment and change to enabled gecoscheck = 1
|
| [16] | Set space separated list of words that must not be contained in the password. |
|
[root@dlp ~]#
vi /etc/security/pwquality.conf # add to the end
badwords = denywords1 denywords2 denywords3
|
| Sponsored Link |