Set Password Rules2013/05/29 |
|
Set Password Policy to let users Comply rules.
|
|
| [1] | Install cracklib module first. |
|
root@dlp:~# aptitude -y install libpam-cracklib
|
| [2] | Set number of days for password Expiration. Users must change their password within the days. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -M (days) (user)". |
|
root@dlp:~#
vi /etc/login.defs # line 155: set 60 for Password Expiration PASS_MAX_DAYS 60
|
| [3] | Set Minimum number of days available of password. Users must use their password at least this days after changing it. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -m (days) (user)". |
|
root@dlp:~#
vi /etc/login.defs # line 156: set 2 for Minimum number of days available PASS_MIN_DAYS 2
|
| [4] | Set number of days for warnings before expiration. This setting impact only when creating a user, not impact to exisiting users. If set to exisiting users, run the command "chage -W (days) (user)". |
|
root@dlp:~#
vi /etc/login.defs # line 157: set 7 for number of days for warnings PASS_WARN_AGE 7
|
| [5] | Limit using a password that was used in past. Users can not set the same password within the generation. |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 26: prohibit to use the same password for 5 generation in past password [success=1 default=ignore] pam_unix.so obscure sha512 \
remember=5
|
| [6] | Set minimum password length. Users can not set thier password length less than set this parameter. ( minlen=N ) This setting linkages to other settings, so it need to set other settings like below. |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 25: set 8 for minimum password length password requisite pam_cracklib.so retry=3 \
minlen=8
|
| [7] | Set dcredit that forces users to include numbers in their password. ( dcredit=-N ) |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 25: require to include 2 numbers in users password password requisite pam_cracklib.so retry=3 minlen=8 \
dcredit=-2 ucredit=0 lcredit=0 ocredit=0
|
| [8] | Set ucredit that forces users to include Capital characters in their password. ( ucredit=-N ) |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 25: require to include 1 capital character password requisite pam_cracklib.so retry=3 minlen=8 \
dcredit=-2 ucredit=-1 lcredit=0 ocredit=0
|
| [9] | Set lcredit that forces users to include Lower cases in their password. ( lcredit=-N ) |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 25: require to include 1 Lower case password requisite pam_cracklib.so retry=3 minlen=8 \
minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=0
|
| [10] | Set ocredit that forces users to include Symbols in their password. ( ocredit=-N ) |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 25: require to include 1 Symbol password requisite pam_cracklib.so retry=3 minlen=8 \
dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1
|
| [11] | Set difok that forces more than N words in password before change are different from the one after change. ( difok=N ) |
|
root@dlp:~#
vi /etc/pam.d/common-password # near line 215: require at least 3 words are different from before change password requisite pam_cracklib.so retry=3 minlen=8 \
dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
|
| [12] | Set number of login failure. Users' account will be locked after failing to login without a break. |
|
root@dlp:~#
vi /etc/pam.d/common-auth # near line 15: add follwos (this example sets login failure for 5 times. ( deny=5 ) ) auth required pam_tally2.so deny=2
root@dlp:~#
vi /etc/pam.d/common-account # near line 15: add follwos account required pam_tally2.so # make sure the number of failure of login about a user root@dlp:~# pam_tally2 -u fedora Login Failures Latest failure From fedora 3 05/30/13 15:44:30 # unlock a locked user root@dlp:~# pam_tally2 -r -u fedora |