Set Password Rules2020/09/07 |
|
Set Password Rules with [pam_pwquality] module.
|
|
| [1] | Install password quality checking library. |
|
root@dlp:~# apt -y install libpam-pwquality
|
| [2] | Set number of days for password Expiration. Users must change their password within the days. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -M (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 160: set password Expiration days (example below means 60 days) PASS_MAX_DAYS 60
|
| [3] | Set minimum number of days available of password. Users must use their password at least this days after changing it. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -m (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 161: minimum number of days available (example below means 1 day) PASS_MIN_DAYS 1
|
| [4] | Set number of days for warnings before expiration. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -W (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 162: set number of days for warnings (example below means 7 day) PASS_WARN_AGE 7
|
| [5] | Limit using a password that was used in past. Users can not set the same password within the generation. |
|
root@dlp:~#
vi /etc/pam.d/common-password # line 26: add [remember=*] (example below means 5 gen)
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
|
| [6] | Set minimum password length. Users can not set thier password length less than this parameter. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 11: uncomment and set minimum length (example below means 8 char) minlen = 8
|
| [7] | Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others) |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 34: uncomment and set parameter (example below means 2 kinds) minclass = 2
|
| [8] | Set maximum number of allowed consecutive same characters in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 38: uncomment and set parameter (example below means 2 char) maxrepeat = 2
|
| [9] | Set maximum number of allowed consecutive characters of the same class in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 43: uncomment and set parameter (example below means 4 kinds) maxclassrepeat = 4
|
| [10] | Require at least one lowercase character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 25: uncomment and set parameter (example below means 1 char) lcredit = -1
|
| [11] | Require at least one uppercase character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 20: uncomment and set parameter (example below means 1 char) ucredit = -1
|
| [12] | Require at least one digit in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 15: uncomment and set parameter (example below means 1 char) dcredit = -1
|
| [13] | Require at least one other character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 30: uncomment and set parameter (example below means 1 char) ocredit = -1
|
| [14] | Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb') |
|
root@dlp:~#
vi /etc/security/pwquality.conf # add to the end (example below means 2 characters are allowed but more than 3 characters are not allowed)
maxsequence = 2
|
| [15] | Set number of characters in the new password that must not be present in the old password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 6: uncomment and set parameter (example below means 5 char) difok = 5
|
| [16] | Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 47: uncomment and change to enabled gecoscheck = 1
|
| [17] | Set space separated list of words that must not be contained in the password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # add to the end
badwords = denywords1 denywords2 denywords3
|