User management is one of the important task of Linux system administration.There are many aspect involved in this and implementing the strong password policy is one among them.
Navigate to the following URL, if you would like to generate a strong password on Linux.
It will Restrict unauthorized access to systems.
By default Linux is secure that everybody know. however, we need to make necessary tweak on this to make it more secure.
Insecure password will leads to breach security. So, take additional care on this.
Navigate to the following URL, if you would like to see the password strength and score of the generated strong password.
In this article, we will show you how to implement the best security policy on Linux.
We can use PAM (the “pluggable authentication module”) to enforce password policy on most Linux systems.
The file can be found in the following location.
- Redhat based systems @
/etc/pam.d/system-auth - Debian based systems @
/etc/pam.d/common-password.
The default password aging details can be found in the /etc/login.defs file.
I have trimmed this file for better understanding.
# vi /etc/login.defs PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7
Details:
PASS_MAX_DAYS:Maximum number of days a password may be used.PASS_MIN_DAYS:Minimum number of days allowed between password changes.PASS_MIN_LEN:Minimum acceptable password length.PASS_WARN_AGE:Number of days warning given before a password expires.
We will show you, how to implement the below eleven password policies in Linux.
- Password Max days
- Password Min days
- Password warning days
- Password history or Deny Re-Used Passwords
- Password minimum length
- Minimum upper case characters
- Minimum lower case characters
- Minimum digits in password
- Minimum other characters (Symbols)
- Account lock – retries
- Account unlock time
What Is Password Max days?
This parameter limits the maximum number of days a password can be used. It’s mandatory for user to change his/her account password before expiry.
If they forget to change, they are not allowed to login into the system. They need to work with admin team to get rid of it.
It can be set in /etc/login.defs file. Here I’m going to set it for 90 days.
# vi /etc/login.defs PASS_MAX_DAYS 90
What Is Password Min days?
This parameter limits the minimum number of days after password can be changed.
Say for example, if this parameter is set to 15 and user changed password today. Then he won’t be able to change the password again before 15 days from now.
It can be set in /etc/login.defs file. Here I’m going to set it for15 days.
# vi /etc/login.defs PASS_MIN_DAYS 15
What Is Password Warning Days?
This parameter controls the password warning days and it will warn the user when the password is going to expires.
A warning will be given to the user regularly until the warning days ends. This helps user to change their password before expiry. Otherwise we need to work with admin team for unlock the password.
It can be set in /etc/login.defs file. Here I’m going to set it for10 days.
# vi /etc/login.defs PASS_WARN_AGE 10
Note: All the above parameters are applicable only for new accounts and not for existing accounts.
What Is Password History Or Deny Re-Used Passwords?
This parameter keep controls of the password history. Keep history of passwords used (the number of previous passwords which cannot be reused).
When the users try to set a new password, it will check the password history and warn the user when they use the same old password.
It can be set in /etc/pam.d/system-auth file. Here I’m going to set it as 5 for history of password.
# vi /etc/pam.d/system-auth
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
What Is Password Minimum Length?
This parameter keeps the minimum password length condition. When the users set a new password, it will check against this parameter and warn the user if they try to set the password length less than that.
It can be set in /etc/pam.d/system-auth file. Here I’m going to set it for12 character for minimum password length.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12
try_first_pass retry=3 : Allow users to set a good password before the passwd command aborts.
Set Minimum Upper Case Characters?
This parameter keeps, how many minimum upper case characters should be added in the password. These are password strengthening parameters ,which increase the password strength.
When the users set a new password, it will check against this parameter and warn the user if they are not including any upper case characters in the password.
It can be set in /etc/pam.d/system-auth file.Here I’m going to set it for 1 character for minimum password length.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 ucredit=-1
Set Minimum Lower Case Characters?
This parameter keeps, how many lower case characters should be added in the password. These are password strengthening parameters ,which increase the password strength.
When the users set a new password, it will check against this parameter and warn the user if they are not including any lower case characters in the password.
It can be set in /etc/pam.d/system-auth file.Here I’m going to set it for 1 character.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-1
Set Minimum Digits In Password?
This parameter keeps, how many digits should be added in the password. These are password strengthening parameters ,which increase the password strength.
When the users set a new password, it will check against this parameter and warn the user if they are not including any digits in the password.
It can be set in /etc/pam.d/system-auth file. Here I’m going to set it for1 character.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 dcredit=-1
Set Minimum Other Characters (Symbols) In Password?
This parameter keeps, how many special characters should be added in the password. These are password strengthening parameters ,which increase the password strength.
When the users set a new password, it will check against this parameter and warn the user if they are not including any Symbol in the password.
It can be set in /etc/pam.d/system-auth file. Here I’m going to set it for1 character.
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 ocredit=-1
Set Account Lock?
This parameter controls users failed attempts. It locks user account after reaches the given number of failed login attempts.
It can be set in /etc/pam.d/system-auth file.
# vi /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail audit silent deny=5
account required pam_tally2.so
Set Account Unlock Time?
This parameter keeps users unlock time. If the user account is locked after consecutive failed authentications.
It’s unlock the locked user account after reaches the given time. Sets the time (900 seconds = 15 minutes) for which the account should remain locked.
It can be set in /etc/pam.d/system-auth file.
# vi /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
account required pam_tally2.so
