3.24.2011

Forcing Password Complexity in Red Hat

I recently had to enforce password complexity rules on our servers and had a tough time finding any solid information on the best way to accomplish this task. After some searching I found a piece of information here and there. I am posting this as a complete how-to; hopefully someone will find it useful. This article outlines how to force password complexity for all normal users on Red Hat Enterprise Linux 4 (RHEL 4), Red Hat Enterprise Linux 5 (RHEL 5) and Red Hat Enterprise Linux 6 (RHEL 6) systems, using the pam_cracklib module that all three ship with.

John Moderates wrote in to say I should make it known that this tutorial will also work for people running the following operating systems (and probably a few others as well):
CentOS 4
CentOS 5
CentOS 6 (when released, will be the same as RHEL 6)
Fedora 8
Fedora 9
Fedora 10
Fedora 11
Fedora 12
Fedora 13
Fedora 14

What is password complexity?
Password complexity is a set of rules which define what classes of characters (upper case, lower case, digits, other symbols) must appear in a password, how many of each, and how long the password must be overall.

What is a strong password?
For the most part this can be a very debatable discussion. Common thinking is that a strong password is comprised of AT LEAST 14 characters containing AT LEAST 1 upper case alphabetic character, 1 lower case alphabetic character, 1 digit, and 1 special character. Passwords should also not be based on a dictionary word; pam_cracklib checks this against its dictionary regardless of the options set below.

Why force password complexity?
Left to their own devices most users will create a password they can remember easily. Unfortunately this usually means they will create a password that is also easily guessed by someone else. I have heard of people even using the word "password" or "letmein". This poses real security concerns for a system and for user data. Below are the simple steps needed to set the password complexity on RHEL 4, RHEL 5 and RHEL 6 systems. In my opinion this small edit will go a long way in securing your system and your data.

ALWAYS BACK UP YOUR FILE FIRST!
Create a backup of the existing file:
cp /etc/pam.d/system-auth /root/system-auth

Note that on RHEL 5 and RHEL 6, /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates; a later run of authconfig (or system-config-authentication) will overwrite a direct edit, so re-check the line afterwards. On RHEL 6, sshd and other network services use /etc/pam.d/password-auth instead, which carries its own pam_cracklib line; apply the same edit there so a password change forced at an SSH login is checked too.

Edit the file /etc/pam.d/system-auth with your favorite editor (vim, nano, etc.)

Look for the line containing the pam_cracklib module like below:
In RHEL 5 and RHEL 6 it looks like this:
password requisite pam_cracklib.so try_first_pass

In RHEL 4 it looks like this:
password requisite /lib/security/$ISA/pam_cracklib.so

We need to edit this line of the file and add the options we would like to enforce.

To enforce the password complexity that we spoke about in the beginning of this article we will change the line to:
In RHEL 5 and RHEL 6:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

In RHEL 4:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=14 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1

After changing the file, save it and you're done. Two things to keep in mind: pam_cracklib only enforces these rules on ordinary users changing their own password; root (for example, an administrator running passwd for another user) is shown "BAD PASSWORD" but the change still goes through. Also, existing passwords are not re-checked, so if you have existing users on your system and want to make sure they meet the new requirements, force them to change their password at the next login. To do this we lock the user account, expire the password, and unlock the user account. Here are the simple steps to accomplish this.

(replace johndoe with the user on your system)

Lock the account:
usermod -L johndoe

Expire their current password:
chage -d 0 johndoe

Unlock the account:
usermod -U johndoe

Check the status of their password:
chage -l johndoe

Example output of chage -l if done correctly:

# chage -l johndoe
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
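The whole procedure above, as an added example that is not part of the original post: a bash script that rewrites the pam_cracklib line in a PAM file with the options from this article (keeping a backup and working whether the line is the RHEL 5/6 form or the RHEL 4 /lib/security/$ISA/ form), verifies the result, and runs the lock / expire / unlock sequence for every normal user. It assumes GNU sed, one pam_cracklib.so line per file, and that normal users are those with UID >= 500 (the RHEL 4/5/6 default UID_MIN), excluding nfsnobody (65534) and accounts with a nologin or false shell. The APPLY_CRACKLIB variable, the function names and the .bak naming are this example's own choices, not anything from the distribution.

```bash
#!/bin/bash
# Added example, not code from the original post. Applies the pam_cracklib
# options used in this article to a PAM file, keeps a backup, and forces the
# password change for normal users. Assumptions: GNU sed; the PAM file has one
# pam_cracklib.so line; normal users have UID >= UID_MIN (500 on RHEL 4/5/6),
# are not nfsnobody (65534) and have a real login shell. Needs root to touch
# /etc/pam.d or run chage/usermod; set APPLY_CRACKLIB=1 to actually do that.

CRACKLIB_OPTS="retry=3 minlen=14 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1"

# apply_cracklib_opts FILE
# Rewrites the pam_cracklib line in FILE: whatever precedes the module
# (control flag, RHEL 4's /lib/security/$ISA/ prefix, try_first_pass) is
# kept, any old retry/minlen/*credit values are removed, then our options
# are appended. Safe to rerun. Returns 1 if FILE has no pam_cracklib line.
apply_cracklib_opts() {
    local f=$1 opt script=""
    grep -q 'pam_cracklib\.so' "$f" || return 1
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    for opt in retry minlen ucredit dcredit ocredit lcredit; do
        script="${script}s/[[:space:]]*${opt}=[-0-9]*//g;"
    done
    script="${script}s/[[:space:]]*\$/ ${CRACKLIB_OPTS}/"
    sed -i "/pam_cracklib\.so/{${script};}" "$f"
}

# cracklib_opts_ok FILE  -> 0 only when the pam_cracklib line carries every option
cracklib_opts_ok() {
    local line opt
    line=$(grep 'pam_cracklib\.so' "$1") || return 1
    for opt in $CRACKLIB_OPTS; do
        case " $line " in *" $opt "*) ;; *) return 1 ;; esac
    done
}

# list_normal_users [PASSWD_FILE] [UID_MIN]  -> one login name per line
list_normal_users() {
    awk -F: -v min="${2:-500}" \
        '$3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# force_change USER: the post's lock / expire / unlock sequence
force_change() {
    usermod -L "$1" && chage -d 0 "$1" && usermod -U "$1"
}

if [ "${APPLY_CRACKLIB:-0}" = 1 ]; then
    # system-auth covers passwd; password-auth (RHEL 6) covers sshd and friends
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        [ -f "$f" ] && apply_cracklib_opts "$f" && cracklib_opts_ok "$f" \
            && echo "updated $f"
    done
    list_normal_users | while read -r u; do
        force_change "$u" && chage -l "$u" | head -1
    done
fi
```

One side effect worth knowing: GNU sed -i writes a new file in place of the old one, so on RHEL 5/6 the system-auth symlink becomes a regular file (add --follow-symlinks to keep the link). That actually stops authconfig from silently undoing the edit, but it is a change to the layout that a later administrator may not expect.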

Below is a list of the options I chose to use for my password requirements. For the full list of options see the pam_cracklib(8) manual page.

retry=N
Prompt user at most N times before returning with error. The default is 1.

minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password consisting of a single type of character but may be too low to exploit the added security of MD5 (or stronger) password hashes. Note that there is a pair of length limits in cracklib itself: a "way too short" limit of 4 which is hard-coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module. With the four credit options set to -1 as above, no credits apply, so minlen=14 means 14 actual characters.

reject_username
Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected.

dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be present in a new password; no credit is given.

lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have N or fewer lower case letters, each letter counts +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be present in a new password; no credit is given.

ocredit=N
(N >= 0) This is the maximum credit for having other characters (anything that is not a letter or digit) in the new password. If you have N or fewer other characters, each character counts +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be present in a new password; no credit is given.

ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have N or fewer upper case letters, each letter counts +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be present in a new password; no credit is given.
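The minlen and credit arithmetic above is easy to misread, so here is an added example, not from the original post and not pam_cracklib's own code: a small bash reimplementation of just the length-and-credit check, following the rules the option descriptions give (positive credit: up to N characters of that class add +1 each to the length; negative credit: at least -N characters of that class are mandatory and add nothing). It lets you try a candidate password against a minlen/credit combination before putting it in system-auth. It assumes ASCII passwords, counts "other" as anything that is not a letter or digit, and deliberately leaves out the dictionary, palindrome and similarity checks pam_cracklib also performs, so a password it accepts can still be rejected by the real module.

```bash
#!/bin/bash
# Added example, not code from the original post or from pam_cracklib.
# Reimplements only the minlen/credit arithmetic so you can see what a
# given setting will accept. Assumes ASCII; no dictionary checks.

# count_class STRING CLASS  -> number of characters in STRING of the given
# tr character class (upper, lower, digit)
count_class() {
    printf '%s' "$1" | tr -dc "[:$2:]" | wc -c | tr -d ' '
}

# cracklib_ok PASSWORD MINLEN UCREDIT LCREDIT DCREDIT OCREDIT
# Returns 0 if the length check would pass, 1 otherwise.
cracklib_ok() {
    local pw=$1 minlen=$2 len size n credit cls spec
    len=${#pw}
    size=$len
    set -- "$3:upper" "$4:lower" "$5:digit" "$6:other"
    for spec in "$@"; do
        credit=${spec%%:*}
        cls=${spec#*:}
        if [ "$cls" = other ]; then
            # "other" is whatever is left after letters and digits
            n=$(( len - $(count_class "$pw" upper) \
                      - $(count_class "$pw" lower) \
                      - $(count_class "$pw" digit) ))
        else
            n=$(count_class "$pw" "$cls")
        fi
        if [ "$credit" -ge 0 ]; then
            # positive credit: bonus length, capped at the credit value
            if [ "$n" -lt "$credit" ]; then
                size=$((size + n))
            else
                size=$((size + credit))
            fi
        elif [ "$n" -lt $(( -credit )) ]; then
            # negative credit: the class is mandatory, no bonus
            return 1
        fi
    done
    [ "$size" -ge "$minlen" ]
}

# Demo: the article's settings versus the pam_cracklib defaults.
# Candidate passwords are constructed for this example.
for candidate in 'Correct-Horse-B4ttery' 'Tr0ub4dor&3' 'correcthorsebattery1'; do
    if cracklib_ok "$candidate" 14 -1 -1 -1 -1; then
        echo "minlen=14, all credits -1: '$candidate' accepted"
    else
        echo "minlen=14, all credits -1: '$candidate' rejected"
    fi
done
if cracklib_ok 'Passw0rd!' 13 1 1 1 1; then
    echo "default credits, minlen=13: 'Passw0rd!' accepted (9 chars + 4 credits)"
fi
```

The last case shows why the article sets every credit to -1: with the defaults a 9-character password counts as 13, and an 8-character all-lowercase password counts as 9, which is exactly the default minlen.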

2 comments:

  1. Great help - thanks for posting this.
  2. Great post. Thank you for taking time to share this info.... SOX rocks... not!