Scribd Logo
Upload

Welcome to Scribd!

  • 26 views

    How To Set Password Policy On A CentOS

    Uploaded by

    Binh Vu

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd

    How To Set Password Policy On A CentOS

    Uploaded by

    Binh Vu
    26 views4 pages

    Original Title

    How To Set Password Policy on a CentOS

    Copyright

    © © All Rights Reserved

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    26 views4 pages

    How To Set Password Policy On A CentOS

    Uploaded by

    Binh Vu

    Copyright:

    © All Rights Reserved
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    of 4

    How To Set Password Policy on a CentOS

    Password policy usually defines:


    Password Aging
    Password Length
    Password Complexity
    Number of Login Failures
    Number of Re-Used Password to Deny

    1: Configuring /etc/login.defs — Aging and Length


    PASS_MAX_DAYS - Maximum number of days a password may be used.
    PASS_MIN_DAYS - Minimum number of days allowed between password changes.
    PASS_MIN_LEN - Minimum acceptable password length.
    PASS_WARN_AGE - Number of days warning given before a password expires.
    # /etc/login.defs
    PASS_MAX_DAYS 90
    PASS_MIN_DAYS 1
    PASS_MIN_LEN 8
    PASS_WARN_AGE 5

    2: Configuring /etc/pam.d/system-auth — Complexity and Re-Used Passwords


    Force Capital Characters In Passwords - ucredit=-X, where X is the number of
    capital characters required in password
    Force Lower Case Characters In Passwords - lcredit=-X, where X is the number of
    lower case characters required in password
    Force Numbers In Passwords - dcredit=-X, where X is the number numbers required in
    password
    Force The Use Of Symbols In Passwords - ocredit=-X, where X is the number of
    symbols required in password
    Deny Re-Used Passwords - remember=X, where X is the number of past passwords to
    deny
    # /etc/pam.d/system-auth-ac
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth required pam_faillock.so preauth silent audit deny=5
    unlock_time=1800
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=1800
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth required pam_deny.so

    account required pam_unix.so


    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account required pam_permit.so
    account required pam_faillock.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3


    authtok_type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    use_authtok remember=3
    password required pam_deny.so

    session optional pam_keyinit.so revoke


    session required pam_limits.so
    -session optional pam_systemd.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
    use_uid
    session required pam_unix.so

    3: Configuring /etc/pam.d/password-auth — Login Failures


    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth required pam_faillock.so preauth silent audit deny=5
    unlock_time=1800
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=1800
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth required pam_deny.so

    account required pam_unix.so


    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account required pam_permit.so
    account required pam_faillock.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3


    authtok_type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass
    use_authtok remember=3
    password required pam_deny.so

    session optional pam_keyinit.so revoke


    session required pam_limits.so
    -session optional pam_systemd.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
    use_uid
    session required pam_unix.so

    ================================CentOS6============================================
    Step 1: Configuring /etc/login.defs — Aging and Length
    Password aging controls and password length are defined in /etc/login.defs file.
    Password aging refers to the maximum number of days password may be used, minimum
    number of days allowed between password changes,
    and number of warning days before the password expires. Password length refers to
    the number of characters needed to have for the password
    to be allowed. To configure password aging controls and password length, edit
    /etc/login.defs file and set PASS values according to your company
    password policy.
    The password aging controls and password length do not affect existing users, they
    only affect newly created users!
    PASS_MAX_DAYS - Maximum number of days a password may be used.
    PASS_MIN_DAYS - Minimum number of days allowed between password changes.
    PASS_MIN_LEN - Minimum acceptable password length.
    PASS_WARN_AGE - Number of days warning given before a password expires.

    Example configuration file /etc/login.defs:


    # Password aging controls:
    #
    # PASS_MAX_DAYS Maximum number of days a password may be used.
    # PASS_MIN_DAYS Minimum number of days allowed between password changes.
    # PASS_MIN_LEN Minimum acceptable password length.
    # PASS_WARN_AGE Number of days warning given before a password expires.
    #
    PASS_MAX_DAYS 90
    PASS_MIN_DAYS 2
    PASS_MIN_LEN 9
    PASS_WARN_AGE 14

    Step 2: Configuring /etc/pam.d/system-auth — Complexity and Re-Used Passwords


    By editing /etc/pam.d/system-auth configuration file, we can configure the password
    complexity and number of re-used passwords to deny.
    Password complexity refers to the complexity of the characters used in the password
    and number of re-used passwords to deny refers to
    denying the desired number of passwords the user used in the past. By setting
    password complexity, we can force a user to use the desired
    number of capital characters, lower case characters, numbers and symbols in a
    password. If the password complexity standards are not satisfied,
    the password will not be accepted by the system.

    Force Capital Characters In Passwords - ucredit=-X, where X is the number of


    capital characters required in password
    Force Lower Case Characters In Passwords - lcredit=-X, where X is the number of
    lower case characters required in password
    Force Numbers In Passwords - dcredit=-X, where X is the number numbers required in
    password
    Force The Use Of Symbols In Passwords - ocredit=-X, where X is the number of
    symbols required in password
    Deny Re-Used Passwords - remember=X, where X is the number of past passwords to
    deny

    Example configuration file /etc/pam.d/system-auth:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-2
    ucredit=-2 lcredit=-2 ocredit=-2
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    remember=5
    password required pam_deny.so

    session optional pam_keyinit.so revoke


    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    Step 3: Configuring /etc/pam.d/password-auth — Login Failures


    The number of login failures is set in /etc/pam.d/password-auth file. Number of
    login failures refers to the number of failed logins
    a user can make before his account is locked out. When the account is locked out, a
    system administrator can unlock the account.
    To configure the number of login failures, two new lines need to be added to
    /etc/pam.d/password-auth file. The parameter "deny=X"
    (where X is the number of login failures) configures the number of login failures
    permitted before the account is locked.

    Example configuration file /etc/pam.d/system-auth:


    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth required pam_tally2.so deny=3
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    account required pam_unix.so
    account required pam_tally2.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

    You might also like