CentOS 5
Sponsored Link

Set Password Policy2010/05/05

  Set Password Policy to let users Comply rules.

[1] Set number of days for password Expiration. Users must change their password within the days.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -M (days) (user)".
[root@dlp ~]#
vi /etc/login.defs


# line 17: set 60 for Password Expiration

PASS_MAX_DAYS
60
[2] Set Minimum number of days available of password.
Users must use their password at least this days after changing it.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -m (days) (user)".
[root@dlp ~]#
vi /etc/login.defs


# line 18: set 2 for Minimum number of days available

PASS_MIN_DAYS
2
[3] Set number of days for warnings before expiration.
This setting impact only when creating a user, not impact to exisiting users.
If set to exisiting users, run the command "chage -W (days) (user)".
[root@dlp ~]#
vi /etc/login.defs


# line 20: set 7 for number of days for warnings

PASS_WARN_AGE
7
[4] Limit using password that was used in past.
Users can not set the same password within the generation.
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 14: prohibit to use the same password for 5 generation in past

password
sufficient
pam_unix.so md5 shadow nullok try_first_pass use_authtok \

 
remember=5
[5] Set minimum password length.
Users can not set thier password length less than set this parameter. ( minlen=N )
This setting linkages to other settings, so it need to set other settings like below.
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 13: set 8 for minimum password length

password
requisite
pam_cracklib.so try_first_pass retry=3 \

 
minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0
[6] In addition to the setting above, Set dcredit that forces users to include numbers in their password. ( dcredit=-N )
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 13: require to include 2 numbers in users password

password
requisite
pam_cracklib.so try_first_pass retry=3 \

 
minlen=8 dcredit=-2 ucredit=0 lcredit=0 ocredit=0
[7] In addition to the setting above, Set ucredit that forces users to include Capital characters in their password. ( ucredit=-N )
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 13: require to include 1 capital character

password
requisite
pam_cracklib.so try_first_pass retry=3 \

 
minlen=8 dcredit=-2 ucredit=-1 lcredit=0 ocredit=0
[8] In addition to the setting above, Set lcredit that forces users to include Lower cases in their password. ( lcredit=-N )
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 13: require to include 1 Lower case

password
requisite
pam_cracklib.so try_first_pass retry=3 \

 
minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=0
[9] In addition to the setting above, Set ocredit that forces users to include Symbols in their password. ( ocredit=-N )
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line 13: require to include 1 Symbol

password
requisite
pam_cracklib.so try_first_pass retry=3 \

 
minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1
[10] Set difok that forces more than N words in password before change are different from the one after change. ( difok=N )
[root@dlp ~]#
vi /etc/pam.d/system-auth


# near line: require at least 3 words are different from before change

password
requisite
pam_cracklib.so try_first_pass retry=3
difok=3
[11] Set number of login failure. Users' account will be locked after failing to login without a break.
[root ~]#
vi /etc/pam.d/system-auth
# add like below

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth
required
pam_env.so

auth
required
pam_tally2.so deny=5

auth
sufficient
pam_fprintd.so

auth
sufficient
pam_unix.so nullok try_first_pass

auth
requisite
pam_succeed_if.so uid >= 500 quiet

auth
required
pam_deny.so
account
required
pam_unix.so

account
required
pam_tally2.so

account
sufficient
pam_localuser.so

account
sufficient
pam_succeed_if.so uid < 500 quiet

account
required
pam_permit.so
# make sure the number of failure of login about a user

[root ~]#
pam_tally2 -u cent

Login
Failures
Latest failure
From

cent
7
02/23/11 13:10:26
tty1
# unlock a user

[root ~]#
pam_tally2 -r -u cent

Matched Content