Set Password Rules2019/08/26 |
|
Set Password Rules for security reasons.
|
|
| [1] | Install password quality checking library. |
|
root@dlp:~# apt -y install libpam-pwquality
|
| [2] | Set number of days for password Expiration. Users must change their password within the days. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -M (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 160: set 60 for Password Expiration PASS_MAX_DAYS 60
|
| [3] | Set minimum number of days available of password. Users must use their password at least this days after changing it. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -m (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 161: set 2 for Minimum number of days available PASS_MIN_DAYS 1
|
| [4] | Set number of days for warnings before expiration. This setting impacts only when creating a user, not impacts to exisiting users. If set to exisiting users, run the command [chage -W (days) (user)]. |
|
root@dlp:~#
vi /etc/login.defs # line 162: set 7 for number of days for warnings PASS_WARN_AGE 7
|
| [5] | Limit using a password that was used in past. Users can not set the same password within the generation. |
|
root@dlp:~#
vi /etc/pam.d/common-password # line 26: prohibit to use the same password for 5 generation in past
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
|
| [6] | Set minimum password length. Users can not set thier password length less than this parameter. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 11: uncomment and set minimum password length minlen = 8
|
| [7] | Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others) |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 34: uncomment and set minimum number of required classes of characters minclass = 3
|
| [8] | Set maximum number of allowed consecutive same characters in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 38: uncomment and set maximum number of allowed consecutive same characters maxrepeat = 2
|
| [9] | Set maximum number of allowed consecutive characters of the same class in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 43: uncomment and set maximum number of allowed consecutive characters of the same class maxclassrepeat = 4
|
| [10] | Require at least one lowercase character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 25: uncomment and set minimum lowercase character lcredit = -1
|
| [11] | Require at least one uppercase character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 20: uncomment and set minimum uppercase character ucredit = -1
|
| [12] | Require at least one digit in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 15: uncomment and set minimum digit character dcredit = -1
|
| [13] | Require at least one other character in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 30: uncomment and set minimum other special character ocredit = -1
|
| [14] | Set maximum length of monotonic character sequences in the new password. (ex ⇒ '12345', 'fedcb') |
|
root@dlp:~#
vi /etc/security/pwquality.conf # add to the end
maxsequence = 3
|
| [15] | Set number of characters in the new password that must not be present in the old password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 6: uncomment and set number of characters difok = 5
|
| [16] | Check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # line 47: uncomment and enable it gecoscheck = 1
|
| [17] | Set Ssace separated list of words that must not be contained in the password. |
|
root@dlp:~#
vi /etc/security/pwquality.conf # add to the end
badwords = denywords1 denywords2 denywords3
|
| [18] | Set hash/crypt algorithm for new passwords. (default is sha512) |
|
root@dlp:~#
vi /etc/pam.d/common-password # line 26: hnage algorithm to sha512
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
|