Implementing Password Policy in Linux

Pluggable Authentication Modules (PAM) is a common framework for authentication and security. On Linux systems, password policy is implemented through PAM.

Simple Password Creation Requirement Using pam_cracklib

The module checks the strength of passwords. It performs simple checks such as the length of the password, the mix of characters (e.g. alphabetic, numeric, other) and more.
The options are:
try_first_pass – retrieves the password from a previously stacked PAM module. If none is available, the user is prompted for a password.
retry=3 – Allow 3 tries before sending back a failure.
minlen=9 – password must be 9 characters or more
dcredit=-1 – provide at least 1 digit
ucredit=-1 – provide at least one uppercase character
ocredit=-1 – provide at least one special character
lcredit=-1 – provide at least one lowercase character

Open /etc/pam.d/system-auth and add the following:
password required pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
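
To verify that a deployed file really carries these settings, the following added example (not from the original page) parses PAM text and reports pam_cracklib lines that miss the length or character-class requirements listed above, including options joined with commas, which PAM does not split. The function names and the sample line are constructed for illustration.

```python
# Added example: audit PAM text against the pam_cracklib settings above.
# Thresholds come from this page; all names here are hypothetical.
MIN_LENGTH = 9
CREDITS = ("dcredit", "ucredit", "ocredit", "lcredit")
# Constructed sample: one password line with comma-joined options.
SAMPLE = "password required pam_cracklib.so retry=3 minlen=9,dcredit=-1 ucredit=-1\n"

def check_options(opts):
    """Compare parsed options with the length and character-class rules."""
    problems = []
    for key in ("minlen",) + CREDITS:
        try:
            value = int(opts[key])
        except KeyError:
            problems.append(f"{key} is not set as its own argument")
            continue
        except ValueError:
            problems.append(f"{key}={opts[key]} is not an integer")
            continue
        if key == "minlen" and value < MIN_LENGTH:
            problems.append(f"minlen={value} is below {MIN_LENGTH}")
        elif key != "minlen" and value > -1:
            # Only a negative credit makes the character class mandatory.
            problems.append(f"{key}={value} does not require that class")
    return problems

def audit_cracklib(pam_text):
    """Return a list of findings; an empty list means the policy is met."""
    findings, seen = [], False
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        # Simple control keywords only; bracketed [value=action] is not handled.
        if len(fields) < 3 or fields[0] != "password" \
                or not fields[2].endswith("pam_cracklib.so"):
            continue
        seen, opts = True, {}
        for tok in fields[3:]:
            if "," in tok:
                # PAM separates module arguments by whitespace: one argument.
                findings.append(f"line {lineno}: '{tok}' joins options with commas")
                continue
            key, _, val = tok.partition("=")
            opts[key] = val
        findings += [f"line {lineno}: {m}" for m in check_options(opts)]
    if not seen:
        findings.append("no pam_cracklib.so line in the password stack")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_cracklib(SAMPLE)))
```

An empty result means every pam_cracklib line found meets the length and character-class settings; run it over the contents of /etc/pam.d/system-auth after editing.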

Strong Password Creation Policy Parameters Using pam_passwdqc

The module is used to enforce a complex password policy in Linux.

password requisite pam_passwdqc.so min=N0,N1,N2,N3,N4
N0 – passwords consisting of one character class only (e.g. digits, lower case, upper case, other characters)
N1 – passwords consisting of two character classes
N2 – passphrases. Note that a passphrase must contain a sufficient number of words (the default is 3; it can be changed by setting passphrase=N, where N is the number of words)
N3 – passwords consisting of three character classes
N4 – passwords consisting of four character classes

Open /etc/pam.d/system-auth and add the following:
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8

Lockout Policy for Failed Password Attempts

User IDs should be locked out after n consecutive unsuccessful login attempts.

Open /etc/pam.d/system-auth and add the following:
auth required deny=3 onerr=fail

Limit Password Reuse

Forcing users not to reuse their last 5 passwords helps prevent an attacker from guessing the password.

Open /etc/pam.d/system-auth and add the following:
password sufficient <existing options> remember=5

