Implementing Password Policy in Linux

Pluggable Authentication Modules (PAM) is the common framework for authentication on Linux systems, and it is also where password policy is enforced: the modules stacked in the PAM configuration decide what a new password must look like and what happens after failed logins.

Simple Password Creation Requirement Using pam_cracklib

The pam_cracklib.so module checks the strength of a new password. It performs simple checks such as the length of the password, the mix of character classes (e.g. alphabetic, numeric, other) and more.
The options used are:
try_first_pass – retrieves the password from a previous stacked PAM module; if none is available, the user is prompted for a password.
retry=3 – allow 3 tries before returning a failure.
minlen=9 – the password must be 9 characters or more.
dcredit=-1 – require at least one digit.
ucredit=-1 – require at least one uppercase character.
ocredit=-1 – require at least one special character.
lcredit=-1 – require at least one lowercase character.

Solution
Open /etc/pam.d/system-auth and add the following:
password required pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

Strong Password Creation Policy Parameters Using pam_passwdqc

The pam_passwdqc.so module is used to enforce a more complex password policy on Linux.

password requisite pam_passwdqc.so min=N0,N1,N2,N3,N4
where
N0 – passwords consisting of one character class only (e.g. digits, lower case, upper case, other characters)
N1 – passwords consisting of two character classes
N2 – passphrases. A passphrase must contain a sufficient number of words (the default is 3; it can be changed by setting passphrase=N, where N is the number of words)
N3 – passwords consisting of three character classes
N4 – passwords consisting of four character classes

Solution
Open /etc/pam.d/system-auth and add the following:
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
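An added example (not from the original page or from the PAM project) that models both policy lines above, the pam_cracklib line with negative credits and the pam_passwdqc min=disabled,disabled,16,12,8 line, as plain Python so a candidate password can be checked against them offline. It is a simplified approximation: the real modules also run dictionary and old-password similarity checks, and passwdqc has exceptions in how it counts classes; the sample passwords are constructed.

```python
import re

# Character classes as both modules count them: digit, lower, upper, other.
CLASS_PATTERNS = (r"[0-9]", r"[a-z]", r"[A-Z]", r"[^0-9a-zA-Z]")


def class_count(pw: str) -> int:
    """Number of distinct character classes present in pw."""
    return sum(1 for pat in CLASS_PATTERNS if re.search(pat, pw))


# Page's pam_cracklib line: minlen=9 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1.
# With negative credits each class is a hard requirement and minlen is a
# plain minimum length (no credit is earned for using more classes).
CRACKLIB_MINLEN = 9


def cracklib_ok(pw: str) -> bool:
    """Approximation of the page's pam_cracklib policy (no dictionary check)."""
    return len(pw) >= CRACKLIB_MINLEN and class_count(pw) == 4


# Page's pam_passwdqc line: min=disabled,disabled,16,12,8
# Index N0..N4 = 1 class, 2 classes, passphrase, 3 classes, 4 classes.
PASSWDQC_MIN = ("disabled", "disabled", 16, 12, 8)
PASSPHRASE_WORDS = 3  # passwdqc default, changed with passphrase=N


def passwdqc_ok(pw: str, policy=PASSWDQC_MIN) -> bool:
    """Simplified model of passwdqc's min= rule: accept if the password meets
    the minimum length for its class count, or qualifies as a passphrase of
    enough words and meets N2. A 'disabled' slot never accepts."""
    def meets(n) -> bool:
        return isinstance(n, int) and len(pw) >= n

    by_classes = {1: policy[0], 2: policy[1], 3: policy[3], 4: policy[4]}
    if meets(by_classes.get(class_count(pw))):
        return True
    # Approximation of passwdqc's word count: runs of letters split by anything else.
    words = [w for w in re.split(r"[^A-Za-z]+", pw) if w]
    return len(words) >= PASSPHRASE_WORDS and meets(policy[2])


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for cand in ("Tr0ub4dor&3", "troubador1!", "correct horse battery staple",
                 "Abcdefghijkl1", "abcdefghijklmnop"):
        print(f"{cand!r:34} cracklib={cracklib_ok(cand)!s:5} "
              f"passwdqc={passwdqc_ok(cand)}")
```

Note how the two policies disagree on the passphrase: pam_cracklib rejects it for lacking digits and uppercase, while pam_passwdqc accepts it through the N2 slot.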

Lockout Policy for Failed Password Attempts

User IDs should be locked out after n unsuccessful consecutive login attempts.

Solution
Open /etc/pam.d/system-auth and add the following:
auth required pam_tally2.so deny=3 onerr=fail

Limit Password Reuse

Forcing users not to reuse their last 5 passwords makes it harder for an attacker to guess the password.

Solution
Open /etc/pam.d/system-auth and add the following:
password sufficient pam_unix.so <existing options> remember=5
