topic Re: Change password policy in Operating System - Linux

Change password policy

nash11 — Tue, 01 Aug 2006 01:16:14 GMT

When I force the user to change the password , the user will prompt the message (BAD PASSWORD: it is based on a dictionary word) , I understand this is a security reason to probit simple password , but if I want to disable this restriction ( that means the linux system allow any dictionary word ) , what can I do ? thx.

Re: Change password policy

Vitaly Karasik_1 — Tue, 01 Aug 2006 01:45:00 GMT

just comment (or remove) line with "pam_cracklib" from /etc/pam.d/system-auth

Re: Change password policy

nash11 — Tue, 01 Aug 2006 03:55:30 GMT

thx Vitaly Karasik

If remove this line , the system will allow any kind of password that means all insecure password eg. too short , too simple , similiar password are allowed , if I only want to disable the restriction (BAD PASSWORD: it is based on a dictionary word) , what can I do ? thx

Re: Change password policy

Steven E. Protter — Tue, 01 Aug 2006 14:16:12 GMT

Shalom nash,

crack uses dictionary words in many languages as part of its method of cracking passwords.

By making the configuration change the dictionary word warning should stop happening.

Its a bad idea to do this and might make you fail a SOX audit.

SEP

Re: Change password policy

nash11 — Tue, 01 Aug 2006 21:24:05 GMT

thx reply ,

I would like to have one more requirement , the default password length is at least 7 characters, if I want to change the default setting , that the system accept the password length is 6 characters , what can i do ? thx

Re: Change password policy

Vitaly Karasik_1 — Wed, 02 Aug 2006 04:05:32 GMT

you can change it in /etc/login.defs

Re: Change password policy

peterchu — Wed, 02 Aug 2006 06:01:44 GMT

thx reply,

I check the setting is "5" now , I think it is default value , but I found that the current Minimum acceptable password length is 7 , what is wrong ? and if change the file "/etc/login.defs" , do I need to restart any service ? thx.

Re: Change password policy

peterchu — Wed, 02 Aug 2006 07:14:18 GMT

thx reply ,

the password length is Ok now , thx for help.

I would like to ask again , now my system accept the numerics only or characters only password , for example , the password can be 741852 ( all numerics ) or poiuyt ( all characters ) , if I want to control the password MUST have BOTH characters AND numerics , what can I do ? thx

Re: Change password policy

George Liu_4 — Wed, 02 Aug 2006 11:14:27 GMT

I think you should write the pam modules by yourself

Re: Change password policy

Ryan Goh — Fri, 04 Aug 2006 07:04:15 GMT

Password Length, Complexity and Password Space :
Uset the PAM pam_cracklib.so module. Access a sample /etc/pam.d/system-auth file here. As a privileged user, modify the pam_cracklib.so parameters in the sample file to implement the system password policy. Relevant parameters are:
minlen: Establishes a minimum acceptable length for user generated passwords. Works in conjunction with the *credit parameters.
difok: Establishes the minimum number of characters by which a new password must differ from the previous password.
lcredit, ucredit, dcredit, and ocredit (lower, upper, digit, other character classes, respectively): Establishes the number of "credits" in a new password for a particular character class, which can be used to modify the minimum required password length for sufficiently "complex" user selections, or to implement password complexity rules. *credit has a default value of 1, which works to reduce the minimum length requirement (minlen) by 1 character for each character class the user chooses in a new password. Thus, by default, if minlen = 8, users can get away with, say, 6 character passwords if they choose characters from 3 out of 4 of the character sets. Setting *credit values to 0 disables the reduction of minlen . Setting minlen < 0 establishes the minimum number of characters from the particular character class that must appear in the new password

Re: Change password policy

Ryan Goh — Fri, 04 Aug 2006 07:19:15 GMT

For more information on password policy for linux, I think this is a good link, http://nisswg.hawaii.edu/Public/Procedures/Config/RedHat/RedHat-config.html

Re: Change password policy

Ryan Goh — Fri, 04 Aug 2006 23:14:41 GMT

Modify the line with pam_cracklib.so in /etc/pam.d/system-auth file as "password required /lib/security/pam_cracklib.so retry=3 minlen=6". The path for pam_cracklib.so might be different.

There are four predefined control flags you can use:
required â The module result must be successful for authentication to continue. If a required module result fails, the user is not notified until results on all modules referencing that interface are completed.

requisite â The module result must be successful for authentication to continue. However, if a requisite module result fails, the user is notified immediately with a message reflecting the first failed required or requisite module.

sufficient â The module result is ignored if it fails. But, if a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service.

optional â The module result is ignored if it fails. If the module result is successful, it does not play a role in the overall success or failure for the module interface. A module flagged as optional becomes necessary for successful authentication when there are no other modules referencing that interface. In this case, an optional module determines the overall PAM authentication for that interface.

Re: Change password policy

Vitaly Karasik_1 — Sun, 06 Aug 2006 01:10:04 GMT

nash11, please remember about assigning points!