topic Re: Redhat - Amending password policy in Operating System - Linux

Redhat - Amending password policy

wurzul — Wed, 20 Aug 2008 13:34:32 GMT

Hi

I have a need to view / change the password policy on a number of Redhat (Red Hat Enterprise Linux ES release 4) boxes. I need to be able to enforce the following for each server using a script:

1. Minimum password 7 chars,
2. At least two alphabetic chars in password,
3. At lease one numeric char in password,
4. Old password use must be prevented.
5. Non priviledged accounts passwords to be changed every 90 days
6. Shared priviledged accounts (root) passwords to be changed every 30 days
7. Minimum Five / Recommended three unsuccessful login attempts.

Could anybody point me in the direction of tools to do this using native redhat software. ie avoiding 3rd parties ?

Thanks

Re: Redhat - Amending password policy

Steven E. Protter — Wed, 20 Aug 2008 13:39:38 GMT

Shalom,

I think you can do it all native.

vi /etc/login.defs

http://www.puschitz.com/SecuringLinux.shtml#EnablingPasswordAging

SEP

Re: Redhat - Amending password policy

wurzul — Wed, 20 Aug 2008 14:28:30 GMT

Thanks for replying. I've had a search round the interweb and found posts stating that 'login' now does not look to /etc/login.defs for params. I did find the below which states pam maybe able to do what I'm asking. I'll do some testing and post back.

Thanks again.

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Re: Redhat - Amending password policy

Ivan Ferreira — Wed, 20 Aug 2008 17:55:54 GMT

Yes, you must use pam_cracklib, for example, add to /etc/pam.d/system-auth

password required pam_cracklib.so retry=3 minlen=11 difok=3 lcredit=0 ucredit=1
dcredit=1 ocredit=1

Re: Redhat - Amending password policy

wurzul — Fri, 05 Sep 2008 12:11:31 GMT

Hi, I've setup a test environment to play with PAM. Below is my edited /etc/pam.d/system-auth file. It doesn't seem to work. I've tested using passwd, ie passwd root and the system allows me to use passwords with less then 7 chars. Can anybody suggest anything ?

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=7
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Re: Redhat - Amending password policy

Karthikeyan.j — Sat, 06 Sep 2008 05:10:48 GMT

Hi wurzul

This pam restrictions doesnt apply for root and when passwd cmd is run from root for difernet user.

Try Loggin in with the user and try changing the passwd

Karthik