
Redhat - Amending password policy

wurzul
Frequent Advisor

Redhat - Amending password policy

Hi

I have a need to view / change the password policy on a number of Redhat (Red Hat Enterprise Linux ES release 4) boxes. I need to be able to enforce the following for each server using a script:

1. Minimum password 7 chars,
2. At least two alphabetic chars in password,
3. At least one numeric char in password,
4. Old password use must be prevented.
5. Non privileged accounts passwords to be changed every 90 days
6. Shared privileged accounts (root) passwords to be changed every 30 days
7. Minimum Five / Recommended three unsuccessful login attempts.

Could anybody point me in the direction of tools to do this using native Red Hat software, i.e. avoiding 3rd parties?

Thanks
5 REPLIES
Steven E. Protter
Exalted Contributor

Re: Redhat - Amending password policy

Shalom,

I think you can do it all native.

vi /etc/login.defs

http://www.puschitz.com/SecuringLinux.shtml#EnablingPasswordAging

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
wurzul
Frequent Advisor

Re: Redhat - Amending password policy

Thanks for replying. I've had a search round the interweb and found posts stating that 'login' now does not look to /etc/login.defs for params. I did find the below, which states PAM may be able to do what I'm asking. I'll do some testing and post back.

Thanks again.

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Ivan Ferreira
Honored Contributor

Re: Redhat - Amending password policy

Yes, you must use pam_cracklib, for example, add to /etc/pam.d/system-auth

password required pam_cracklib.so retry=3 minlen=11 difok=3 lcredit=0 ucredit=1 dcredit=1 ocredit=1
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
wurzul
Frequent Advisor

Re: Redhat - Amending password policy

Hi, I've set up a test environment to play with PAM. Below is my edited /etc/pam.d/system-auth file. It doesn't seem to work. I've tested using passwd, i.e. passwd root, and the system allows me to use passwords with less than 7 chars. Can anybody suggest anything?

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=7
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Karthikeyan.j
Frequent Advisor

Re: Redhat - Amending password policy

Hi wurzul

These PAM restrictions don't apply for root, or when the passwd cmd is run from root for a different user.

Try logging in with the user and try changing the passwd.

Karthik
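
Added example, not part of any post in this thread: a Python model of how pam_cracklib combines minlen with the per-class credits, run against the two option lines posted above and a third, constructed line that uses negative credits. The function names are hypothetical, the defaults (minlen=9, each credit 1) are assumed from the pam_cracklib documentation, and only the length and credit rules are modelled.

```python
import re

# Defaults assumed from the pam_cracklib documentation: minlen=9 and a
# credit of 1 for every character class.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}


def parse_options(pam_line):
    """Pull the length/credit options out of a pam_cracklib line."""
    opts = dict(DEFAULTS)
    for key, value in re.findall(r"\b(\w+)=(-?\d+)", pam_line):
        if key in opts:
            opts[key] = int(value)
    return opts


def length_check(password, opts):
    """Length and credit rules only; dictionary and difok tests are not modelled."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    needed = opts["minlen"]
    for name, count in counts.items():
        credit = opts[name]
        if credit >= 0:
            # Positive credit: each character of this class, up to the
            # limit, lowers the required length by one.
            needed -= min(count, credit)
        elif count < -credit:
            # Negative credit: a hard minimum for this class, no discount.
            return False, "%s=%d not met" % (name, credit)
    if len(password) < needed:
        return False, "too short: %d < %d" % (len(password), needed)
    return True, "ok"


if __name__ == "__main__":
    lines = [
        "pam_cracklib.so retry=3 minlen=7",  # from wurzul's system-auth
        "pam_cracklib.so retry=3 minlen=11 difok=3 lcredit=0 ucredit=1 dcredit=1 ocredit=1",  # from Ivan's reply
        "pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=0 lcredit=0 ocredit=0",  # constructed
    ]
    for line in lines:
        for pw in ("aB3!", "abcdefg", "abcdef7"):  # constructed sample passwords
            print(parse_options(line), pw, length_check(pw, parse_options(line)))
```

Under the modelled rules, minlen=7 with default credits accepts the four-character aB3! and the digit-free abcdefg, while the constructed line with dcredit=-1 and the other credits set to 0 requires seven characters including a digit.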