HPE Community
Operating System - Linux
1830256 Members
2057 Online
110000 Solutions
New Discussion

How to define password policy on Linux

 
SOLVED
Go to solution
yyghp
Super Advisor

‎05-11-2005 05:26 AM

‎05-11-2005 05:26 AM

How to define password policy on Linux

How to define the following password policy on Linux:

1. Length must be at least 6 characters
2. expire after 90 days
3. Cannot reuse previous password
4. Account is locked after 3 failed attempts. Unlocked after 15 minutes.
5. User is required to change password after first login (after servicedesk creates the account).
7. Password can not be the same as the username.

Thanks!
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

‎05-11-2005 07:34 AM

‎05-11-2005 07:34 AM

Solution

Re: How to define password policy on Linux

The default password policy for Linux requires passwords a minimum of six characters.

2 Expiration can be scripted with the passwd command.


passwd -x maxdays

3 Password re-use is not permitted although I don't know what the default depth is.

4 Account is not locked after 3 fails. This can be done by script:
strings /var/log/btmp | grep username | wc -l

If the username shows up three times issue a passwd -l and its locked.

5 Not sure this can be done. It can with hpux.

7 (6?) the crack library prevents this for regular users

Its almost all built in, though it requires some scripting.

http://www.tldp.org has some docs that can help you do this in a more integrated way.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Stuart Browne
Honored Contributor

‎05-11-2005 12:31 PM

‎05-11-2005 12:31 PM

Re: How to define password policy on Linux

SEP covered most of the points already.

I'll add this:

5. Create the user with an expired password already. First login will ask for a new password.

Most of the other bits and pieces is PAM territory. The password restrictions are all 'pam_cracklib' stuff (you should have '/usr/share/doc/pam-0.*/txts/README.pam_cracklib' on your system which documents it), and it's reasonably powerful.

One thing I have noticed though is that Linux can sometimes let a user through the password change routine upon login, but the expiration values are updated. I've only seen this in an NIS situation however.
One long-haired git at your service...
0 Kudos
Reply
Gopi Sekar
Honored Contributor

‎05-11-2005 06:23 PM

‎05-11-2005 06:23 PM

Re: How to define password policy on Linux


the requirement of length, reusing of previous password, password not of same as username can be set through PAM configuration. read the pam module document to findout how to do this.

expire can be set through passwd -x

if you are using latest SUSE distribution there is option to force the user to change password after first login. option is passwd -e

Regards,
Gopi
Never Never Never Giveup
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.