In this article we will implement a password policy with a specific list of requirements on a CentOS/RHEL 7 Linux node. The requirements are covered under separate headings below. In RHEL/CentOS 7 we can implement the password policy using pwquality.conf; you can also continue to use system-auth and password-auth inside /etc/pam.d, but with pwquality.conf the steps to implement a password policy are comparatively simpler.

Implement Password Policy
With RHEL 7 we can implement the password policy via /etc/security/pwquality.conf, where pwquality.conf is the configuration file for the libpwquality library. It provides a way to configure the default password quality requirements for the system passwords. This file is read by the libpwquality library and by utilities that use this library for checking and generating passwords. The file has a very simple name = value format with possible comments starting with the # character. Whitespace at the beginning of a line, at the end of a line, and around the = sign is ignored.
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)
Insert the following line in /etc/pam.d/system-auth and /etc/pam.d/password-auth (after the pam_pwquality.so line):
password requisite pam_pwhistory.so remember=5 use_authtok
For more information, follow: How to prevent user from using old password (or re-using) again in Linux
Requirement 2. Password size (Minimum acceptable size for the new password).
Insert the following option in /etc/security/pwquality.conf:
minlen = 9
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password consisting of characters all of the same type, but may be too low to exploit the added security of an md5 system.
Note that Cracklib itself has two length limits: a "way too short" limit of 4 which is hard coded in, and a defined limit (6) that will be checked without reference to minlen. If it is required to allow passwords as short as 5 characters this module shouldn't be used.
Requirement 3. Set limit to number of digits in password.
Minimum number of numeric characters (dcredit=N)
(N >= 0) This is the maximum credit for having digits in the new password. If the password has N or fewer digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
dcredit = -1
Here -1 means the password must contain at least one digit.
Requirement 4. Set limit to number of Upper Case characters in password
Minimum number of upper case letters (ucredit=N)
(N >= 0) This is the maximum credit for having upper case letters in the new password. If the password has N or fewer upper case letters, each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
ucredit = -1
Here -1 means the password must contain at least one upper case letter.
Requirement 5. Set limit to number of Lower Case characters in password
Minimum number of lower case letters (lcredit=N)
(N >= 0) This is the maximum credit for having lower case letters in the new password. If the password has N or fewer lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
lcredit = 1
Here 1 is the maximum credit given for lower case characters: at most one of them counts towards minlen.
Requirement 6. Set limit to number of Other characters in password
Minimum number of non-alphanumeric characters (ocredit=N)
(N >= 0) This is the maximum credit for having other (non-alphanumeric) characters in the new password. If the password has N or fewer other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
ocredit = 1
Here 1 is the maximum credit given for other characters: at most one of them counts towards minlen.
- Credit Value > 0 : Maximum credit for having respective characters in the new password.
- Credit Value < 0 : Minimum mandatory credit required for having respective characters in the new password.
- Credit Value = 0 : No mandatory requirement for having the respective character class in the new password.
Requirement 7. Set maximum number of allowed consecutive same characters in the new password
Minimum number of required character classes in the new password (minclass=N)
Insert the following option in /etc/security/pwquality.conf:
minclass = 1
Note that minclass counts the distinct character classes (digit, upper case, lower case, other) that must appear in the password; the number of allowed consecutive identical characters is controlled by the separate maxrepeat option in pwquality.conf.
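The credit arithmetic described in Requirements 2 to 7 is easy to get wrong when reading a policy, so here is an added worked example (not code from the article or from libpwquality). It parses text in the pwquality.conf format described above and evaluates a candidate password against minlen, the four credit settings and minclass, using the semantics the article gives: a credit N >= 0 lets up to N characters of that class count +1 towards minlen, a credit N < 0 is a hard minimum. The sample configuration is constructed from the article's values; the fallback defaults are the ones the article quotes. libpwquality's other checks (dictionary, similarity to the old password, maxrepeat and so on) are deliberately not modelled here.

```python
# Constructed sample in pwquality.conf format (name = value, full-line '#'
# comments, whitespace around '=' ignored). The values are the ones the
# article sets in Requirements 2 to 8.
SAMPLE_CONF = """\
# Configuration for systemwide password quality limits
  minlen   =  9
dcredit = -1
ucredit = -1
lcredit = 1
ocredit = 1
minclass = 1
enforce_for_root
"""

INT_KEYS = ("minlen", "dcredit", "ucredit", "lcredit", "ocredit", "minclass")

# Fallbacks used when a key is absent: the defaults the article quotes
# (minlen 9, every credit 1); minclass 0 disables the class check.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "minclass": 0, "enforce_for_root": False}


def parse_pwquality(text):
    """Parse pwquality.conf-style text into a settings dict."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
        else:
            name, value = line, ""      # bare flag, e.g. enforce_for_root
        if name in INT_KEYS:
            settings[name] = int(value)
        elif name == "enforce_for_root":
            settings[name] = True
        else:
            settings[name] = value      # keep unknown keys verbatim
    return settings


def classify(password):
    """Count digits (d), upper case (u), lower case (l) and other (o) characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def check_password(password, settings):
    """Return the list of violated settings; an empty list means the
    composition rules (credits, minclass, minlen) are satisfied."""
    counts = classify(password)
    failures = []
    effective = len(password)          # minlen counts characters plus credits
    for key, cls in (("dcredit", "d"), ("ucredit", "u"),
                     ("lcredit", "l"), ("ocredit", "o")):
        credit = settings[key]
        if credit >= 0:
            # N >= 0: up to N characters of this class each add +1
            effective += min(counts[cls], credit)
        elif counts[cls] < -credit:
            # N < 0: hard minimum for this class, no credit given
            failures.append(f"{key}: need at least {-credit}, found {counts[cls]}")
    classes = sum(1 for c in counts.values() if c > 0)
    if classes < settings["minclass"]:
        failures.append(f"minclass: need {settings['minclass']} classes, found {classes}")
    if effective < settings["minlen"]:
        failures.append(f"minlen: effective length {effective} < {settings['minlen']}")
    return failures


if __name__ == "__main__":
    policy = parse_pwquality(SAMPLE_CONF)
    for candidate in ("Passw0rd", "password", "Pa5!"):
        print(candidate, check_password(candidate, policy) or "OK")
```

With the article's settings, "Passw0rd" passes the composition rules: eight characters plus one lcredit reach minlen 9, and the mandatory digit and upper case letter are present. That is worth seeing before deciding whether minlen = 9 with credits is strict enough for your environment.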
Requirement 8. Enforce password complexity for root
Insert the following option in /etc/security/pwquality.conf:
enforce_for_root
Alternatively, add enforce_for_root as an argument on the pam_pwquality.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth. Without it, a root password change that fails the checks only prints a warning and is still accepted; with it, the checks are enforced for root as well.
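Requirement 1 and Requirement 8 both live in the PAM password stack rather than in pwquality.conf, so a policy review has to read /etc/pam.d/system-auth and /etc/pam.d/password-auth as well. The following is an added audit example (not code from the article or from the PAM project): it parses PAM configuration lines, including bracketed controls such as [success=1 default=ignore], and reports whether pam_pwhistory.so is present after pam_pwquality.so with remember=5 and use_authtok, and whether enforce_for_root is set on the pam_pwquality.so line. Both sample stacks are constructed for this example; the first mirrors the RHEL 7 default password section, the second is that section after applying the two requirements. The parser does not follow include or substack directives, so run it on the file that actually contains the password lines.

```python
import re

# Constructed sample: a RHEL 7 style default password stack, before hardening.
DEFAULT_STACK = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# Constructed sample: the same stack after Requirement 1 and Requirement 8.
HARDENED_STACK = """\
#%PAM-1.0
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
password    requisite     pam_pwhistory.so remember=5 use_authtok
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# type  control-or-[bracketed control]  module  optional arguments
PAM_LINE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")


def parse_pam(text):
    """Return (type, control, module, [args]) for each effective PAM line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            continue                      # not in the four-field form
        entries.append((m["type"].lstrip("-"), m["control"],
                        m["module"], m["args"].split()))
    return entries


def audit_password_stack(text, min_remember=5):
    """Check the 'password' stack for Requirements 1 and 8; return findings."""
    findings = []
    stack = [e for e in parse_pam(text) if e[0] == "password"]
    modules = [e[2] for e in stack]

    if "pam_pwquality.so" not in modules:
        findings.append("pam_pwquality.so missing from password stack")
    else:
        quality_args = stack[modules.index("pam_pwquality.so")][3]
        if "enforce_for_root" not in quality_args:
            findings.append("enforce_for_root not set on pam_pwquality.so "
                            "(Requirement 8; acceptable only if set in pwquality.conf)")

    if "pam_pwhistory.so" not in modules:
        findings.append("pam_pwhistory.so missing: no password history enforced (Requirement 1)")
        return findings

    history_idx = modules.index("pam_pwhistory.so")
    history_args = stack[history_idx][3]
    if "pam_pwquality.so" in modules and history_idx < modules.index("pam_pwquality.so"):
        findings.append("pam_pwhistory.so should come after the pam_pwquality.so line")
    m = re.search(r"\bremember=(\d+)", " ".join(history_args))
    remember = int(m.group(1)) if m else None
    if remember is None or remember < min_remember:
        findings.append(f"remember={remember} on pam_pwhistory.so is below the required {min_remember}")
    if "use_authtok" not in history_args:
        findings.append("pam_pwhistory.so lacks use_authtok and would prompt for the password again")
    return findings


if __name__ == "__main__":
    for name, stack in (("default", DEFAULT_STACK), ("hardened", HARDENED_STACK)):
        print(name, audit_password_stack(stack) or ["no findings"])
```

Pointing the same function at the real files (open("/etc/pam.d/system-auth").read()) gives a quick post-change check that both files received the pam_pwhistory.so line and, if you chose the PAM route for Requirement 8, the enforce_for_root argument.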
Lastly, I hope the steps from this article to implement a password policy in Linux were helpful. So, let me know your suggestions and feedback using the comment section.