How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?
Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.
For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.
A PAM is installed and running by default in CentOS, Fedora, and EulerOS.
Setting a Password Complexity Policy
A proper password complexity policy requires a minimum password length of eight characters and at least three of the following four character types: uppercase letters, lowercase letters, digits, and special characters.
The preceding settings are basic security requirements. For further security options, run the following commands to view the help information of the module in your Linux OS:
- For CentOS, Fedora, and EulerOS based on Red Hat 7.0, run:
man pam_pwquality
- For other Linux OSs, run:
man pam_cracklib
- CentOS, Fedora, and EulerOS
- Run the following command to edit the /etc/pam.d/system-auth file:
vi /etc/pam.d/system-auth
- Find the following information in the file:
- For CentOS, Fedora, and EulerOS based on Red Hat 7.0:
password requisite pam_pwquality.so try_first_pass retry=3 type=
- For other CentOS, Fedora, and EulerOS systems:
password requisite pam_cracklib.so try_first_pass retry=3 type=
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=
Note: At least three of dcredit, ucredit, lcredit, and ocredit must be set to negative numbers.
Table 1 Parameter description

| Parameter | Description | Example |
| --- | --- | --- |
| minlen | Minimum length of a password. A PAM counts credits by default, so minlen is the required minimum length plus one. For example, to require at least eight characters, set minlen to 9. | minlen=9 |
| dcredit | Number of digits. A negative value -N requires at least N digits in the password. A positive value sets no requirement. | dcredit=-1 |
| ucredit | Number of uppercase letters. A negative value -N requires at least N uppercase letters in the password. A positive value sets no requirement. | ucredit=-1 |
| lcredit | Number of lowercase letters. A negative value -N requires at least N lowercase letters in the password. A positive value sets no requirement. | lcredit=-1 |
| ocredit | Number of special characters. A negative value -N requires at least N special characters in the password. A positive value sets no requirement. | ocredit=-1 |
- Debian and Ubuntu
- Run the following command to edit the /etc/pam.d/common-password file:
vi /etc/pam.d/common-password
- Find the following information in the file:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
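As an added example (not part of the original page or of pam_cracklib itself), the following Python parses a pam.d line like the ones in both procedures above, re-implements the minlen/credit arithmetic that pam_cracklib documents, and flags a line that sets fewer than three credits negative. The configuration line is the one from the example; the candidate passwords passed to it are constructed.

```python
import re

# Constructed sample: the pam_cracklib line from the example above, not read from a live system.
PAM_LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 "
            "minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=")
CREDIT_KEYS = ("dcredit", "ucredit", "lcredit", "ocredit")


def parse_pam_line(line):
    """Split a pam.d line into (module, options); numeric option values become ints."""
    fields = line.split()
    module, opts = fields[2], {}
    for tok in fields[3:]:
        key, _, val = tok.partition("=")
        opts[key] = int(val) if re.fullmatch(r"-?\d+", val) else val
    return module, opts


def count_classes(password):
    """Count digits, uppercase, lowercase and other characters, keyed by credit name."""
    counts = dict.fromkeys(CREDIT_KEYS, 0)
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def meets_policy(password, opts):
    """Re-implementation of pam_cracklib's minlen/credit rule (module defaults: minlen=9, credit=1).
    A negative credit -N requires at least N characters of that class and gives no credit;
    a non-negative credit adds up to that many characters of the class to the effective length."""
    size = opts.get("minlen", 9)
    for key, n in count_classes(password).items():
        credit = opts.get(key, 1)
        if credit >= 0:
            size -= min(n, credit)
        elif n < -credit:
            return False  # fewer than the required number of this class
    return len(password) >= size


def policy_warnings(opts):
    """Flag a line that ignores the note above: fewer than three of the four credits negative."""
    negative = [k for k in CREDIT_KEYS if opts.get(k, 1) < 0]
    return [] if len(negative) >= 3 else [f"only {len(negative)} credit parameter(s) set negative"]
```

Running meets_policy over a few candidates before editing the live file shows which passwords the configured line will reject and why, which is easier than discovering it at the next passwd prompt.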