Enforcing that passwords contain a certain mixture of characters on Red Hat Linux or CentOS

Solution 1:

From the NSA securing RedHat Linux Guide:

2.3.3.1 Set Password Quality Requirements

The default pam_cracklib PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. The pam_passwdqc PAM module provides the ability to enforce even more stringent password strength requirements. It is provided in an RPM of the same name. The man pages pam_cracklib(8) and pam_passwdqc(8) provide information on the capabilities and configuration of each. If password strength stronger than that guaranteed by pam_cracklib is required, configure PAM to use pam_passwdqc.

To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:

 password  requisite     pam_cracklib.so try_first_pass retry=3

and then replace it with the line:

 password  requisite    pam_passwdqc.so min=disabled,disabled,16,12,8

If necessary, modify the arguments (min=disabled,disabled,16,12,8) to ensure compliance with your organization’s security policy. Configuration options are described in the man page pam_passwdqc(8) and also in /usr/share/doc/pam_passwdqc-version. The minimum lengths provided here supersede that specified by the argument PASS_MIN_LEN as described in Section 2.3.1.7. The options given in the example above set a minimum length for each of the password “classes” that pam_passwdqc recognizes. Setting a particular minimum value to disabled will stop users from choosing a password that falls into that category alone.

The NSA Guide to Securing RedHat

Be careful when you make edits to files in /etc/pam.d!
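An added example, not part of the answer above or of the NSA guide: a small Python check that reads the password section of a PAM file, reports which quality module is active, and decodes min= into the five classes. The class descriptions and the non-increasing rule follow pam_passwdqc(8); the function names and the sample file are constructed for illustration.

```python
import re

# Position meanings of min=N0,N1,N2,N3,N4, per pam_passwdqc(8).
CLASSES = [
    "one character class only",
    "two character classes (not a passphrase)",
    "passphrase",
    "three character classes",
    "four character classes",
]
LINE = re.compile(r"^\s*-?password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_min(value):
    """Map a min= value to {class: minimum length, or None when disabled}."""
    parts = value.split(",")
    if len(parts) != len(CLASSES):
        raise ValueError("min= needs exactly 5 comma-separated fields")
    lengths = [None if p == "disabled" else int(p) for p in parts]
    # passwdqc requires each number to be no larger than the preceding one.
    nums = [n for n in lengths if n is not None]
    if any(later > earlier for earlier, later in zip(nums, nums[1:])):
        raise ValueError("min= lengths must not increase from left to right")
    return dict(zip(CLASSES, lengths))

def audit_password_stack(pam_text):
    """Return (module, policy) for the first password-quality module found."""
    for raw in pam_text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop comments first
        if not m:
            continue
        module, args = m.group(1), m.group(2).split()
        if "pam_cracklib" in module:
            return "pam_cracklib", None
        if "pam_passwdqc" in module:
            mins = [a[4:] for a in args if a.startswith("min=")]
            return "pam_passwdqc", (parse_min(mins[0]) if mins else None)
    return None, None

# Constructed sample: password section of system-auth after the edit above.
SAMPLE = """\
# constructed sample, not a real host's file
password  requisite    pam_passwdqc.so min=disabled,disabled,16,12,8
password  sufficient   pam_unix.so sha512 shadow use_authtok
password  required     pam_deny.so
"""

if __name__ == "__main__":
    module, policy = audit_password_stack(SAMPLE)
    print(module, policy)
```

Running it against a copy of the edited file before installing it catches a malformed min= value while a root session is still open to fix it.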

Solution 2:

You should find the needed information here.