/etc/pam.d/login vs. /etc/pam.d/system-auth

I want to enforce password complexity on my RH system (local authentication) and have discovered that I need a pam module line something similar to this:

password  required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8

My question is: should I be altering /etc/pam.d/login or /etc/pam.d/system-auth, and what is the difference between the two files?


Solution 1:

You want system-auth. It is a "generic" set of PAM parameters used by (typically) all services on the system. The login service is used by (unsurprisingly) the /bin/login program (which is invoked for logins to virtual consoles only). If you add that line to /etc/pam.d/login, then only password changes initiated by the login program would have the complexity requirements enforced (and, in case you're wondering, login doesn't do password changes).
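To make the "generic stack" point concrete, here is an added example (not part of the original question or answers) that builds a constructed, throwaway copy of a few RHEL-style /etc/pam.d files in a temp directory and then shows which service stacks pull in system-auth via include/substack, and what password rule each service ends up with. The sample file contents are constructed to mirror the layout described above, so the exact lines on a real host will differ; on current RHEL releases the cracklib module has been replaced by pam_pwquality.so and system-auth is generated by authconfig/authselect, which can overwrite manual edits, so the helpers below accept either module name. Point PAMDIR at a real /etc/pam.d (read-only) to audit a live system.

```sh
#!/bin/sh
# Added example, not code from the original post. Constructs sample pam.d
# files in a temp dir and inspects how system-auth is shared between services.

PAMDIR=$(mktemp -d)

# Constructed sample service files (assumption: modelled on a RHEL layout;
# real files vary by release and by authconfig/authselect profile).
cat > "$PAMDIR/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
cat > "$PAMDIR/login" <<'EOF'
auth       required     pam_securetty.so
auth       include      system-auth
password   include      system-auth
EOF
cat > "$PAMDIR/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       include      system-auth
password   include      system-auth
EOF
cat > "$PAMDIR/passwd" <<'EOF'
password   include      system-auth
EOF

# Print (space-separated, sorted) the service files whose password stack
# includes the named stack file. $1 = pam.d directory, $2 = stack name.
services_including() {
    grep -l -E "^password[[:space:]]+(include|substack)[[:space:]]+$2([[:space:]]|$)" "$1"/* \
        | xargs -n1 basename | sort | tr '\n' ' ' | sed 's/ $//'
}

# Print the effective cracklib/pwquality password rule for a service, following
# one level of include/substack (enough for the layout above; deeper nesting
# would need recursion). $1 = pam.d directory, $2 = service name.
password_rule_for() {
    f="$1/$2"
    rule_re='^password[[:space:]]+[a-z]+[[:space:]]+pam_(cracklib|pwquality)\.so'
    line=$(grep -E "$rule_re" "$f" || true)
    if [ -z "$line" ]; then
        for inc in $(awk '$1=="password" && ($2=="include" || $2=="substack") {print $3}' "$f"); do
            line=$(grep -E "$rule_re" "$1/$inc" || true)
            if [ -n "$line" ]; then break; fi
        done
    fi
    echo "$line"
}

# Print the value of a key=value option from a rule line (empty if absent).
# $1 = rule line, $2 = option name (e.g. minlen).
option_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

echo "Services whose password stack includes system-auth: $(services_including "$PAMDIR" system-auth)"
echo "Effective minlen for sshd:  $(option_value "$(password_rule_for "$PAMDIR" sshd)" minlen)"
echo "Effective minlen for login: $(option_value "$(password_rule_for "$PAMDIR" login)" minlen)"
```

Because login, sshd and passwd all reach the same password rule only through system-auth, a complexity line placed there applies everywhere, while one placed in login alone would never be consulted by passwd or sshd.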

Solution 2:

System-auth is for all types of login, including ssh.

login is just for the local console (NOT remote login).