/etc/pam.d/login vs. /etc/pam.d/system-auth
I want to enforce password complexity on my RH system (local authentication) and have discovered that I need a PAM module line similar to this:
password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
My question is: should I be altering /etc/pam.d/login or /etc/pam.d/system-auth, and what is the difference between the two files?
Solution 1:
You want system-auth. It is a "generic" set of PAM parameters used by (typically) all services on the system. The login service is used by (unsurprisingly) the /bin/login program (which is invoked for logins to virtual consoles only). If you add that line to /etc/pam.d/login, then only password changes initiated by the login program would have the complexity requirements enforced (and, in case you're wondering, login doesn't do password changes).
Solution 2:
System-auth is for all types of login, including ssh.
login is just for the local console (NOT remote login).
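
An added example, not part of the question or either answer: a short Python sketch that follows include/substack lines in the password stack to show which services reach pam_cracklib.so depending on which file the line is placed in. The file contents and the service layout (passwd, sshd and login each including system-auth) are constructed assumptions about a typical Red Hat setup.

```python
import re

# Constructed sample files (assumed typical Red Hat layout, not from a real host).
COMPLEXITY = ("password required pam_cracklib.so "
              "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8\n")
UNIX = "password sufficient pam_unix.so use_authtok\n"
INCLUDE = "password include system-auth\n"

# Case 1: the line is added to system-auth.
IN_SYSTEM_AUTH = {"system-auth": COMPLEXITY + UNIX,
                  "passwd": INCLUDE, "sshd": INCLUDE, "login": INCLUDE}
# Case 2: the line is added to login only.
IN_LOGIN_ONLY = {"system-auth": UNIX,
                 "passwd": INCLUDE, "sshd": INCLUDE, "login": COMPLEXITY + INCLUDE}

# type, control (plain word or [bracketed] form), module or included file
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def password_modules(service, files, chain=()):
    """Modules in a service's password stack, following include/substack."""
    if service in chain or service not in files:   # cycle or missing file
        return []
    modules = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "password":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += password_modules(target, files, chain + (service,))
        else:
            modules.append(target.rsplit("/", 1)[-1])  # tolerate full module paths
    return modules

def services_enforcing(module, files):
    """Sorted names of PAM files whose password stack reaches `module`."""
    return sorted(s for s in files if module in password_modules(s, files))

if __name__ == "__main__":
    for label, files in (("system-auth", IN_SYSTEM_AUTH), ("login", IN_LOGIN_ONLY)):
        print(f"line in {label}:", services_enforcing("pam_cracklib.so", files))
```

In the second case only login reaches the module, so a password change made through passwd or sshd never passes through the complexity check.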