How to enforce password complexity in Redhat?

I googled and found a few links about it like these:
Forcing Password Complexity in Red Hat
How to enforce password complexity on Linux

It says that we need to make changes in /etc/pam.d/system-auth file. I have set parameters for forcing password complexity and then tried to create a new user, but the rules set by me (like minimum number of characters and minimum number of uppercase letters and minimum number of numbers required) didn't prohibit me from creating the password which didn't follow these rules.

Please help me and let me know how to achieve this.


Solution 1:

minlen=8 ucredit=1 dcredit=1 ocredit=0 lcredit=0

I'm guessing that you want your passwords to be at least 8 characters, contain at least 1 uppercase character and 1 digit. If so, that is NOT what you have configured.

For that you should use: minlen=8 ucredit=-1 dcredit=-1.

Explanation: the minlen algorithm uses "credits" to determine the length value. Suppose you had a 6 character password. minlength would be no less than 6. Then, without using any of the credit values, you would get 1 "credit" for using lowercase characters, 1 credit for using uppercase characters and so on. Thus, a password of Hello! is 6 characters, +1 for using uppercase, +1 for using lowercase, +1 for using special characters for a total minlen value of 9.

Specifying ucredit=1 dcredit=1 ocredit=0 lcredit=0, with the same password gives a length of 6, +1 for using uppercase, 0 for using lowercase and 0 for using special characters, for a length of 7. It does not FORCE you to use uppercase characters.

If you use a negative number for the credits, that requires you to have at least that many, and does NOT use credits.

So minlen=8 ucredit=-1 dcredit=-1 ocredit=0 lcredit=0 will then require the password to be at least 8 characters long, contain at least 1 uppercase character and 1 digit. Thus a password of helloboy is 8 characters, but will fail. Hellob0y will pass. He$$ob0y will also pass.
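To make the credit arithmetic from this answer checkable offline, here is an added example (it is not part of the original answer and not the PAM module's source): a small Python model of the pam_cracklib credit rule the answer describes. A non-negative credit lets a character class add at most that many characters to the effective length; a negative credit adds nothing but makes at least that many characters of the class mandatory. The keyword names (ucredit, lcredit, dcredit, ocredit, minlen) mirror the PAM option names, and the sample passwords are the ones from the answer. pam_pwquality, which replaced pam_cracklib on newer Red Hat releases, documents the same credit semantics for these options.

```python
import string

# Added example: a model of the pam_cracklib "credit" length rule described in
# the answer. It is not the PAM module's source; it reproduces the documented
# arithmetic so the effect of a given option line can be checked offline.

# pam_cracklib defaults: every class may contribute at most one credit.
DEFAULT_CREDITS = {"ucredit": 1, "lcredit": 1, "dcredit": 1, "ocredit": 1}

# Character classes keyed by the option that governs them (ASCII, like ctype).
CLASSES = {
    "ucredit": set(string.ascii_uppercase),
    "lcredit": set(string.ascii_lowercase),
    "dcredit": set(string.digits),
}


def classify(password):
    """Count characters per class; anything outside upper/lower/digit is 'other'."""
    counts = {"ucredit": 0, "lcredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        for cls, chars in CLASSES.items():
            if ch in chars:
                counts[cls] += 1
                break
        else:
            counts["ocredit"] += 1
    return counts


def effective_length(password, **credits):
    """Return (effective_length, classes_below_minimum).

    credit >= 0: the class adds min(count, credit) to the effective length.
    credit <  0: the class adds nothing, but at least -credit such characters
                 are mandatory; any class that falls short is reported.
    """
    opts = dict(DEFAULT_CREDITS, **credits)
    counts = classify(password)
    length = len(password)
    short = []
    for cls, credit in opts.items():
        n = counts[cls]
        if credit >= 0:
            length += min(n, credit)
        elif n < -credit:
            short.append(cls)
    return length, short


def check_password(password, minlen, **credits):
    """True if the password meets minlen and every negative-credit minimum."""
    length, short = effective_length(password, **credits)
    return not short and length >= minlen


if __name__ == "__main__":
    asked = dict(ucredit=1, dcredit=1, ocredit=0, lcredit=0)    # the question's line
    fixed = dict(ucredit=-1, dcredit=-1, ocredit=0, lcredit=0)  # the answer's line
    for pw in ("Hello!", "helloboy", "Hellob0y", "He$$ob0y"):
        print(pw, effective_length(pw), effective_length(pw, **asked),
              check_password(pw, 8, **asked), check_password(pw, 8, **fixed))
```

Running it shows why the question's configuration did not reject a password: with `ucredit=1 dcredit=1 ocredit=0 lcredit=0`, helloboy still reaches an effective length of 8 because positive credits only ever add length, whereas with the answer's negative credits it is reported short on both the uppercase and the digit class.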

Solution 2:

When you login via ssh the /etc/pam.d/sshd policy file is used. This file includes /etc/pam.d/system-auth, and you have to consider the contents of both files.

If you login via /bin/login, then the file /etc/pam.d/login is used therefore any changes to it will only affect /bin/login.

So you might need to make changes in both files i.e. /etc/pam.d/system-auth and /etc/pam.d/login. Or change the one through which you want to force the password complexity.
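As an added illustration of the include relationship this answer describes (not part of the original answer; the sample PAM files are constructed for the demo, not copied from any real system), the script below resolves the password stack a PAM service actually evaluates by following include and substack directives into sibling files. Pointed at a live /etc/pam.d instead of the temporary directory it builds, it reports which file's pam_pwquality or pam_cracklib line is in effect for a given login path, so you can confirm that an edit to system-auth reaches sshd while login carries its own line.

```python
import tempfile
from pathlib import Path

# Added example: resolve the "password" stack a PAM service actually uses by
# following include/substack directives, the relationship between sshd and
# system-auth that the answer describes. The sample files below are
# constructed for the demo, not copied from any real system.
SAMPLE_FILES = {
    "system-auth": """\
# shared stack pulled in by other services
auth      required   pam_unix.so
password  requisite  pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 dcredit=-1
password  sufficient pam_unix.so sha512 shadow use_authtok
""",
    "sshd": """\
auth      substack   password-auth
password  include    system-auth
""",
    "login": """\
password  required   pam_cracklib.so minlen=8 ucredit=1 dcredit=1 ocredit=0 lcredit=0
password  sufficient pam_unix.so sha512 shadow use_authtok
""",
}

QUALITY_MODULES = ("pam_pwquality.so", "pam_cracklib.so")


def build_demo_dir():
    """Write the constructed sample files into a fresh temporary directory."""
    directory = tempfile.mkdtemp(prefix="pam-demo-")
    for name, text in SAMPLE_FILES.items():
        Path(directory, name).write_text(text)
    return directory


def _split_line(line):
    """Split 'type control module args'; control may be a bracketed [..] list."""
    type_, rest = line.split(None, 1)
    if rest.startswith("["):
        control, rest = rest[1:].split("]", 1)
        control = "[" + control.strip() + "]"
    else:
        parts = rest.split(None, 1)
        control, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    parts = rest.split(None, 1)
    module = parts[0] if parts else ""
    args = parts[1].strip() if len(parts) > 1 else ""
    return type_, control, module, args


def password_stack(pam_dir, service, _seen=None):
    """Return the effective password lines of a service as
    (defining_file, control, module, args) tuples, in evaluation order."""
    if _seen is None:
        _seen = set()
    if service in _seen:            # include loop guard
        return []
    _seen.add(service)
    path = Path(pam_dir, service)
    if not path.is_file():
        return []
    stack = []
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if len(line.split(None, 1)) < 2:
            continue
        type_, control, module, args = _split_line(line)
        if type_ != "password":
            continue
        if control in ("include", "substack"):
            stack.extend(password_stack(pam_dir, module, _seen))
        else:
            stack.append((service, control, module, args))
    return stack


def quality_options(pam_dir, service):
    """Options of the first quality module in effect for the service, or None."""
    for _file, _control, module, args in password_stack(pam_dir, service):
        if module in QUALITY_MODULES:
            return {k: v for k, _, v in (a.partition("=") for a in args.split())}
    return None


if __name__ == "__main__":
    demo = build_demo_dir()
    for svc in ("sshd", "login"):
        for entry in password_stack(demo, svc):
            print(svc, "->", *entry)
        print(svc, "quality options:", quality_options(demo, svc))
```

The first element of each tuple is the file that defined the line, which is the detail that matters here: for the sample sshd service the pam_pwquality line comes from system-auth, while login's pam_cracklib line is its own, so the two services enforce different rules until both files are changed.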