My latest gig requires me to know more about passwords, password expiration, and password policies than I have ever had to know before. On the surface this is a bad thing, since it makes my job much harder: I have to maintain more passwords on more individual systems than I can shake a stick at (seriously, no LDAP or anything). On the plus side, though, I am learning a few things here and there that I never had to know before, so I thought I would take this opportunity to jot down a few of the things I have learned.
Password Reuse Policy
This is configured by editing the following file.
/etc/pam.d/system-auth
Look for the line that ends in "remember". The example below remembers the last 5 passwords and will not allow you to reuse any of those last 5.
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5
The old passwords (as hashes) are stored in the text file /etc/security/opasswd.
Password Aging Policy
The settings for password aging are found in /etc/login.defs. Below I am requiring users to change their password every 28 days, forcing them to keep a password for at least 7 days before changing it again, setting the minimum password length, and setting the number of days of warning given before a password expires.
PASS_MAX_DAYS 28
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 7
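As an added example (my own script, not from this post or from the shadow project), here is a POSIX shell script that reads those four keys out of a login.defs-style file, flags any that are weaker than the values above, and builds the chage options that apply the same aging policy to an account that already exists. The two files it writes are constructed stand-ins for /etc/login.defs, and the defaults it assumes for a missing key (99999, 0, 5 and 7) are the usual shadow ones.

```shell
#!/bin/sh
# Added example (not from the post or the shadow project): read the aging keys
# from a login.defs-style file, audit them against the values used in the post,
# and build the chage options that apply the same policy to an existing account.

# login_def FILE KEY -> value of KEY (last active line wins), empty if unset;
# commented-out lines start with "#" and so never match on $1
login_def() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# chage_opts FILE -> chage options matching FILE's aging policy
# (assumed shadow defaults of 99999/0/7 are used for keys that are missing)
chage_opts() {
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    warn=$(login_def "$1" PASS_WARN_AGE)
    printf '%s\n' "-M ${max:-99999} -m ${min:-0} -W ${warn:-7}"
}

# audit_login_defs FILE -> one line per key weaker than the post's baseline
# (missing keys are judged by the assumed shadow defaults 99999/0/5/7)
audit_login_defs() {
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    len=$(login_def "$1" PASS_MIN_LEN)
    warn=$(login_def "$1" PASS_WARN_AGE)
    [ "${max:-99999}" -le 28 ] || echo "PASS_MAX_DAYS=${max:-unset} (want <= 28)"
    [ "${min:-0}" -ge 7 ]      || echo "PASS_MIN_DAYS=${min:-unset} (want >= 7)"
    [ "${len:-5}" -ge 8 ]      || echo "PASS_MIN_LEN=${len:-unset} (want >= 8)"
    [ "${warn:-7}" -ge 7 ]     || echo "PASS_WARN_AGE=${warn:-unset} (want >= 7)"
}

# Constructed sample files standing in for /etc/login.defs; each prints its path.
sample_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample matching the values in the post
PASS_MAX_DAYS 28
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 7
EOF
    echo "$f"
}
weak_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: the stock values shipped on many distributions
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
EOF
    echo "$f"
}

strict=$(sample_defs)
weak=$(weak_defs)
echo "strict file:"; audit_login_defs "$strict"
echo "weak file:";   audit_login_defs "$weak"
echo "to apply the strict policy to an existing account: chage $(chage_opts "$strict") USERNAME"
rm -f "$strict" "$weak"
```

One caveat worth knowing: login.defs only governs accounts created after the edit, so existing users keep their old aging values until you run chage on them (check with chage -l USERNAME). On a PAM system the length check users actually hit also comes from the PAM password module rather than from PASS_MIN_LEN, so keep the two in agreement.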
Password Encryption Method
This is also set in /etc/login.defs. Here I am using SHA512.
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
Password Complexity Settings
Take a look at the line below from /etc/pam.d/system-auth.
password requisite pam_passwdqc.so min=disabled,disabled,8,8,8 enforce=everyone retry=3
OK, this one is a bit tricky. The five comma-separated values of min= are minimum lengths for five kinds of password, in this order: a single character class, only two character classes, a passphrase, three character classes, and four character classes. So the line above disallows passwords made from any single character class, disallows passwords with only two character classes, and sets a minimum length of 8 characters for a passphrase, for a password drawn from three character classes, and for a password drawn from four character classes.
Locking User Accounts Based on Failed Logins
Ok so this one also comes from /etc/pam.d/system-auth.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 magic_root
Above I am locking at 4 failed logins, and locking the user out for 300 seconds, or 5 minutes. Man, I am an ass.
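To see how the three system-auth lines in this post (the remember= line, the pam_passwdqc line and the pam_tally2 line) behave without editing a live box, here is an added example of my own (not the post's code and not pam_passwdqc's): a POSIX shell script that pulls the remember=, min= and deny= values out of a constructed copy of system-auth, then runs a few constructed sample passwords through a simplified model of passwdqc's min=N0,N1,N2,N3,N4 rule. The model implements only the documented rule: four character classes (digits, lower case, upper case, other), passwdqc's exception that an upper-case first character and a digit last character do not count toward the class total, and the passphrase path for inputs of at least three words (passwdqc's default passphrase=3). It does not reproduce the module's dictionary, similarity or length-cap checks, so treat it as an illustration of why a password like Password1 is rejected under the settings above, not as a substitute for the module.

```shell
#!/bin/sh
# Added example: read option values from the system-auth lines in this post and
# model pam_passwdqc's min= rule. Not pam_passwdqc's code; simplified as described above.
export LC_ALL=C   # keep [A-Z]-style ranges ASCII-only

# pam_option FILE MODULE KEY -> value of KEY=... on the line that loads MODULE
# (assumes the one-word control fields used in this post, not "[success=1 ...]")
pam_option() {
    awk -v mod="$2" -v key="$3" '
        $3 == mod { for (i = 4; i <= NF; i++)
                        if (index($i, key "=") == 1) print substr($i, length(key) + 2) }
    ' "$1"
}

# count_classes PASSWORD -> number of character classes as passwdqc counts them:
# an upper-case first character and a digit last character are not counted
count_classes() {
    pw=$1
    case $pw in [A-Z]*) pw=${pw#?} ;; esac
    case $pw in *[0-9]) pw=${pw%?} ;; esac
    n=0
    case $pw in *[0-9]*)        n=$((n + 1)) ;; esac
    case $pw in *[a-z]*)        n=$((n + 1)) ;; esac
    case $pw in *[A-Z]*)        n=$((n + 1)) ;; esac
    case $pw in *[!0-9A-Za-z]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# count_words STRING -> whitespace-separated word count (globbing disabled)
count_words() {
    ( set -f; set -- $1; echo $# )
}

# check_password MINSPEC PASSWORD -> prints accept/reject, exit status 0/1
# MINSPEC is the min= value, e.g. "disabled,disabled,8,8,8" (a leading "min=" is tolerated)
check_password() {
    spec=$(printf '%s' "${1#min=}" | sed 's/disabled/999999/g')
    pw=$2
    oldifs=$IFS; IFS=,; set -- $spec; IFS=$oldifs
    n0=$1 n1=$2 n2=$3 n3=$4 n4=$5
    len=${#pw}
    classes=$(count_classes "$pw")
    case $classes in
        1) need=$n0 ;; 2) need=$n1 ;; 3) need=$n3 ;; 4) need=$n4 ;;
        *) need=999999 ;;   # nothing left once the first-upper/last-digit rule applied
    esac
    if [ "$len" -ge "$need" ]; then echo accept; return 0; fi
    # passphrase path: at least 3 words (passwdqc's default passphrase=3) and the N2 length
    if [ "$(count_words "$pw")" -ge 3 ] && [ "$len" -ge "$n2" ]; then echo accept; return 0; fi
    echo reject; return 1
}

# sample_system_auth -> path to a constructed file holding the three lines from this post
sample_system_auth() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auth     required   pam_tally2.so deny=3 onerr=fail unlock_time=300 magic_root
password requisite  pam_passwdqc.so min=disabled,disabled,8,8,8 enforce=everyone retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5
EOF
    echo "$f"
}

conf=$(sample_system_auth)
echo "passwords remembered:           $(pam_option "$conf" pam_unix.so remember)"
echo "failed logins before lockout:   $(pam_option "$conf" pam_tally2.so deny)"
spec=$(pam_option "$conf" pam_passwdqc.so min)
echo "passwdqc min=$spec"
# constructed sample passwords, not anyone's real credentials
for pw in 'Password1' 'Abc123!' 'Tr0ub4dor&3' 'correct horse battery'; do
    printf '%-24s classes=%s  %s\n' "$pw" "$(count_classes "$pw")" "$(check_password "$spec" "$pw")"
done
rm -f "$conf"
```

Run as-is and the output shows Password1 counted as a single class (the leading P and trailing 1 are discounted) and rejected, Abc123! rejected for being shorter than 8 despite three classes, and the three-word phrase accepted through the passphrase path even though it only has two classes.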