My latest gig requires me to know more about passwords, password expiration, and password policies than I have ever had to know before. On the surface this is a bad thing, as it makes my job much harder: I have to maintain more passwords on more individual systems than I can shake a stick at (seriously, no LDAP or anything). On the plus side, I am learning a few things here and there that I never had to know before. I thought I would take this opportunity to jot down a few of the things that I have learned.
Password Reuse Policy
The configuration item for this can be changed by editing the following file.
Look for the line that ends in "remember". The example below will remember the last 5 passwords, and will not allow you to reuse any of those last 5.
password sufficient pam_unix.so sha512 shadow nullok try_first_pass remember=5
Old passwords (as hashes, not plaintext) are stored in the text file /etc/security/opasswd.
Password Aging Policy
The configuration for password aging is found in /etc/login.defs. Below I am requiring users to change their password every 28 days, forcing them to keep a password for at least 7 days before changing it, configuring the minimum password length, and setting the number of days of warning that will be given before I expire a password.
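To make the aging settings concrete, here is an added audit script (my own example, not from the original post) that parses a login.defs-style fragment and a few /etc/shadow-style entries, all constructed inline, and reports which accounts violate the policy or have expired passwords. The 28-day maximum and 7-day minimum come from the post; PASS_MIN_LEN=8 and PASS_WARN_AGE=7 are assumed values, and the sample accounts and dates are made up.

```python
"""Audit password aging against a login.defs policy (added example)."""
from datetime import date

# Constructed login.defs fragment. The keys are the real login.defs names;
# 28 and 7 come from the post, PASS_MIN_LEN and PASS_WARN_AGE are assumed.
LOGIN_DEFS = """
# comments and blank lines are ignored
PASS_MAX_DAYS   28
PASS_MIN_DAYS   7
PASS_MIN_LEN    8
PASS_WARN_AGE   7
"""

# Constructed /etc/shadow-style lines (hashes replaced by placeholders):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is the day of the last change as days since 1970-01-01.
SHADOW = """
alice:$6$placeholder:19700:7:28:7:::
bob:$6$placeholder:19600:0:99999:7:::
carol:!!:0:7:28:7:::
"""


def parse_login_defs(text):
    """Return {KEY: int} for the PASS_* keys in a login.defs fragment."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].startswith("PASS_"):
            settings[parts[0]] = int(parts[1])
    return settings


def parse_shadow(text):
    """Return a list of dicts, one per non-empty shadow line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries.append({
            "name": f[0],
            "hash": f[1],
            "lastchg": int(f[2]) if f[2] else None,
            "min": int(f[3]) if f[3] else 0,
            "max": int(f[4]) if f[4] else None,
            "warn": int(f[5]) if f[5] else 0,
        })
    return entries


def audit(entries, policy, today_days):
    """Return {name: [findings]} for each account, given today's day number."""
    findings = {}
    for e in entries:
        issues = []
        if e["hash"].startswith(("!", "*")):
            issues.append("locked")
        if e["lastchg"] == 0:
            issues.append("must-change-at-next-login")
        if e["max"] is None or e["max"] > policy["PASS_MAX_DAYS"]:
            issues.append("max-days exceeds policy")
        if e["min"] < policy["PASS_MIN_DAYS"]:
            issues.append("min-days below policy")
        if e["lastchg"] and e["max"] is not None:
            age = today_days - e["lastchg"]
            if age > e["max"]:
                issues.append("expired")
            elif age >= e["max"] - e["warn"]:
                issues.append("expiring-soon")
        findings[e["name"]] = issues
    return findings


def days_since_epoch(d=None):
    """Convert a date to the day number used in the shadow file."""
    return ((d or date.today()) - date(1970, 1, 1)).days


if __name__ == "__main__":
    policy = parse_login_defs(LOGIN_DEFS)
    # Constructed "today": day 19730, thirty days after alice's last change.
    for user, issues in audit(parse_shadow(SHADOW), policy, 19730).items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
```

One caveat worth remembering: the PASS_* values in /etc/login.defs are applied when an account is created, so accounts that already exist (like "bob" above, still carrying the 99999-day default) keep their old shadow fields until you update them with chage. Running an audit like this against the real /etc/shadow is how you find the stragglers.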
Password Encryption Method
This is also set in /etc/login.defs. Here I am using SHA512.
# Use SHA512 to encrypt password.
Password Complexity Settings
Take a look at the line below from /etc/pam.d/system-auth
password requisite pam_passwdqc.so min=disabled,disabled,8,8,8 enforce=everyone retry=3
Ok now this one is a bit tricky, but the above essentially disallows passwords from any single character class, disallows a password with only two character classes, sets a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters for a password from four character classes.
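Because the five-number min= rule is easy to misread, here is an added example (my own simplified model, not passwdqc's code) that implements the length-by-class-count logic the line above expresses, so a candidate password can be checked against the policy offline. It follows the passwdqc man page's rule that an uppercase first character and a digit last character do not count towards the class tally, and treats anything with at least three words as a passphrase (passwdqc's default). The test passwords are constructed.

```python
"""Simplified model of pam_passwdqc's min=N0,N1,N2,N3,N4 check (added example)."""


def parse_min(spec):
    """Parse 'disabled,disabled,8,8,8' into five ints, with None for 'disabled'."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [None if p == "disabled" else int(p) for p in parts]


def char_classes(pw):
    """Count character classes the passwdqc way.

    Classes are digits, lower-case, upper-case and everything else. Per the
    passwdqc man page, an upper-case first character and a digit last
    character are not counted, because they are the most predictable places
    to put them.
    """
    body = pw
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    classes = set()
    for c in body:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def passes_min(pw, mins, passphrase_words=3):
    """Return True if pw satisfies the min= policy.

    mins[0] applies to one-class passwords, mins[1] to two classes,
    mins[3] to three and mins[4] to four; mins[2] is the passphrase length,
    which applies only if the password has at least passphrase_words words.
    """
    n = len(pw)
    by_class = {1: mins[0], 2: mins[1], 3: mins[3], 4: mins[4]}
    limit = by_class.get(char_classes(pw))
    if limit is not None and n >= limit:
        return True
    words = len(pw.split())
    return mins[2] is not None and words >= passphrase_words and n >= mins[2]


if __name__ == "__main__":
    policy = parse_min("disabled,disabled,8,8,8")   # the line from the post
    for candidate in ["password1234", "Tr0ub4dor", "Passw0rd!",
                      "correct horse battery staple", "aB3!"]:
        print(f"{candidate!r:32} classes={char_classes(candidate)} "
              f"ok={passes_min(candidate, policy)}")
```

Note how "Tr0ub4dor" fails: once the leading capital is discounted it is only lower-case letters and digits, which is two classes, and two-class passwords are disabled by this policy regardless of length. The real module also enforces retry=3, similarity to the old password and dictionary checks, none of which are modelled here.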
Locking User Accounts Based on Failed Logins
Ok so this one also comes from /etc/pam.d/system-auth.
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 magic_root
Above I am locking at 4 failed logins, and locking the user for 300 seconds, or 5 minutes. Man I am an ass.
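The "3 in deny=3 but locked at 4" arithmetic is less confusing when you can step through it, so here is an added simulation (my own example, not pam_tally2's code) of how the deny and unlock_time options interact: the counter is bumped before the check, so the attempt after the third failure is refused even with the right password, and the lock clears on its own once unlock_time seconds have passed. The timestamps and user name are constructed; magic_root is not modelled.

```python
"""Simulation of pam_tally2 deny=/unlock_time= behaviour (added example)."""


class TallyLock:
    """Per-user failure counter with a time-based automatic unlock."""

    def __init__(self, deny=3, unlock_time=300):
        self.deny = deny                # from the post: deny=3
        self.unlock_time = unlock_time  # from the post: unlock_time=300
        self.tally = {}                 # user -> consecutive failure count
        self.last_attempt = {}          # user -> time of last attempt (seconds)

    def attempt(self, user, password_ok, now):
        """Return 'allowed', 'denied' (bad password) or 'locked' (tally exceeded).

        Mirrors pam_tally2: the tally is incremented before it is compared
        to deny, and is zeroed if unlock_time has elapsed since the last
        attempt. A successful login resets the counter.
        """
        tally = self.tally.get(user, 0)
        last = self.last_attempt.get(user, 0)
        if tally and now - last >= self.unlock_time:
            tally = 0                   # lock (and history) has expired
        tally += 1                      # counted before the check
        self.tally[user] = tally
        self.last_attempt[user] = now
        if tally > self.deny:
            return "locked"             # refused regardless of the password
        if password_ok:
            self.tally[user] = 0        # success resets the counter
            return "allowed"
        return "denied"


def run_scenario():
    """Three bad guesses, a correct one that is refused, then unlock after 300s."""
    lock = TallyLock(deny=3, unlock_time=300)
    results = [lock.attempt("alice", False, t) for t in (0, 1, 2)]
    results.append(lock.attempt("alice", True, 3))    # 4th attempt: locked
    results.append(lock.attempt("alice", True, 100))  # still inside 300s
    results.append(lock.attempt("alice", True, 400))  # 300s after t=100
    return results


if __name__ == "__main__":
    for i, r in enumerate(run_scenario(), 1):
        print(f"attempt {i}: {r}")
```

The last line of the scenario is the part people miss: a locked-out user who keeps retrying keeps pushing the last-attempt time forward, so the 300 seconds are measured from their most recent try, not from the original lockout.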