Wednesday, May 6, 2015

password policy

A. Password complexity

# more /etc/pam.d/system-auth

- Set a minimum password length. The pam_cracklib line below enforces minlen=8; change it to minlen=10 for a 10-character minimum. Because all four credits are negative, no length credit is granted and minlen is the real minimum.
- Require at least one digit, one upper-case letter, one other (non-alphanumeric) character and one lower-case letter: dcredit=-1, ucredit=-1, ocredit=-1, lcredit=-1. A negative value is a minimum count for that class; a positive value would instead count as length credit and let shorter passwords through.
- Require at least 3 characters to differ from the previous password (difok=3).
- Do not allow a previously used password to be reused (remember=5 on pam_unix.so).

# grep pam_cracklib.so /etc/pam.d/system-auth
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3

# grep pam_unix.so /etc/pam.d/system-auth
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

"remember=5" - pam_unix keeps the hashes of each user's last 5 passwords in /etc/security/opasswd and rejects a new password that matches any of them. Create the file first (touch /etc/security/opasswd; chmod 600 /etc/security/opasswd) on systems that do not ship it.

Two things to check before calling this done: "nullok" lets an account with an empty password field log in without a password, so remove it unless you actually need that; and pam_cracklib only warns root instead of rejecting, so add enforce_for_root if root must follow the same rules. On RHEL/CentOS, system-auth is normally a symlink to system-auth-ac, which authconfig rewrites; copy it to system-auth-local and point the symlink there so the edits survive. On RHEL 7 and current Fedora, pam_cracklib.so is replaced by pam_pwquality.so, which accepts the same minlen and credit options.

B. Set password expiration date

# grep PASS /etc/login.defs

PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs are only applied to accounts created after the change. Existing accounts keep their current aging values and must be updated with chage.

# Get account age information
# chage -l user1

-> Set account password expiration date
# chage -E 2015-12-30 -m 5 -M 90 -I 30 -W 14 jsmith

-E = account expiry date in YYYY-MM-DD format (the documented form; some versions also accept MM/DD/YYYY). After this date the account itself is locked, regardless of the password. -E -1 removes the expiry date.
-m = minimum number of days between password changes. 0 means the password can be changed at any time, which lets a user cycle through 5 passwords in a minute to defeat remember=5, so use a value above 0.
-M = maximum number of days a password is valid. The default 99999 effectively means never.
-I = number of days of inactivity after the password has expired before the account is locked. -1 disables the inactivity lock.
-W = number of days of warning before a password change is required.

Re-run chage -l jsmith afterwards and check that "Maximum number of days between password change" and "Account expires" show the new values.
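Both sections come down to two checks: are the password-stack options in system-auth what you think they are, and do the aging fields in /etc/shadow actually match the chage policy. The script below is an added example, not part of the original post; it audits constructed sample lines offline so it can be run anywhere, and the same functions work on the real files when run as root (pam_findings "$(cat /etc/pam.d/system-auth)" and audit_shadow 90 "$(cat /etc/shadow)"). The sample hashes and account names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two controls above.
# The config and shadow lines below are constructed samples, not copied from
# any real system; the field layout follows shadow(5).

# Sample /etc/pam.d/system-auth password lines (the two shown in section A).
SAMPLE_PAM='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5'

# Sample /etc/shadow lines (constructed). Fields:
# name:hash:lastchg:min:max:warn:inact:expire:
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:16500:0:99999:7:::
jsmith:$6$saltsalt$fakehash:16500:5:90:14:30::
svc_backup:!!:16500:0:99999:7:::
olduser::16400:0:90:7:::'

# pam_findings CONFIG_TEXT: print one line per weakness in the password
# stack: minlen below 10, a credit that does not force its character class,
# nullok, or a pam_unix line without remember=. Prints nothing when clean.
pam_findings() {
  printf '%s\n' "$1" | awk '
    $1 != "password" { next }
    $3 ~ /pam_(cracklib|pwquality)\.so$/ {
      seen_quality = 1
      for (i = 4; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "minlen" && kv[2] + 0 < 10)
          print "minlen=" kv[2] " is below 10"
        # A credit of 0 or more grants length credit instead of requiring
        # the class; only a negative value is a real minimum count.
        if (kv[1] ~ /^[dulo]credit$/ && kv[2] + 0 >= 0)
          print kv[1] "=" kv[2] " does not require that class"
      }
    }
    $3 ~ /pam_unix\.so$/ {
      has_remember = 0
      for (i = 4; i <= NF; i++) {
        if ($i == "nullok") print "nullok allows empty passwords"
        if ($i ~ /^remember=/) has_remember = 1
      }
      if (!has_remember) print "pam_unix.so has no remember= (history not enforced)"
    }
    END { if (!seen_quality) print "no pam_cracklib/pam_pwquality password line" }
  '
}

# audit_shadow MAXDAYS SHADOW_TEXT: print name:reason for every account whose
# aging does not match the policy. Locked and no-login accounts (hash starting
# with ! or *) are skipped; an empty hash field is reported because, combined
# with nullok, it means login without any password.
audit_shadow() {
  printf '%s\n' "$2" | awk -F: -v max="$1" '
    $2 == ""      { print $1 ":empty-password"; next }
    $2 ~ /^[!*]/  { next }
    $5 == "" || $5 + 0 > max { print $1 ":max-days-" ($5 == "" ? "unset" : $5) }
  '
}

echo "== PAM findings =="
pam_findings "$SAMPLE_PAM"
echo "== Accounts out of policy (max 90 days) =="
audit_shadow 90 "$SAMPLE_SHADOW"
```

On the sample data the PAM check flags minlen=8 and nullok, and the shadow check flags root (max days 99999, i.e. never expires) and olduser (empty password field). Each account that audit_shadow reports is fixed with the chage line from section B; the PAM findings are fixed by editing the two lines in section A.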
