How to Enforce Password Policies in Linux (Ubuntu / CentOS)
As much as Linux is considered a secure operating system, its security is only as good as the password strength of its login users. Password policies exist to ensure that strong passwords are set for users, and as a Linux administrator you should enforce these policies to make breaches harder. You surely don’t want users configuring weak or guessable passwords that can be brute-forced in a matter of seconds.
In this article, we look at how to enforce password policies in Linux, specifically on CentOS and Ubuntu. We will cover policies such as password expiration period, password complexity and password length.
Enforce Password Policies in Ubuntu / Debian
There are two main ways that you can enforce password policies. Let’s take a look at each in detail.
1) Configure the maximum number of days that a password can be used
To start with, you can configure a password policy that requires users to change their passwords after a certain number of days. Best practice dictates that a password should be changed periodically to keep malicious users off balance and make it harder for them to breach your system. This applies not just in Linux but in other systems such as Windows and macOS.
To achieve this in Debian/Ubuntu, edit the /etc/login.defs file and look for the PASS_MAX_DAYS attribute.
By default, this is set to 99999 days:
PASS_MAX_DAYS 99999
You can change this to a reasonable duration, say 30 days, by setting the value to 30 and saving the file. Once the 30 days have lapsed, you will be compelled to create a new password.
2) Configure Password complexity with pam
Ensuring that a password meets a certain degree of complexity is equally crucial and further thwarts any attempt by attackers to infiltrate your system using brute force.
As a general rule, a strong password should have a combination of Uppercase, lowercase, numeric and special characters and should be at least 12-15 characters long.
To enforce password complexity in Debian / Ubuntu systems, you need to install the libpam-pwquality package as shown:
$ sudo apt install libpam-pwquality
Once installed, open the /etc/pam.d/common-password file, which is where you are going to set the password policies. By default, the relevant part of the file appears as shown below.
Locate the line shown below
password requisite pam_pwquality.so retry=3
Add the following attributes to the line:
minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
The entire line should then read:
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
Let’s flesh out what these directives stand for:
- retry=3 : The user is prompted up to 3 times before the module gives up and returns an error.
- minlen=12 : The password cannot be shorter than 12 characters.
- maxrepeat=3 : At most 3 identical characters may appear consecutively in the password.
- ucredit=-1 : Requires at least one uppercase character in the password.
- lcredit=-1 : Requires at least one lowercase character in the password.
- dcredit=-1 : Requires at least one numeric character in the password.
- ocredit=-1 : Requires at least one special character in the password.
- difok=4 : The new password must differ from the old one in at least 4 characters.
- reject_username : Rejects a password that contains the username, either as it is or reversed.
- enforce_for_root : Ensures that the password policy is enforced even when the root user sets a password (without it, root is only warned).
Enforce Password Policies in CentOS / RHEL
For Debian and Ubuntu systems, we enforced the password policy by making changes to the /etc/pam.d/common-password configuration file.
For CentOS 7 and other derivatives, we are going to modify the /etc/pam.d/system-auth or /etc/security/pwquality.conf configuration file.
So, proceed and open the file:
$ sudo vim /etc/pam.d/system-auth
Locate the line shown below
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
Append the options in the line as shown.
minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
You will end up with the line below:
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
Once done, save the file and exit.
Once again, when you try to create a user with a weak password that does not meet the enforced policy, passwd rejects it and prints an error in the terminal stating which rule failed.
As you have seen, enforcing a password policy is quite easy and is a superb way of preventing users from setting weak passwords that are easy to guess or prone to brute-force attacks. By enforcing these policies, you can rest assured that you have fortified your system’s security and made it more difficult for attackers to compromise it.
3 thoughts on “How to Enforce Password Policies in Linux (Ubuntu / CentOS)”
I’ve enforced the above policy, which is working fine for me. What if we need to expire a hundred users so they reset their passwords at next login? The passwd -e user.name command will expire one user, and for this command we need to provide a password to the user so he/she can use this temporary password to set a new password at first login. Please assist, thanks in advance.
Hi FAHAD, create a small script and use a for loop in the script to run ‘passwd -e’ for the hundred users.
How to implement password policy in RHEL Linux with examples
In this article we will implement a password policy with a certain list of requirements on our CentOS/RHEL 7 Linux node. Each requirement is covered under its own heading. In RHEL/CentOS 7 we can implement the password policy using pwquality.conf; you can also continue to use system-auth and password-auth inside /etc/pam.d, but with pwquality.conf the steps to implement a password policy are comparatively simpler.
Implement Password Policy
With RHEL 7 we can implement password policy via /etc/security/pwquality.conf where pwquality.conf is the configuration for the libpwquality library. It provides a way to configure the default password quality requirements for the system passwords. This file is read by the libpwquality library and utilities that use this library for checking and generating passwords. The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = sign is ignored.
Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)
Insert the following in /etc/pam.d/system-auth and /etc/pam.d/password-auth (after pam_pwquality.so line):
password requisite pam_pwhistory.so remember=5 use_authtok
Requirement 2. Password size (Minimum acceptable size for the new password).
Set the minlen option in /etc/security/pwquality.conf. From the option’s description:
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9, which is good for an old-style UNIX password consisting of a single type of character but may be too low to exploit the added security of an md5 system.
There is a pair of length limits in Cracklib itself: a "way too short" limit of 4 which is hard-coded in, and a defined limit (6) that will be checked without reference to minlen. If it is required to allow passwords as short as 5 characters, this module shouldn’t be used.
Requirement 3. Set limit to number of digits in password.
Minimum number of numeric characters (dcredit=N)
(N >= 0) This is the maximum credit for having digits in the new password. If the password has N or fewer digits, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
dcredit = -1
Here -1 means that at least one digit is mandatory in the new password.
Requirement 4. Set limit to number of Upper Case characters in password
Minimum number of upper case letters (ucredit=N)
(N >= 0) This is the maximum credit for having upper case letters in the new password. If the password has N or fewer upper case letters, each letter counts +1 towards meeting the current minlen value. The default for ucredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
ucredit = -1
Here -1 means that at least one uppercase character is mandatory in the new password.
Requirement 5. Set limit to number of Lower Case characters in password
Minimum number of lower case letters (lcredit=N)
(N >= 0) This is the maximum credit for having lower case letters in the new password. If the password has N or fewer lower case letters, each letter counts +1 towards meeting the current minlen value. The default for lcredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
lcredit = 1
Here 1 is the maximum credit that lowercase characters can contribute towards minlen.
Requirement 6. Set limit to number of Other characters in password
Minimum number of non-alphanumeric characters (ocredit=N)
(N >= 0) This is the maximum credit for having other characters in the new password. If the password has N or fewer other characters, each character counts +1 towards meeting the current minlen value. The default for ocredit is 1, which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be present in a new password.
Insert the following option in /etc/security/pwquality.conf:
ocredit = 1
Here 1 is the maximum credit that other (non-alphanumeric) characters can contribute towards minlen.
- Credit Value > 0 : Maximum credit for having respective characters in the new password.
- Credit Value < 0: Minimum mandatory credit required for having respective characters in the new password.
- Credit Value = 0 : No mandatory requirement for having the respective character class in the new password.
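To make the credit arithmetic of Requirements 2 to 6 concrete (it is the same model behind the minlen, credit, maxrepeat, difok and reject_username directives in the Ubuntu section above), here is an added Python model of how pam_pwquality evaluates these options. It is not code from the original article or from libpwquality; the Policy defaults are assumed to be the Ubuntu section’s values, and the difok and reject_username checks are simplified approximations of the library’s.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    """pam_pwquality options used on this page; defaults are the Ubuntu section's values."""
    minlen: int = 12
    dcredit: int = -1   # N < 0: at least |N| digits required; N >= 0: up to N credits
    ucredit: int = -1   # same rule for uppercase letters
    lcredit: int = -1   # same rule for lowercase letters
    ocredit: int = -1   # same rule for other (non-alphanumeric) characters
    maxrepeat: int = 3  # longest permitted run of one repeated character
    difok: int = 4      # characters that must differ from the old password
    reject_username: bool = True

def _distance(a, b):
    """Edit distance; pam_pwquality uses a similar metric for difok (simplified here)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(pw, policy=Policy(), username=None, old=None):
    """Return [] when pw satisfies policy, otherwise the list of violated rules."""
    counts = {"dcredit": sum(c.isdigit() for c in pw), "ucredit": sum(c.isupper() for c in pw),
              "lcredit": sum(c.islower() for c in pw), "ocredit": sum(not c.isalnum() for c in pw)}
    errors, credit = [], 0
    for name, n in counts.items():
        limit = getattr(policy, name)
        if limit < 0:              # negative credit: a hard minimum for this class
            if n < -limit:
                errors.append(f"{name}: need at least {-limit}, found {n}")
        else:                      # non-negative: up to `limit` chars count toward minlen
            credit += min(n, limit)
    if len(pw) + credit < policy.minlen:
        errors.append(f"minlen: effective length {len(pw) + credit} < {policy.minlen}")
    if policy.maxrepeat and re.search(r"(.)\1{%d,}" % policy.maxrepeat, pw):
        errors.append(f"maxrepeat: more than {policy.maxrepeat} identical characters in a row")
    if policy.reject_username and username:
        u = username.lower()
        if u in pw.lower() or u[::-1] in pw.lower():
            errors.append("reject_username: contains the username or its reverse")
    if old and policy.difok and _distance(old, pw) < policy.difok:
        errors.append(f"difok: fewer than {policy.difok} characters differ from the old password")
    return errors
```

Note how, with all four credits set to 1, an 11-character all-lowercase password satisfies minlen = 12, which is why the Ubuntu section uses negative credits to make each character class mandatory.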
Requirement 7. Set maximum number of allowed consecutive same characters in the new password
The option for this requirement is maxrepeat = N (the maximum number of identical consecutive characters allowed in the new password); the related minclass = N option sets the minimum number of required character classes in the new password.
Insert the option with your chosen value of N in /etc/security/pwquality.conf.
Requirement 8. Enforce root for password complexity
Insert the following option in /etc/security/pwquality.conf:
enforce_for_root
If this does not take effect, add enforce_for_root to the pam_pwquality.so line in /etc/pam.d/system-auth and /etc/pam.d/password-auth instead.
Lastly, I hope the steps in this article to implement a password policy in Linux were helpful. Let me know your suggestions and feedback using the comment section.
12 thoughts on “How to implement password policy in RHEL Linux with examples”
Hi, I have read your post with big interest.
But I don’t find how to implement password != login.
Could you explain how to prevent this type of password with pam policy ?
Thanks for all this great job!
Hi Greg,
Do you mean we create a certain list of password which a user should not be allowed to use while changing their password? Regards
Deepak
Using the root user, most rules are bypassed unless the password restriction is applied to the root user as well.
I have a question with How to “Requirement 1. Keep history of used passwords (the number of previous passwords which cannot be reused)” Example.
password sufficient pam_unix.so remember=5
password requisite pam_pwhistory.so remember=5 use_authtok
I would like to know the comparison between sufficient and requisite; I am concerned it may affect the production server. Could you please clarify my question? Thank you very much.
You can check this article for details on different flags used in PAM
https://docs.oracle.com/cd/E19253-01/816-4557/pam-15/index.html
I have added enforce_for_root in system-auth and password-auth, and then the root password was not bypassed. Yet when I tried to remove them it was still the same: the root password can’t be bypassed. Do we need to restart any service or reboot the machine after reverting back?
Can you share, how are you specifying this entry in both the auth files?
Ideally, it should be placed like this
password requisite pam_pwhistory.so enforce_for_root remember=5 use_authtok
Dear, very good article, but I have a doubt: is there some policy that can be implemented so that first-time users are asked to change their password at their first login to the server?
You can expire the user’s password after creating it, so the next time they log in it will prompt for a password change.
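For the bulk case asked about in the earlier comment thread (expiring a hundred users at once with passwd -e) and the first-login case answered just above, here is an added Python script that reads account names from a file, validates and looks up each one, and runs passwd -e for it. It is not code from the original article; the users.txt file name and the injectable run parameter are assumptions for illustration and testing.

```python
import pwd
import re
import subprocess
import sys

# Conservative shape for local account names (assumption: lowercase, useradd-style).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def expire_passwords(users, run=subprocess.run):
    """Run `passwd -e` for each listed account so it must pick a new password at next login.

    `users` is any iterable of names (blank lines and '#' comments are ignored).
    Returns (expired, skipped) where skipped is a list of (name, reason) tuples.
    `run` is injectable so the selection logic can be exercised without root."""
    expired, skipped = [], []
    for raw in users:
        user = raw.strip()
        if not user or user.startswith("#"):
            continue
        if not USERNAME_RE.match(user):
            skipped.append((user, "invalid name"))   # never hand odd strings to passwd
            continue
        try:
            pwd.getpwnam(user)                       # must exist locally before we touch it
        except KeyError:
            skipped.append((user, "no such user"))
            continue
        if run(["passwd", "-e", user], check=False).returncode == 0:
            expired.append(user)
        else:
            skipped.append((user, "passwd -e failed"))
    return expired, skipped

if __name__ == "__main__":
    # Assumed usage (needs root): sudo python3 expire_passwords.py users.txt
    with open(sys.argv[1]) as fh:
        done, missed = expire_passwords(fh)
    print(f"expired {len(done)} account(s); skipped {len(missed)}")
    for name, why in missed:
        print(f"  {name}: {why}", file=sys.stderr)
```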