Enforcing Password Complexity on CentOS/RedHat

From Peter Pap's Technowiki
Revision as of 04:00, 27 May 2013 by Ppapa

Edit the file /etc/pam.d/system-auth and change these two lines:

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

to:

 password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10

This will mean:

minlen=9: the minimum password length is 9 characters
lcredit=-1: minimum of 1 lowercase letter
ucredit=-1: minimum of 1 uppercase letter
dcredit=-1: minimum of 1 decimal character (number)
ocredit=-1: minimum of 1 special character (punctuation etc.)
difok=3: enforces no less than 3 characters of difference between the old and new password
remember=10: remembers the last 10 passwords so they can't be reused
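The shell script below is an added example, not part of the original page: it audits a PAM password stack for the settings listed above, so you can confirm the edit took effect (or check a fleet of hosts) rather than trusting that the file was saved correctly. The function names, the two constructed sample files and the thresholds it enforces (minlen at least 9, each credit at most -1, difok at least 3, remember at least 10) are assumptions taken from the lines above. It also warns when the pam_unix.so line still carries nullok, which lets accounts with an empty password field authenticate; the corrected line above keeps that option, so it is reported rather than failed.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit a PAM password stack for the
# settings the page recommends. Function names, the constructed sample files and the
# thresholds (minlen>=9, each credit<=-1, difok>=3, remember>=10) are assumptions.

# pam_opt LINE NAME: print the value of NAME=value on LINE, or nothing if NAME is absent.
pam_opt() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# require LINE NAME OP VALUE: succeed only if NAME is present and "value OP VALUE" holds
# (OP is a test(1) integer operator such as -ge or -le). Failures are reported on stderr.
require() {
    val=$(pam_opt "$1" "$2")
    if [ -z "$val" ]; then
        echo "  missing $2 (want $2 $3 $4)" >&2
        return 1
    fi
    if [ "$val" "$3" "$4" ]; then
        return 0
    fi
    echo "  $2=$val violates $2 $3 $4" >&2
    return 1
}

# check_pam_password_policy FILE: return 0 when FILE's password stack meets the policy,
# 1 otherwise. Only the first pam_cracklib.so and pam_unix.so "password" lines are
# inspected, which matches the two lines the page edits.
check_pam_password_policy() {
    cracklib=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' "$1" | head -n 1)
    unixline=$(grep -E '^[[:space:]]*password[[:space:]]+sufficient[[:space:]]+pam_unix\.so' "$1" | head -n 1)
    rc=0
    if [ -z "$cracklib" ]; then
        echo "  no 'password requisite pam_cracklib.so' line" >&2
        rc=1
    else
        require "$cracklib" minlen  -ge 9  || rc=1
        require "$cracklib" lcredit -le -1 || rc=1
        require "$cracklib" ucredit -le -1 || rc=1
        require "$cracklib" dcredit -le -1 || rc=1
        require "$cracklib" ocredit -le -1 || rc=1
        require "$cracklib" difok   -ge 3  || rc=1
    fi
    if [ -z "$unixline" ]; then
        echo "  no 'password sufficient pam_unix.so' line" >&2
        rc=1
    else
        require "$unixline" remember -ge 10 || rc=1
        # nullok lets accounts with an empty password field authenticate; the page keeps
        # it on the corrected line, so it is a warning here rather than a failure.
        case " $unixline " in
            *" nullok "*) echo "  warning: pam_unix.so has nullok (empty passwords accepted)" >&2 ;;
        esac
    fi
    return $rc
}

# Constructed samples: the page's "before" lines and its "after" lines.
weak_sample=$(mktemp)
strong_sample=$(mktemp)
trap 'rm -f "$weak_sample" "$strong_sample"' EXIT
cat >"$weak_sample" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF
cat >"$strong_sample" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10
EOF

# Usage: pass a PAM file to audit it (e.g. /etc/pam.d/system-auth); with no argument the
# check runs against the two constructed samples.
if [ -n "${1:-}" ]; then
    if check_pam_password_policy "$1"; then echo "$1: policy enforced"; else echo "$1: policy NOT enforced"; fi
else
    for f in "$weak_sample" "$strong_sample"; do
        if check_pam_password_policy "$f"; then echo "$f: policy enforced"; else echo "$f: policy NOT enforced"; fi
    done
fi
```

Run it with no arguments to see the unmodified lines fail and the modified lines pass; run it with /etc/pam.d/system-auth to audit a real host. Because it only reads the file, it is safe to run from a configuration-management or compliance job.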