Monday, 8 June 2009

Linux local user account password policies

Setup a password policy
NOTE: Tested on Redhat ES5 only so far, should work on all Linux
This will setup a password policy of a min 8 char with at least one each of [uppercase|lowercase|numbers|symbols]. Passwords expire after 90 days and if not reset within a further 7 days the account is inactivated. Warnings are issues from 7 days before password expiry.  This is all for local accounts only, not domain accounts.

Edit /etc/pam.d/system-auth
Edit the password line so it looks as follows:
password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
ucredit is uppercase, lcredit lowercase, dcredit didget (numbers) and ocredit is other (symbols). By having a negative number you are requiring at least that many of each type.

Edit /etc/login.defs
Set the following values, all fairly self explanatory
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
Edit /etc/default/useradd
Sets how long after password expires before locking the account
INACTIVE=7
Enable password history to prevent reuse
These 3 steps will probably have been done by system install, check anyway.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
Edit /etc/pam.d/system-auth and add to the line as shown below:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=24
Lock account after set number of invalid passwords
# touch /var/log/faillog
# chown root:root /var/log/faillog
# chmod 600 /var/log/faillog
Edit /etc/pam.d/system-auth.
Directly under "auth required... pam_env.so" add:
auth required pam_tally.so onerr=fail deny=6 no_magic_root unlock_time=1800
Directly under last "account required" add:
account required pam_tally.so no_magic_root
Manual commands
Manually set for pre existing user accounts
To show current settings on account:
# chage -l [username]
For pre existing users you need to manually update their security token for this to take effect
# chage -m0 -M90 -I7 -W7 [username]
m=min age, M=max age, I=inactive after period, W=warn period before expire, all in days

Force expire a users password
To force a password to expire and therefore require a new password from them on next login (useful with new accounts where you want the user to change the password to something they will remember immediately):
# chage -d0 [username]
Show a count of all failures
# faillog -a
To clear failed passwords for a user
# faillog -u [username] -r

No comments:

Post a comment