A password is a string of characters used for authentication. When the correct password is provided, you become an authenticated user and are given access to the services you are allowed to use. It is good practice to change the password once every 60 days.

In this post we are going to see how to make passwords on a Linux system more complex, that is, how to restrict them so that a password must be alphanumeric, at least 8 characters long, and so on. This is done through the Pluggable Authentication Module (PAM) configuration file ‘/etc/pam.d/system-auth’. On some Linux variants this file is a soft link to ‘/etc/pam.d/system-auth-ac’; since it is a soft link, the content is the same and a change made to either file is reflected in both. Other variants have only the single file ‘system-auth’, and on those systems we edit that file. We will use this file to make the password complex.

Here, we grep for the word ‘password’ in the file ‘system-auth-ac’.

grep password /etc/pam.d/system-auth-ac

Snippet of the system-auth-ac file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so

Open the file ‘system-auth-ac’ and search for the line beginning ‘password requisite’. Comment that line out with `#`, insert the line below, and save the file.

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

Here $ISA refers to the Instruction Set Architecture (32 or 64 bit) and decides which pam_cracklib.so is picked. On some systems $ISA will not be there. Where the line instead carries the full path with $ISA, we append ‘retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1’ to that line and keep $ISA and the entire path as they are.

Here,

clause         Explanation
minlen=12      Minimum length of the password is 12 characters (the option is spelled minlen; pam_cracklib does not recognise minlength)
lcredit=-1     At least 1 lower-case character [a-z] must be in the password
ucredit=-1     At least 1 upper-case character [A-Z] must be in the password
dcredit=-1     At least 1 digit [0-9] must be in the password
ocredit=-1     At least 1 other character (neither letter nor digit) must be in the password

A negative credit value is a required minimum for that character class. A positive value (for example lcredit=1) does not require the class at all; it only grants up to that many credits towards minlen, so the negative form is the one that enforces the rules described above.

The clause ‘retry=3’ is the number of attempts permitted for changing the password when we issue the command ‘passwd’.

Number of attempts given for a password change when you run the command ‘passwd’.
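As an added example (not code from the original post), the following Python models pam_cracklib's minlen/credit arithmetic so a policy line can be checked before it is deployed. It assumes the simplified scoring rule described in the comments and leaves out the dictionary and similarity checks the real module also performs.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class CracklibPolicy:
    """Length and character-class settings from the pam_cracklib line above."""
    minlen: int = 12
    lcredit: int = -1   # negative: at least N lower-case letters are required
    ucredit: int = -1   # non-negative: up to N credits are added towards minlen
    dcredit: int = -1
    ocredit: int = -1

# Character classes counted by pam_cracklib: digit, upper, lower, everything else.
CLASSES = {
    "lcredit": (re.compile(r"[a-z]"), "lower-case letter"),
    "ucredit": (re.compile(r"[A-Z]"), "upper-case letter"),
    "dcredit": (re.compile(r"[0-9]"), "digit"),
    "ocredit": (re.compile(r"[^a-zA-Z0-9]"), "other character"),
}

def check_password(password: str, policy: CracklibPolicy) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes.

    Mirrors pam_cracklib's credit rule: a negative Ncredit demands at least |N|
    characters of that class, while a non-negative N awards min(count, N) credits,
    and the password fails as too short when length + credits < minlen.
    """
    failures = []
    credits = 0
    for name, (pattern, label) in CLASSES.items():
        setting = getattr(policy, name)
        count = len(pattern.findall(password))
        if setting < 0:
            if count < -setting:
                failures.append(f"needs at least {-setting} {label}(s), found {count}")
        else:
            credits += min(count, setting)
    if len(password) + credits < policy.minlen:
        failures.append(
            f"too short: length {len(password)} + credits {credits} < minlen {policy.minlen}"
        )
    return failures

if __name__ == "__main__":
    # Constructed sample passwords: the first passes, the second fails three rules.
    for candidate in ("Veena@2024xyz", "veena12345"):
        print(candidate, check_password(candidate, CracklibPolicy()) or "OK")
    # With positive credits a 9-character password reaches minlen=12 on credits alone.
    lenient = CracklibPolicy(lcredit=1, ucredit=1, dcredit=1, ocredit=1)
    print("Abcdefg1!", check_password("Abcdefg1!", lenient) or "OK")
```

Running it with the strict policy rejects ‘veena12345’ for the missing upper-case and other characters and for length, while the lenient positive-credit policy accepts a 9-character password.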

To make our changes take effect, we can restart the sssd service (SSSD is the System Security Services Daemon), or we can do it in the manner below.

Run the command below. This hands control to systemctl to stop sssd, much like ‘systemctl disable sssd.service’.

authconfig --update

Since the header of system-auth-ac states that the file is regenerated whenever authconfig runs, check afterwards that the edited password line is still present.

Now start the sssd service.

service sssd start

Now our changes are in effect. To verify, try to change the password of some user with the command ‘passwd’. When creating users, we can also set a password expiry date, which forces users to keep changing their passwords at specific intervals.

Note:

The password complexity rules apply only to users other than root; root can always override that file (system-auth) by giving any password. pam_cracklib only prints the failed check for root; if your pam_cracklib version supports the enforce_for_root option, adding it to the line makes root fail the check as well.

The root user can change the password of any user on the server with a password that is not complex, even though we made the entries in the ‘system-auth’ file.

In the case below, the root user changes the password of the user ‘veena’. Note that the system says ‘password is too simple’, but the password is changed successfully anyway.

Root user changing the password of user veena.

Ultimately, root is root. 🙂 🙂

What Linux Admin should know : Password Management