Setting Password Policy With PAM
Digg
DZone
Reddit
Slashdot
StumbleUpon
del.icio.us
Facebook
FriendFeed
Furl
 |
The PAM module pam_cracklib can enforce both length and complexity. For length, it uses the minlen option. For complexity, it has options dcredit, ucredit, lcredit, and ocredit, which refer to digit, upper-case character, lower-case character, and other character, respectively. A value of -1 for one of these means "require one character of this type," and a value of 1 means "give 1 credit for this type." The credit system involves giving "length credits" for using non-lowercase characters (so you can have a shorter password than the minimum length if it uses non-lowercase characters), but this can be confusing for users, so it may be best to just require certain types of character.
Try the following line in /etc/pam.d/common-password in Debian-type distros or /etc/pam.d/system-auth in RedHat-type distros:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 |
|
Recent Tips » Cracking Passwords » Aliases and Variables Keep Things Short and Simple » rsnapshot Read All Tips of the Trade |
Finally, to make all your users change their passwords regularly, edit the /etc/login.defs file to set the PASS_MAX_DAYS variable to the maximum time allowed before changing a password. This affects only new accounts; use the command chage to affect existing users.
Read more on "Tips of the Trade" »
Solid state disks (SSDs) made a splash in consumer technology, and now the technology has its eyes on the enterprise storage market. Download this eBook to see what SSDs can do for your infrastructure and review the pros and cons of this potentially game-changing storage technology.
