Setting Password Policy With PAM
The PAM module pam_cracklib can enforce both length and complexity. For length, it uses the minlen option. For complexity, it has options dcredit, ucredit, lcredit, and ocredit, which refer to digit, upper-case character, lower-case character, and other character, respectively. A value of -1 for one of these means "require one character of this type," and a value of 1 means "give 1 credit for this type." The credit system involves giving "length credits" for using non-lowercase characters (so you can have a shorter password than the minimum length if it uses non-lowercase characters), but this can be confusing for users, so it may be best to just require certain types of character.
Try the following line in /etc/pam.d/common-password in Debian-type distros or /etc/pam.d/system-auth in RedHat-type distros:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1
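To make the credit arithmetic concrete, here is an added Python example (not from the original article and not pam_cracklib's own code) that models only the minlen and credit rules described above. It ignores the dictionary, difok and retry handling. Assumptions: the function names are hypothetical, an option left off the line is treated as 0 in this model (the module's real defaults may differ, see its man page), and the second config line and the sample passwords are constructed.

```python
import string

CLASSES = {  # option name -> characters counted for that option
    "dcredit": string.digits,
    "ucredit": string.ascii_uppercase,
    "lcredit": string.ascii_lowercase,
}

def parse_options(pam_line):
    """Extract minlen and the *credit options from a pam_cracklib config line."""
    opts = {}
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and (key == "minlen" or key.endswith("credit")):
            opts[key] = int(value)
    return opts

def check_length_policy(password, opts):
    """Return (accepted, reason) under the simplified length/credit model."""
    counts = {name: sum(c in chars for c in password) for name, chars in CLASSES.items()}
    counts["ocredit"] = len(password) - sum(counts.values())  # everything else
    required = opts["minlen"]
    for name, count in counts.items():
        credit = opts.get(name, 0)  # assumption: an unset option counts as 0 here
        if credit < 0:
            # Negative value: at least -credit characters of this class are mandatory.
            if count < -credit:
                return False, f"{name}={credit}: needs {-credit}, found {count}"
        else:
            # Positive value: each class earns at most `credit` off the required length.
            required -= min(count, credit)
    if len(password) < required:
        return False, f"too short: length {len(password)}, need {required}"
    return True, "ok"

# The line from the article, and a constructed variant using positive credits.
STRICT = parse_options("password requisite pam_cracklib.so retry=3 minlen=10 "
                       "difok=3 dcredit=-1 ucredit=-1 lcredit=-1")
CREDITS = parse_options("password requisite pam_cracklib.so minlen=10 "
                        "dcredit=1 ucredit=1 lcredit=1 ocredit=1")

if __name__ == "__main__":
    for pw in ("Ab1defg", "alllowercase", "Ab1defghij"):  # constructed samples
        print(pw, "strict:", check_length_policy(pw, STRICT),
              "credits:", check_length_policy(pw, CREDITS))
```

With positive credits, the 7-character sample is accepted even though minlen=10, and a 12-character all-lowercase password also passes; the article's line rejects both.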
Finally, to make all your users change their passwords regularly, edit the /etc/login.defs file to set the PASS_MAX_DAYS variable to the maximum time allowed before changing a password. This affects only new accounts; use the command chage to affect existing users.