Password expiration:
- Debian/Ubuntu/Red Hat
edit /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
Password History:
- Debian/Ubuntu/Red Hat
Create the password history file and secure it:
sudo touch /etc/security/opasswd
sudo chown root:root /etc/security/opasswd
sudo chmod 600 /etc/security/opasswd
- Debian/Ubuntu
edit /etc/pam.d/common-password
comment out
password requisite pam_unix.so nullok obscure md5
and uncomment
password required pam_unix.so use_authtok nullok md5 remember=3
change the “remember” value to suit your needs
- Red Hat
edit /etc/pam.d/system-auth
comment out
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
and add a new line:
password sufficient pam_unix.so use_authtok md5 shadow remember=3
change the “remember” value to suit your needs
Password complexity requirements:
- Debian/Ubuntu
edit /etc/pam.d/common-password
uncomment
password required pam_cracklib.so retry=3 minlen=12 difok=3 lcredit=0 ucredit=1 dcredit=1 ocredit=2
- Red Hat
edit /etc/pam.d/system-auth
comment out
password requisite pam_cracklib.so try_first_pass retry=3
and add a new line
password requisite pam_cracklib.so retry=3 minlen=12 difok=3 lcredit=0 ucredit=1 dcredit=1 ocredit=2
–
These settings will only affect users created after the changes are made. To change existing users, use the usermod, chage and passwd commands.
“minlen” is the minimum length (takes precedence over login.defs)
“difok” is the minimum number of characters that must be different from the last password
“*credit” (lcredit, ucredit, dcredit, ocredit) are credit points per character set
A longer and more detailed explanation is at: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
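How “minlen” and the “*credit” values interact, as an added example that is not part of the original note: a Python model of pam_cracklib's length/credit rule only (the dictionary check, difok and the other checks are not modelled), run on constructed sample passwords. The STRICT settings with negative credits are an assumption added for comparison, not values from this page.

```python
import string

# Settings from the pam_cracklib line on this page.
PAGE = dict(minlen=12, lcredit=0, ucredit=1, dcredit=1, ocredit=2)
# Assumed stricter variant for comparison (not from the page): a negative
# credit means "require at least N of this class" and grants no length credit.
STRICT = dict(minlen=12, lcredit=0, ucredit=-1, dcredit=-1, ocredit=-1)

def class_counts(password):
    """Count characters per class: digit, upper, lower, everything else."""
    counts = dict(lcredit=0, ucredit=0, dcredit=0, ocredit=0)
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def passes_length_rule(password, cfg):
    """True if the password satisfies the minlen/credit rule under cfg."""
    required = cfg["minlen"]
    for cls, count in class_counts(password).items():
        credit = cfg[cls]
        if credit >= 0:
            required -= min(count, credit)  # each char earns 1, capped at credit
        elif count < -credit:
            return False                    # a mandatory class is missing
    return len(password) >= required

def shortest_accepted(cfg):
    """Shortest password length that can pass the rule under cfg."""
    credits = [v for k, v in cfg.items() if k != "minlen"]
    earnable = sum(v for v in credits if v > 0)
    mandatory = sum(-v for v in credits if v < 0)
    # k = number of characters spent earning credits
    return min(max(cfg["minlen"] - k, mandatory + k) for k in range(earnable + 1))

if __name__ == "__main__":
    for name, cfg in (("page", PAGE), ("strict", STRICT)):
        print(name, "shortest accepted length:", shortest_accepted(cfg))
        for pw in ("Abcde1!?", "abcdefghijkl", "Abcdefghij1!"):  # constructed samples
            print("  ", pw, passes_length_rule(pw, cfg))
```

With the page's settings, minlen=12 admits an 8-character password that uses one uppercase letter, one digit and two symbols; with negative credits the full 12 characters are required.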