Password policy
Setting up basic password aging
Edit login definitions: First, we need to edit the login.defs file:
nano /etc/login.defs
Modify password parameters: Locate and change the following parameters:
Change:
PASS_MAX_DAYS 99999 → PASS_MAX_DAYS 30
Change:
PASS_MIN_DAYS 0 → PASS_MIN_DAYS 2

PASS_MAX_DAYS: Maximum number of days before a password expires.
PASS_MIN_DAYS: Minimum number of days that must pass before a password can be changed again.
PASS_WARN_AGE: Number of days before password expiration at which a warning is shown.
Installing password quality enforcement
Install password quality library: To enforce password quality rules, install the following package:
Type Y when prompted to confirm and wait for the installation to complete.

Configuring password complexity rules
Edit PAM configuration: Next, we need to edit the PAM (Pluggable Authentication Modules) configuration file:

After retry=3 we must add the following options:
This is how the line must look:

This is how the file must look:

minlen=10 → The minimum number of characters a password must contain.
ucredit=-1 → The password must contain at least one capital letter. We must write it with a - sign, as this is how the module knows that the value is a minimum; with a + sign it would be treated as a maximum.
dcredit=-1 → The password must contain at least one digit.
lcredit=-1 → The password must contain at least one lowercase letter.
maxrepeat=3 → The password cannot have the same character repeated three consecutive times.
reject_username → The password cannot contain the username.
difok=7 → The password must contain at least seven characters that differ from the last password used.
enforce_for_root → This password policy is also enforced for root.
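
One way to verify the result of the steps above, as an added example that is not part of the original page: the script reads a login.defs-style file and a PAM file and reports every setting that deviates from the values listed here. It assumes the module line is pam_pwquality.so (the module these option names belong to); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the settings from this page. Function names and the
# sample files are constructed for illustration.

# Value of KEY from its last uncommented occurrence in a login.defs-style file.
login_defs_value() {  # usage: login_defs_value KEY FILE
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }' "$2"
}

# Options of the first uncommented pam_pwquality.so line, single-space separated.
pwquality_options() {  # usage: pwquality_options PAM_FILE
    awk '$1 !~ /^#/ && /pam_pwquality\.so/ {
             sub(/.*pam_pwquality\.so[ \t]*/, ""); gsub(/[ \t]+/, " "); print; exit
         }' "$1"
}

# Print one line per deviation from the page's values; return the deviation count.
audit_password_policy() {  # usage: audit_password_policy LOGIN_DEFS PAM_FILE
    fails=0
    for want in PASS_MAX_DAYS=30 PASS_MIN_DAYS=2; do
        key=${want%%=*}; got=$(login_defs_value "$key" "$1")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key: want ${want#*=}, got '${got:-unset}'"
            fails=$((fails + 1))
        fi
    done
    opts=" $(pwquality_options "$2") "
    for want in minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 \
                reject_username difok=7 enforce_for_root; do
        case "$opts" in
            *" $want "*) ;;
            *) echo "FAIL pam_pwquality: missing $want"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample: the default PASS_MAX_DAYS is still active, difok is absent.
sample=$(mktemp -d)
printf '#PASS_MAX_DAYS 30\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS 2\n' > "$sample/login.defs"
printf 'password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username enforce_for_root\n' > "$sample/pam-password"
audit_password_policy "$sample/login.defs" "$sample/pam-password" || echo "$? deviation(s)"
rm -rf "$sample"
```

The aging values in login.defs are applied when an account is created; existing accounts keep their current settings until changed with chage, and chage -l <user> shows what is in effect for a given account.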