In this guide, we are going to learn how to enforce password complexity policy on CentOS 7/RHEL based derivatives. Our previous guide covered the enforcement of password complexity on Ubuntu 18.04. You can check the same by following the link below;
Enforce Password Complexity Policy On CentOS 7
Similar to our previous guide, we are going to use PAM
pwquality modules to enforce password complexity policy on CentOS 7/RHEL based derivatives.
In Ubuntu or Debian based derivatives, we modified the,
/etc/pam.d/common-password configuration file. For CentOS 7 or similar derivatives, the
/etc/pam.d/system-auth configuration file is used.
As our normalcy, make a backup of the configuration file before making changes just in case things go south.
cp /etc/security/pwquality.conf /etc/security/pwquality.conf.original
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.original
Open the configuration file for editing.
Locate the line containing the
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
Comment the line and replace by the line below;
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
minlen=8– sets the minimum password length to 8 characters.
lcredit=-1-Sets the minimum number of lower case letters that the password should contain to at least one
ucredit=-1-Sets the minimum number of upper case letters on a password to at least one.
dcredit=-1– Sets the minimum number of digits to be contained in a password to at least one
ocredit=-1– Set the minimum number of other symbols such as @, #, ! $ % etc on a password to at least one
enforce_for_root– Ensures that even if it is the root user that is setting the password, the complexity policies should be enforced.
You can also achieve the same by using the
authconfig command line utility as shown below;
authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --passmaxrepeat=3 --update
The above command basically ensures that password should have at least (in the respective order);
- one lower case letter
- one upper case letter
- one digit
- an alphanumeric character.
- 8 characters in length
- no more than 3 characters similar to the previous password.
The changes will updated on
tail /etc/security/pwquality.conf # Path to the cracklib dictionaries. Default is to use the cracklib default. # dictpath = minlen = 8 minclass = 1 maxrepeat = 3 maxclassrepeat = 0 lcredit = -1 ucredit = -1 dcredit = -1 ocredit = -1
Note that root or any user with sudo rights can always set any password irrespective of the enforced policies. However, to ensure that the password complexity policies applies to both root and user with sudo, you must append the
enforce_for_root option to the line below on
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root
Testing Password Enforcement Policy
As a root user, try to change the password of a user with a password that doesn’t meet the set credentials.
[root@Cent7 ~]# passwd amos Changing password for user amos. New password: @moskifaru1 BAD PASSWORD: The password contains less than 1 uppercase letters New password: @mosKifaru BAD PASSWORD: The password contains less than 1 digits New password: mosKifaru1 BAD PASSWORD: The password contains less than 1 non-alphanumeric characters passwd: Have exhausted maximum number of retries for service
Test using a more complex password; @mosKifaru1
[root@Cent7 ~]# passwd amos Changing password for user amos. New password: @mosKifaru1 Retype new password: @mosKifaru1 passwd: all authentication tokens updated successfully.
That is all about how to enforce password complexity policy on CentOS 7. Enjoy.