标签归档:强密码策略

Enforce Password Complexity Policy On CentOS 7/RHEL Derivatives

In this guide, we are going to learn how to enforce password complexity policy on CentOS 7/RHEL based derivatives. Our previous guide covered the enforcement of password complexity on Ubuntu 18.04. You can check the same by following the link below;

Enforce Password Complexity Policy On CentOS 7

Similar to our previous guide, we are going to use PAM pwquality modules to enforce password complexity policy on CentOS 7/RHEL based derivatives.

In Ubuntu or Debian based derivatives, we modified the, /etc/pam.d/common-password configuration file. For CentOS 7 or similar derivatives, the /etc/security/pwquality.conf or /etc/pam.d/system-auth configuration file is used.

As our normalcy, make a backup of the configuration file before making changes just in case things go south.

cp /etc/security/pwquality.conf /etc/security/pwquality.conf.original
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.original

Open the configuration file for editing.

vim /etc/pam.d/system-auth

Locate the line containing the pam_pwquality.so modules;

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

Comment the line and replace by the line below;

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

Where:

  • minlen=8– sets the minimum password length to 8 characters.
  • lcredit=-1 -Sets the minimum number of lower case letters that the password should contain to at least one
  • ucredit=-1-Sets the minimum number of upper case letters on a password to at least one.
  • dcredit=-1 – Sets the minimum number of digits to be contained in a password to at least one
  • ocredit=-1 – Set the minimum number of other symbols such as @, #, ! $ % etc on a password to at least one
  • enforce_for_root – Ensures that even if it is the root user that is setting the password, the complexity policies should be enforced.

You can also achieve the same by using the authconfig command line utility as shown below;

authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --passmaxrepeat=3 --update

The above command basically ensures that password should have at least (in the respective order);

  • one lower case letter
  • one upper case letter
  • one digit
  • an alphanumeric character.
  • 8 characters in length
  • no more than 3 characters similar to the previous password.

The changes will updated on /etc/security/pwquality.conf.

tail /etc/security/pwquality.conf
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
minlen = 8
minclass = 1
maxrepeat = 3
maxclassrepeat = 0
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1

Note that root or any user with sudo rights can always set any password irrespective of the enforced policies. However, to ensure that the password complexity policies applies to both root and user with sudo, you must append the enforce_for_root option to the line below on /etc/pam.d/system-auth.

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root

Testing Password Enforcement Policy

As a root user, try to change the password of a user with a password that doesn’t meet the set credentials.

[root@Cent7 ~]# passwd amos
Changing password for user amos.
New password: @moskifaru1
BAD PASSWORD: The password contains less than 1 uppercase letters
New password: @mosKifaru
BAD PASSWORD: The password contains less than 1 digits
New password: mosKifaru1
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service

Test using a more complex password; @mosKifaru1

[root@Cent7 ~]# passwd amos
Changing password for user amos.
New password: @mosKifaru1
Retype new password: @mosKifaru1
passwd: all authentication tokens updated successfully.

That is all about how to enforce password complexity policy on CentOS 7. Enjoy.