Linux Password Security with pam_cracklib
Standard Unix reusable passwords are not really a good authentication system. In an effort to address this shortcoming, the PAM module pam_cracklib was developed for Linux systems.
Enabling pam_cracklib
The pam_cracklib module is enabled via the system's standard PAM configuration interface. On Debian systems this is the /etc/pam.d/common-password file (on RedHat-derived systems it is /etc/pam.d/system-auth).
The typical configuration looks something like this:
For Debian:
password required pam_unix.so md5 remember=12 use_authtok
For RedHat:
To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the pam_cracklib arguments on the password requisite line (retry, minlen and the four credit settings):
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
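The credit arguments are the part of that line people most often get wrong: a positive credit lets up to that many characters of a class each count one extra toward minlen, while a negative credit (as above) makes that many characters of the class mandatory and gives no bonus. The following is an added example, not code from the page or from pam_cracklib itself; it re-implements only the length and credit rule (not the dictionary, palindrome or similarity checks) so the effect of the settings above can be compared with pam_cracklib's defaults.

```python
import string
from dataclasses import dataclass


@dataclass
class CracklibOptions:
    """Length-related pam_cracklib arguments, named as on the PAM line."""
    minlen: int = 9    # pam_cracklib default
    dcredit: int = 1   # digits; defaults give one credit per class
    ucredit: int = 1   # upper-case letters
    lcredit: int = 1   # lower-case letters
    ocredit: int = 1   # everything else (punctuation, space, ...)


def passes_length_rules(password: str, opt: CracklibOptions) -> bool:
    """Return True if `password` satisfies minlen after applying credits.

    Mirrors the logic of pam_cracklib's length check: each class count is
    either capped and added to the length (credit >= 0) or enforced as a
    minimum (credit < 0).
    """
    counts = {
        "dcredit": sum(c in string.digits for c in password),
        "ucredit": sum(c in string.ascii_uppercase for c in password),
        "lcredit": sum(c in string.ascii_lowercase for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())

    size = len(password)
    for name, n in counts.items():
        credit = getattr(opt, name)
        if credit >= 0:
            size += min(n, credit)       # bonus, at most `credit` per class
        elif n < -credit:
            return False                 # mandatory class is missing
    return size >= opt.minlen


# The line shown on this page: 8 characters with one of each class required.
PAGE_OPTS = CracklibOptions(minlen=8, lcredit=-1, ucredit=-1,
                            dcredit=-1, ocredit=-1)
DEFAULT_OPTS = CracklibOptions()


if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", "abcdefgh", "Ab1!x"):
        print(f"{pw!r:12} page={passes_length_rules(pw, PAGE_OPTS)!s:5} "
              f"default={passes_length_rules(pw, DEFAULT_OPTS)}")
```

With the defaults, an all-lower-case "abcdefgh" passes (8 characters plus one credit reaches minlen=9), whereas the page's settings reject it for lacking the mandatory classes.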