
How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?

Updated on 2024-09-25 GMT+08:00

Installing a PAM

HSS checks your password complexity policy by reading the password-quality module line (pam_pwquality or pam_cracklib) in the server's pluggable authentication module (PAM) configuration. If that module is not installed on a server, the check cannot run, and HSS prompts you to install it on the Password Complexity Policy Detection tab of the Risk Management > Baseline Checks page.

For Debian or Ubuntu, run the apt-get install libpam-cracklib command as root (or with sudo) to install the pam_cracklib module. On newer Debian and Ubuntu releases where the libpam-cracklib package is no longer available, install libpam-pwquality instead; its pam_pwquality.so module accepts the same minlen, dcredit, ucredit, lcredit and ocredit parameters used below and is registered in /etc/pam.d/common-password automatically by pam-auth-update.

NOTE:

The password-quality module (pam_pwquality, or pam_cracklib on older releases) is installed and configured by default in CentOS, Fedora, and EulerOS.

Setting a Password Complexity Policy

A proper password complexity policy is: a password must be at least eight characters long and must contain at least one uppercase letter, one lowercase letter, one digit, and one special character.

NOTE:

The preceding configurations are basic security requirements. For more security configurations, run the following commands to obtain help information in Linux OSs:

  • For CentOS, Fedora, and EulerOS based on Red Hat Enterprise Linux 7 or later (which use pam_pwquality), run:

    man pam_pwquality

  • For other Linux OSs (which use pam_cracklib), run:

    man pam_cracklib

  • CentOS, Fedora, and EulerOS
    1. Run the following command to edit the /etc/pam.d/system-auth file:

      vi /etc/pam.d/system-auth

    2. Find the following line in the file:
      • For CentOS, Fedora, and EulerOS based on Red Hat Enterprise Linux 7 or later:

        password requisite pam_pwquality.so try_first_pass retry=3 type=

      • For other CentOS, Fedora, and EulerOS systems:

        password requisite pam_cracklib.so try_first_pass retry=3 type=

    3. Add the following parameters and their values to that line: minlen, dcredit, ucredit, lcredit, and ocredit. If the line already contains these parameters, change their values. For details, see Table 1.

      Example:

      password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=

      NOTE:

      Set dcredit, ucredit, lcredit, and ocredit to negative numbers; a negative value is a minimum count, while 0 or a positive value imposes no minimum for that character class. The same password line usually also exists in /etc/pam.d/password-auth (used by sshd and other network services); apply the same change there. On releases where authselect manages these files (RHEL 8 and later and their derivatives), direct edits can be overwritten; set minlen, dcredit, ucredit, lcredit and ocredit in /etc/security/pwquality.conf instead. By default neither module rejects a weak password chosen by root; add enforce_for_root to the line if the policy must also apply to root.

      Table 1 Parameter description

      Parameter   Description                                                                 Example
      minlen      Minimum password length in characters. To require at least eight            minlen=8
                  characters, set minlen=8.
      dcredit     Digits. A negative value -N requires at least N digits. 0 or a positive     dcredit=-1
                  value sets no minimum (a positive value N only lets up to N digits count
                  as extra credit toward minlen).
      ucredit     Uppercase letters. A negative value -N requires at least N uppercase         ucredit=-1
                  letters. 0 or a positive value sets no minimum (a positive value N only
                  lets up to N uppercase letters count as extra credit toward minlen).
      lcredit     Lowercase letters. A negative value -N requires at least N lowercase         lcredit=-1
                  letters. 0 or a positive value sets no minimum (a positive value N only
                  lets up to N lowercase letters count as extra credit toward minlen).
      ocredit     Special characters. A negative value -N requires at least N special          ocredit=-1
                  characters. 0 or a positive value sets no minimum (a positive value N
                  only lets up to N special characters count as extra credit toward
                  minlen).

  • Debian and Ubuntu
    1. Run the following command to edit the /etc/pam.d/common-password file:

      vi /etc/pam.d/common-password

    2. Find the following line in the file (this is the default line written by the libpam-cracklib package):

      password requisite pam_cracklib.so retry=3 minlen=8 difok=3

    3. Add the following parameters and their values to that line: minlen, dcredit, ucredit, lcredit, and ocredit. If the line already contains these parameters, change their values. For details, see Table 1.

      Example:

      password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3

      NOTE:

      The managed section of /etc/pam.d/common-password is regenerated by pam-auth-update (for example when PAM-related packages are upgraded), which can discard a direct edit. To make the change persistent, edit the Password line in /usr/share/pam-configs/cracklib (or /usr/share/pam-configs/pwquality when libpam-pwquality is used) and then run pam-auth-update.
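The following script is an added example, not part of this page or of HSS, that performs the same kind of check HSS describes above: it reads a PAM file such as /etc/pam.d/system-auth or /etc/pam.d/common-password, finds the pam_pwquality or pam_cracklib password line, and reports whether it enforces the policy from both procedures (minlen of at least 8 and a negative dcredit, ucredit, lcredit and ocredit). The function names are this example's own; run it as `sh check_pam_policy.sh /etc/pam.d/common-password` to audit a server before or after editing.

```shell
#!/bin/sh
# Added example: audit the password-quality line in a PAM configuration file
# against the policy on this page. Works for pam_pwquality and pam_cracklib.
# Usage: sh check_pam_policy.sh /etc/pam.d/system-auth

# Print the value of parameter $2 (key=value) on PAM line $1, or nothing.
pam_param() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Report "compliant", or the settings that are missing or too weak, for the
# first pam_pwquality/pam_cracklib password line in file $1.
# Returns 0 only when the line meets the policy.
check_pam_policy() {
    file="$1"
    # Match "password <control> pam_pwquality.so|pam_cracklib.so ..."; the
    # control field may be a keyword or a bracketed [ ... ] action list.
    line=$(grep -E '^[[:space:]]*password[[:space:]]+([a-z]+|\[[^]]*\])[[:space:]]+pam_(pwquality|cracklib)\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "no pam_pwquality/pam_cracklib password line (module not installed?)"
        return 1
    fi

    missing=""

    # minlen must be present, numeric, and at least 8.
    minlen=$(pam_param "$line" minlen)
    case "$minlen" in
        ''|*[!0-9]*) missing="$missing minlen" ;;
        *) [ "$minlen" -ge 8 ] || missing="$missing minlen" ;;
    esac

    # Each credit must be negative: -N means "at least N characters of this
    # class". Unset, 0 or a positive value does not require the class at all.
    for key in dcredit ucredit lcredit ocredit; do
        val=$(pam_param "$line" "$key")
        case "$val" in
            -[1-9]*) ;;
            *) missing="$missing $key" ;;
        esac
    done

    if [ -z "$missing" ]; then
        echo "compliant"
        return 0
    fi
    echo "non-compliant:$missing"
    return 1
}

# When run directly with a file argument, audit that file.
if [ "$#" -gt 0 ]; then
    check_pam_policy "$1"
fi
```

A non-zero exit status means the file either lacks the module line (install the PAM as described under Installing a PAM) or lacks one of the required parameters, which the output names so you can add it on the line. The script only inspects the PAM line; on systems where pwquality.conf is used instead, check that file as well.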
