How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?
Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running on your servers. If PAM is not installed on a server, HSS will prompt you to install it on the Password Complexity Policy Detection tab of the Risk Management > Baseline Checks page.
For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.
A PAM is installed and running by default in CentOS, Fedora, and EulerOS.
Setting a Password Complexity Policy
A proper password complexity policy would be: the password must contain at least eight characters and must contain uppercase letters, lowercase letters, numbers, and special characters.
- CentOS, Fedora, and EulerOS
- Run the following command to edit the /etc/pam.d/system-auth file:
vi /etc/pam.d/system-auth
- Find the following information in the file:
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=
Set dcredit, ucredit, lcredit, and ocredit to negative numbers.
Table 1 Parameter description

| Parameter | Description | Example |
|---|---|---|
| minlen | Minimum length of a password. For example, if you want the minimum length to be eight, set minlen to 8. | minlen=8 |
| dcredit | Number of digits. A negative value (-N) means that at least N digits are required in a password. A positive value means there is no limit. | dcredit=-1 |
| ucredit | Number of uppercase letters. A negative value (-N) means that at least N uppercase letters are required in a password. A positive value means there is no limit. | ucredit=-1 |
| lcredit | Number of lowercase letters. A negative value (-N) means that at least N lowercase letters are required in a password. A positive value means there is no limit. | lcredit=-1 |
| ocredit | Number of special characters. A negative value (-N) means that at least N special characters are required in a password. A positive value means there is no limit. | ocredit=-1 |
- Debian and Ubuntu
- Run the following command to edit the /etc/pam.d/common-password file:
vi /etc/pam.d/common-password
- Find the following information in the file:
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
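To verify that the edited pam_cracklib.so line in /etc/pam.d/system-auth or /etc/pam.d/common-password actually carries the policy described above (minlen of at least 8 and all four credit parameters negative), the following added example, which is not part of this page or of HSS, parses such a line, reports which parameters fall short, and applies the page's reading of the parameters to a candidate password. The two sample lines are constructed, and the password check implements the simplified semantics given in Table 1 (minlen as a plain minimum length, a negative credit as a required count, anything else as no requirement).

```python
import string

# Constructed sample lines, as they might appear in /etc/pam.d/system-auth
# before and after the edit described in the text.
WEAK_LINE = "password requisite pam_cracklib.so try_first_pass retry=3 type="
HARDENED_LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 "
                 "minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=")

CREDIT_KEYS = ("dcredit", "ucredit", "lcredit", "ocredit")


def parse_cracklib_line(line):
    """Return the options of a pam_cracklib.so line as a dict.
    Flags without '=' (e.g. try_first_pass) map to True; an empty
    value such as 'type=' maps to ''."""
    fields = line.split()
    if len(fields) < 3 or fields[2] != "pam_cracklib.so":
        raise ValueError("not a pam_cracklib.so line")
    opts = {}
    for tok in fields[3:]:
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return opts


def policy_gaps(opts, min_length=8):
    """List the parameters that do not meet the policy in the text:
    minlen >= 8 and every credit parameter negative (a required count)."""
    gaps = []
    minlen = str(opts.get("minlen", ""))
    if not minlen.lstrip("-").isdigit() or int(minlen) < min_length:
        gaps.append("minlen")
    for key in CREDIT_KEYS:
        val = str(opts.get(key, ""))
        if not (val.lstrip("-").isdigit() and int(val) < 0):
            gaps.append(key)
    return gaps


def password_meets(opts, password):
    """Simplified check per Table 1: minlen is the minimum length, a
    negative credit is the minimum count of that character class, and
    any other value imposes no requirement for that class."""
    classes = {"dcredit": str.isdigit, "ucredit": str.isupper,
               "lcredit": str.islower,
               "ocredit": lambda c: c in string.punctuation}
    if len(password) < int(opts.get("minlen", "0") or 0):
        return False
    for key, pred in classes.items():
        val = int(opts.get(key, "0") or 0)
        if val < 0 and sum(1 for c in password if pred(c)) < -val:
            return False
    return True
```

Running policy_gaps over each pam_cracklib.so line found in the real file gives a quick self-check before HSS runs its baseline scan.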