How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?
Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.
For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.
A PAM is installed and running by default in CentOS, Fedora, and EulerOS.
Setting a Password Complexity Policy
A proper password complexity policy would be: the password must contain at least eight characters and must contain uppercase letters, lowercase letters, numbers, and special characters.
- CentOS, Fedora, and EulerOS
- Run the following command to edit the /etc/pam.d/system-auth file:
vi /etc/pam.d/system-auth
- Find the following information in the file:
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=
Set dcredit, ucredit, lcredit, and ocredit to negative numbers.
Table 1 Parameter description Parameter
Description
Example
minlen
Minimum length of a password.
For example, if you want the minimum length to be eight, set the minlen value to 8.
minlen=8
dcredit
Number of digits
A negative value (for example, -N) indicates the number (for example, N) of digits required in a password. A positive value indicates that there is no limit.
dcredit=-1
ucredit
Number of uppercase letters
A negative value (for example, -N) indicates the number (for example, N) of uppercase letters required in a password. A positive value indicates that there is no limit.
ucredit=-1
lcredit
Number of lowercase letters
A negative value (for example, -N) indicates the number (for example, N) of lowercase letters required in a password. A positive value indicates that there is no limit.
lcredit=-1
ocredit
Number of special characters
A negative value (for example, -N) indicates the number (for example, N) of special characters required in a password. A positive value indicates that there is no limit.
ocredit=-1
- Run the following command to edit the /etc/pam.d/system-auth file:
- Debian and Ubuntu
- Run the following command to edit the /etc/pam.d/common-password file:
vi /etc/pam.d/common-password
- Find the following information in the file:
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
- Run the following command to edit the /etc/pam.d/common-password file:
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot