Updated on 2022-10-31 GMT+08:00

How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?

Installing a PAM

Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.

For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.

A PAM is installed and running by default in CentOS, Fedora, and EulerOS.

Setting a Password Complexity Policy

A proper password complexity policy requires a minimum password length of eight characters and the use of at least three of the following four character types: uppercase letters, lowercase letters, digits, and special characters.

The preceding configurations are basic security requirements. For more security configurations, run the following commands to obtain help information in Linux OSs:

  • For CentOS, Fedora, and EulerOS based on Red Hat 7.0, run:

    man pam_pwquality

  • For other Linux OSs, run:

    man pam_cracklib

  • CentOS, Fedora, and EulerOS
    1. Run the following command to edit the /etc/pam.d/system-auth file:

      vi /etc/pam.d/system-auth

    2. Find the following information in the file:
      • For CentOS, Fedora, and EulerOS based on Red Hat 7.0:

        password requisite pam_pwquality.so try_first_pass retry=3 type=

      • For other CentOS, Fedora, and EulerOS systems:

        password requisite pam_cracklib.so try_first_pass retry=3 type=

    3. Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.

      Example:

      password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=

      At least three of dcredit, ucredit, lcredit, and ocredit must be set to negative numbers.

      Table 1 Parameter description

      Parameter: minlen
      Description: Minimum length of a password. A PAM uses credits by default, so the minlen value must be one greater than the minimum length you want to enforce. For example, if you want the minimum length to be eight, set minlen to 9.
      Example: minlen=9

      Parameter: dcredit
      Description: Number of digits. A negative value -N means that at least N digits are required in a password. A positive value means that there is no limit.
      Example: dcredit=-1

      Parameter: ucredit
      Description: Number of uppercase letters. A negative value -N means that at least N uppercase letters are required in a password. A positive value means that there is no limit.
      Example: ucredit=-1

      Parameter: lcredit
      Description: Number of lowercase letters. A negative value -N means that at least N lowercase letters are required in a password. A positive value means that there is no limit.
      Example: lcredit=-1

      Parameter: ocredit
      Description: Number of special characters. A negative value -N means that at least N special characters are required in a password. A positive value means that there is no limit.
      Example: ocredit=-1

  • Debian and Ubuntu
    1. Run the following command to edit the /etc/pam.d/common-password file:

      vi /etc/pam.d/common-password

    2. Find the following information in the file:

      password requisite pam_cracklib.so retry=3 minlen=8 difok=3

    3. Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.

      Example:

      password requisite pam_cracklib.so retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
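The following script is an added example (not part of the Host Security Service documentation) that audits a PAM password-stack line against the policy described above: minlen of at least 9 (an effective minimum of eight characters, because credits are counted by default) and at least three of dcredit, ucredit, lcredit and ocredit set to negative values. The sample lines are constructed from the snippets on this page; the function names are the example's own.

```python
"""Audit a pam_cracklib.so / pam_pwquality.so line for the complexity policy above."""
import re

CREDITS = ("dcredit", "ucredit", "lcredit", "ocredit")
# Matches "password <control> pam_cracklib.so|pam_pwquality.so <options>".
# The control field may be a single word or a bracketed list like [success=1 default=ignore].
MODULE_RE = re.compile(
    r"^\s*password\s+(?:\[[^\]]*\]|\S+)\s+(pam_cracklib|pam_pwquality)\.so\b(.*)$"
)

# Constructed sample lines, taken from the snippets shown on this page.
WEAK_DEBIAN = "password requisite pam_cracklib.so retry=3 minlen=8 difok=3"
HARDENED_DEBIAN = ("password requisite pam_cracklib.so retry=3 minlen=9 "
                   "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3")
HARDENED_RHEL7 = ("password requisite pam_pwquality.so try_first_pass retry=3 "
                  "minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 type=")


def parse_pam_line(line):
    """Return (module, options) for a password-quality line, or None otherwise."""
    m = MODULE_RE.match(line)
    if not m:
        return None
    opts = {}
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else None  # bare flags such as try_first_pass have no value
    return m.group(1), opts


def _int(opts, key):
    """Integer value of an option, or None if it is absent, empty or not numeric."""
    try:
        return int(opts.get(key) or "")
    except ValueError:
        return None


def check_policy(line, required_minlen=9, required_classes=3):
    """Return a list of findings; an empty list means the line meets the policy."""
    parsed = parse_pam_line(line)
    if parsed is None:
        return ["no pam_cracklib/pam_pwquality password line found"]
    _module, opts = parsed
    findings = []
    minlen = _int(opts, "minlen")
    if minlen is None or minlen < required_minlen:
        findings.append(f"minlen={minlen} but {required_minlen} is needed for an "
                        f"effective minimum of {required_minlen - 1} characters")
    negative = [c for c in CREDITS if (_int(opts, c) or 0) < 0]
    if len(negative) < required_classes:
        missing = [c for c in CREDITS if c not in negative]
        findings.append(f"only {len(negative)} credit(s) are negative; "
                        f"unset or non-negative: {', '.join(missing)}")
    return findings
```

To audit a live system, read /etc/pam.d/system-auth or /etc/pam.d/common-password and pass each line to check_policy, treating the first line that parse_pam_line accepts as the effective policy.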
