Welcome To Charanjit Cheema Blog


How to Set password policy in CentOS or RHEL system

Posted on May 27, 2019 by Charanjit Cheema

Linux is known as one of the most secure Unix operating systems (OS) in the world. But that does not mean it is 100% secure; there is a saying in Information Technology (IT) that no technology is completely secure. That is why everyone from the System Administrator to the CIO takes measures to secure IT infrastructure on a regular basis by applying Personal Security, Hardware Security and Software Security.

In this tutorial we won't discuss those topics, as they are beyond its scope. So let's come to the topic of Linux operating system security. A weak password policy is one of the main flaws of a Linux based system, because a weak password can easily be cracked and cause a security breach. An attacker who cracks a weak password could exploit your Linux based systems, which could be hosting your company's critical database or e-commerce web service.

In this tutorial I will describe how to set a password policy (password length, password complexity, password expiration period, denying previously used passwords, etc.) for CentOS / RHEL based systems.

Note: For this tutorial I am using CentOS 6 and CentOS 7 virtual machines on KVM. The password policy configuration done on the CentOS 6 and CentOS 7 machines is the same for RHEL 6 and RHEL 7 as well. I also suggest taking a backup of the configuration files before editing them or executing any password policy configuration commands.

Password Policy Configuration in CentOS and RHEL machines

As mentioned above, the password policy configuration in this tutorial covers the topics below:

1. Password Length
2. Password Complexity
3. Password expiration
4. Deny past used passwords.

1. Password length configuration

CentOS 6 / RHEL 6

In CentOS 6 or RHEL 6, as root or with sudo privileges, edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth in your preferred text editor.

# nano /etc/pam.d/system-auth
# nano /etc/pam.d/password-auth

Locate the below line in both files and add the parameter minlen=8 at the end of the line.

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8

Below configuration example is from my CentOS 6 machine.

CentOS 7/ RHEL 7

In CentOS 7 and RHEL 7 execute below command for setting up password length:

# authconfig --passminlen=8 --update

To verify configured password length after above command execution use below command:

# grep "^minlen" /etc/security/pwquality.conf

Below sample output is from my CentOS 7 machine.

2. Password Complexity

The password complexity policy makes users set complex passwords, that is, passwords which contain upper-case characters, lower-case characters and special or symbol characters. In the steps below I will require one upper-case character, one lower-case character, and one special character in the password. You can set any number of maximum allowed upper-case, lower-case, and other letters in your password. So let's start.

CentOS 6 / RHEL 6

Locate the line below in the files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the parameters dcredit=-1 (one digit), ucredit=-1 (one upper-case character), lcredit=-1 (one lower-case character) and ocredit=-1 (one other or symbol character):

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

Below sample output of these files /etc/pam.d/system-auth and /etc/pam.d/password-auth from my CentOS 6 machine:

CentOS 7 / RHEL 7

In CentOS 7 or RHEL 7 we will use the same authconfig command to configure password complexity.

To set at least one lower-case character for password:

# authconfig --enablereqlower --update

To set at least one upper-case character for password:

# authconfig --enablerequpper --update

To set at least one digit for password:

# authconfig --enablereqdigit --update

To set at least one other or symbol character for password:

# authconfig --enablereqother --update

To verify password complexity setting after running above command, use below command:

# egrep "^lcredit|^ucredit|^dcredit|^ocredit" /etc/security/pwquality.conf

Below sample output from my CentOS 7 machine:

3. Password expiration

The password expiration policy prompts users to change their password a certain number of days before it expires. To enforce this policy, CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7 have the file /etc/login.defs. This file contains the parameters below, which allow the System Administrator to set the policy:

• PASS_MAX_DAYS: Maximum number of days a password may be used.
• PASS_MIN_DAYS: Minimum number of days allowed between password changes.
• PASS_WARN_AGE: Number of days warning given before a password expires.

To enforce this policy on CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7 machines, locate the parameters below in the /etc/login.defs file and set the number of days as per your requirement:


PASS_MAX_DAYS
PASS_MIN_DAYS
PASS_WARN_AGE

Below is sample output from my CentOS 6 and CentOS 7 machine:

Note: The password expiration policy above applies only to newly created users; it is not applied to existing user(s). For existing user(s) you need to set this policy manually with the chage command:

• To set Maximum password days: chage -M <no. of days> <username>
• To set Minimum password days: chage -m <no. of days> <username>
• To set number of warning days before password expire: chage -W <no. of days> <username>
Sample output:

If you have more than one existing user, you can add those users to a text file and, with the help of a for loop, set the policy for all of them. Below is a sample from my machine:
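To find out which existing accounts actually need the chage commands above, the following added example (not from the original post) goes one step further than a plain loop: it reads the policy from a login.defs-style file, compares it with the aging fields of a shadow-style file, and prints the chage command for each out-of-policy account without changing anything. The function names policy_value and aging_fixes and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Dry-run audit of password aging for existing accounts (added example).
# Nothing is modified: the chage commands are only printed for review.

# Print the value of one login.defs key (commented-out lines are ignored).
policy_value() {  # usage: policy_value KEY FILE
    awk -v key="$1" '$1 == key { val = $2 } END { print val }' "$2"
}

# Print a chage command for every password-bearing account whose
# min/max/warn fields (shadow fields 4, 5, 6) differ from the policy.
aging_fixes() {  # usage: aging_fixes LOGIN_DEFS SHADOW
    max=$(policy_value PASS_MAX_DAYS "$1")
    min=$(policy_value PASS_MIN_DAYS "$1")
    warn=$(policy_value PASS_WARN_AGE "$1")
    [ -n "$max" ] && [ -n "$min" ] && [ -n "$warn" ] ||
        { echo "policy incomplete in $1" >&2; return 1; }
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        $2 ~ /^[!*]/ || $2 == "" { next }   # locked or no password set
        $4 != min || $5 != max || $6 != warn {
            printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1
        }' "$2"
}

# Constructed sample data (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/login.defs" <<'EOF'
# constructed sample values
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructed$hash:18000:0:99999:7:::
alice:$6$constructed$hash:18000:1:90:7:::
bob:$6$constructed$hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
EOF

aging_fixes "$demo_dir/login.defs" "$demo_dir/shadow"
```

On a real machine the two arguments would be /etc/login.defs and /etc/shadow, read as root; review the printed commands before running any of them.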

4. Deny past used passwords

The deny past used passwords policy prevents users from setting a password which they have used in the past. This makes passwords harder for an attacker to guess. The configuration is the same in both CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7. In both OSes, edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth, then locate and make the entry below:

password     sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Sample output:
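Because sections 1, 2 and 4 each require the same edit in two files, it is easy for /etc/pam.d/system-auth and /etc/pam.d/password-auth to drift apart. The following added example (not from the original post) checks one PAM file for the pam_cracklib.so and pam_unix.so options used in this tutorial; the function names pam_opt and check_pam_file and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a PAM file carries the pam_cracklib.so and
# pam_unix.so options this tutorial sets (minlen, *credit, remember).

# Print the value of OPTION given to MODULE on a "password" line.
pam_opt() {  # usage: pam_opt FILE MODULE OPTION
    awk -v mod="$2" -v opt="$3" '
        $1 == "password" {
            hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i == mod) hit = 1
                else if (hit && index($i, opt "=") == 1)
                    val = substr($i, length(opt) + 2)
            }
        }
        END { print val }' "$1"
}

# Return 0 if FILE meets the policy; otherwise print each gap and return 1.
check_pam_file() {  # usage: check_pam_file FILE
    rc=0
    v=$(pam_opt "$1" pam_cracklib.so minlen)
    [ "${v:-0}" -ge 8 ] || { echo "$1: minlen is '${v}', want >= 8"; rc=1; }
    for o in dcredit ucredit lcredit ocredit; do
        v=$(pam_opt "$1" pam_cracklib.so "$o")
        [ "${v:-0}" -le -1 ] || { echo "$1: $o is '${v}', want -1"; rc=1; }
    done
    v=$(pam_opt "$1" pam_unix.so remember)
    [ "${v:-0}" -ge 5 ] || { echo "$1: remember is '${v}', want >= 5"; rc=1; }
    return $rc
}

# Constructed sample files: the second one is missing several options.
d=$(mktemp -d)
cat > "$d/system-auth" <<'EOF'
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
EOF
cat > "$d/password-auth" <<'EOF'
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
check_pam_file "$d/system-auth" && echo "system-auth: OK"
check_pam_file "$d/password-auth" || echo "password-auth: out of policy"
```

On a real CentOS 6 / RHEL 6 machine, run check_pam_file against both /etc/pam.d/system-auth and /etc/pam.d/password-auth after editing them.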


5 thoughts on “How to Set password policy in CentOS or RHEL system”

  1. Shameek Bhattacharya says:
    March 10, 2021 at 11:52 pm

    In RHEL 8, editing /etc/pam.d/system-auth doesn’t seem to work for me. Can you please guide

    1. toets says:
      March 9, 2023 at 2:26 pm

      same problem on RHEL 8

      1. Charanjit Singh says:
        September 7, 2023 at 12:04 am

        In RHEL 8 you can now use a single file, /etc/security/pwquality.conf, for setting the password complexity.
        Reference Red Hat KB: https://access.redhat.com/solutions/6979714

  2. Sangita says:
    September 26, 2024 at 7:12 am

    Great job on the tutorial about setting password policies in CentOS and RHEL! It’s essential for securing systems, especially in the realm of cloud computing. Your insights on password length and complexity are invaluable for system administrators. Keep it up!

    1. Charanjit Singh says:
      November 10, 2024 at 6:19 pm

      Thanks for liking my Article.
