Linux is known for one of most secure Unix Operating System (OS) in world. But that is not mean it is 100% secure there is say in Information Technology (IT) no technology is a completely secure that is why from a System Administrator to CIO they take measure for securing IT infrastructure on regular basis by applying Personal Security, Hardware Security and Software Security.
In this tutorial we won’t discuss on these topics as these are beyond the scope of this topic. So let’s come on topic Linux Operating system security, weak password policy is one of main flaw for Linux based system as weak password can easily be cracked and causes breach of security. Attacker can crack the weak password easily and could exploit your Linux based systems which could be hosting your company critical database or e-commerce web service.
In this tutorial I will describe how to set password policy like password length, password complexity, password expiration period, deny past used passwords. etc. for CentOS / RHEL based system.
Note: For this tutorial I am using CentOS 6 and CentOS 7 virtual machines on KVM. Password policy configuration done on CentOS 6 and CentOS 7 machine will be same for RHEL 6 and RHEL 7 as well. Also I suggest before configuring files or executing any password policy configuration commands take backup of configuration files.
Password Policy Configuration in CentOS and RHEL machines
As mentioned above in this tutorial password policy configurations will contain below topics:
1. Password Length
2. Password Complexity
3. Password expiration
4. Deny past used passwords.
1. Password length configuration
CentOS 6 / RHEL 6
In CentOS 6 or RHEL 6 from root or sudo privileged edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth through your desire text editor.
# nano /etc/pam.d/system-auth
# nano /etc/pam.d/password-auth
Locate the below line in both files and add the parameter minlen=8 at the end of the line.
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8
Below configuration example is from my CentOS 6 machine.
CentOS 7/ RHEL 7
In CentOS 7 and RHEL 7 execute below command for setting up password length:
# authconfig --passminlen=8 --update
To verify configured password length after above command execution use below command:
# grep "^minlen" /etc/security/pwquality.conf
Below sample output is from my CentOS 7 machine.
2. Password Complexity
Password complexity policy allow user to set complex password this policy allow user to use password which contain upper-case character, lower-case character and special or symbol character. In below steps I will configure one upper-case, lower-case, and a special character in the password. You can set any number of maximum allowed upper-case, lower-case, and other letters in your password. So let’s start.
CentOS 6 / RHEL 6
Locate the below line in these files /etc/pam.d/system-auth and /etc/pam.d/password-auth and edit the parameters dcredit=-1 (one digit) ucredit=-1 (one upper-case character) lcredit=-1 (one lower-case character) ocredit=-1 ( one other or sysmbol character):
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
Below sample output of these files /etc/pam.d/system-auth and /etc/pam.d/password-auth from my CentOS 6 machine:
CentOS 7 / RHEL 7
In CentOS7 or RHEL 7 we will use same authconfig command to configure complex password.
To set at least one lower-case character for password:
# authconfig --enablereqlower --update
To set at least one upper-case character for password:
# authconfig --enablerequpper --update
To set at least one digit for password:
# authconfig --enablereqdigit --update
To set at least one other or symbol character for password:
# authconfig --enablereqother –update
To verify password complexity setting after running above command, use below command:
egrep "^lcredit|^ucredit|^dcredit|^ocredit" /etc/security/pwquality.conf
Below sample output from my CentOS 7 machine:
3. Password expiration
Password expiration policy prompt user to change his/her password before certain days of expiration to enforce this policy CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7 has a file /etc/login.defs. This file contain below parameters which allow System Administrator to set policy:
• PASS_MAX_DAYS: Maximum number of days a password may be used.
• PASS_MIN_DAYS: Minimum number of days allowed between password changes.
• PASS_WARN_AGE: Number of days warning given before a password expires.
To enforce this password in these CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7 machines locate the below parameters in /etc/login.defs file and provide number of days as per your requirement:
PASS_MAX_DAYS
PASS_MIN_DAYS
PASS_WARN_AGE
Below is sample output from my CentOS 6 and CentOS 7 machine:
Note: This above password expiration policy only applicable to newly created users whereas above password expiration policy won’t be applicable to existing user(s) thus you need to set this policy manually to existing user(s) from chage command you can set policy manually:
• To set Maximum password days: chage -M <no. of days> <username>
• To set Minimum password days: chage -m <no. of days> <username>
• To set number of warning days before password expire: chage -W <no. of days> <username>
Sample output:
If you have more then one existing users you can use add those users in text file and with help of for loop command you can set the policy manually below is sample from my machine:
4. Deny past used passwords
Deny past used passwords policy disallow users to set their password which were used in past. This make password more complicated by making it non guessable for attacker. In both CentOS 6 / RHEL 6 and CentOS 7 / RHEL 7 configuration is same. In both OSes you need to configure these files /etc/pam.d/system-auth and /etc/pam.d/password-auth locate and make below entry:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Sample output:
He is a lazy System Administrator who likes to Automate his task through Shell scripts and Ansible playbooks. He has contributed his many Automations work in Kyndryl and also maintain his own internal company Github repo.
His hobby is researching on new technologies and sharing this through his blog but if he is not researching or writing blog then you will find him listening music while sipping cup of coffee and enjoying the nature view.
You can find him on Twitter, Facebook, Linkedin or send him an email at webmaster@cjcheema.com
In RHEL 8 , editing /etc/pam.d/system-auth doesn’t seem to work for me . Can you please guide
same problem on RHEL 8
In RHEL 8 now you can use single file which is /etc/security/pwquality.conf for setting the password complexity.
Reference Red Hat KB: https://access.redhat.com/solutions/6979714
Great job on the tutorial about setting password policies in CentOS and RHEL! It’s essential for securing systems, especially in the realm of cloud computing. Your insights on password length and complexity are invaluable for system administrators. Keep it up!
Thanks for liking my Article.