[techtalk] password policy?

Martin.Caitlyn at epamail.epa.gov Martin.Caitlyn at epamail.epa.gov
Tue Jun 19 12:38:35 EST 2001


Hi, Nicole, and everyone else,

> What's the best way (IYHO) to do linux password policies? I think some of
> this can be accomplished with cracklib. The policies need to at least
> match, the unix one can be stronger than the windows policy (I don't think
> the policy problem works both ways).

I think the pam_cracklib module can probably do everything you need, except
for the expiration issue and the full user name issue, though some of the
latter (common names) will be handled properly by the routine that
prohibits dictionary words.  Setting expiration (and, if you like, a
warning that the password will expire) is done at the command line with the
chage command.  For example:

chage -M 90 -W 10 <username>

will set the account of username to expire every 90 days and issue a
warning that the password is going to expire 10 days in advance.  This
command actually edits the /etc/shadow file to produce the desired results.

The pam_cracklib module documentation can be found at:

  http://www.kernel.org/pub/linux/libs/pam/Linux_PAM_html/pam_6.html#ss6.3

On a Red Hat 6.2 box the reference to the cracklib module goes in
/etc/pam.d/passwd.  On a Red Hat 7.1 box it goes in /etc/pam.d/system-auth.
I can't tell you what may or may not be different on other distros.  The
documentation isn't the most intuitive or clear, and if you have a specific
question about how to set this up after you read through it, please post or
write me again.

Also, one caution if you are doing this on a Red Hat 7.1 box.  authconfig
overwrites the /etc/pam.d/system-auth file every time it runs, yet it can't
deal with cracklib.  (Yeah, I know, it's stupid.)  You will need to disable
or uninstall authconfig and do your editing manually.  Otherwise you run
the danger of your work disappearing, along with all those nice
restrictions you set up.

Regards,
Caity
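An added example, not part of Caity's post: since chage -M 90 -W 10 works by
editing the max-age and warning fields of /etc/shadow, the way to confirm the
policy actually took effect on every account is to read those fields back.
The script below audits a shadow-format file against the 90-day / 10-day
policy from the post and prints the chage command for each account that
falls short. The sample shadow lines, the placeholder hashes and the
function names are constructed for this example; run audit_shadow /etc/shadow
as root on a real box.

```shell
#!/bin/sh
# /etc/shadow fields (colon-separated):
#   1 name  2 hash  3 lastchg  4 min  5 max  6 warn  7 inactive  8 expire  9 flag
# chage -M sets field 5, chage -W sets field 6.

MAX_DAYS=90    # policy from the post: chage -M 90
WARN_DAYS=10   # policy from the post: chage -W 10

# Constructed sample shadow file (placeholder hashes, not real ones).
# 11492 = days since 1970-01-01 for 2001-06-19, the date of the post.
sample_shadow() {
    cat <<'EOF'
alice:$1$PLACEHOLDER:11492:0:90:10:::
bob:$1$PLACEHOLDER:11492:0:99999:7:::
carol:$1$PLACEHOLDER:11492:0:90:::
root:!!:11492:0:99999:7:::
EOF
}

# Print the names of accounts whose max age is unset or longer than policy,
# or whose warning period is unset or shorter than policy.
# Arg 1: path to a shadow-format file.
# Accounts whose hash starts with '!' or '*' are locked and cannot log in
# with a password, so they are skipped.
audit_shadow() {
    awk -F: -v max="$MAX_DAYS" -v warn="$WARN_DAYS" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 > max || $6 == "" || $6 < warn { print $1 }
    ' "$1"
}

# Dry run: print the chage command that would bring each failing account
# into line. Pipe the output to sh as root to apply it.
apply_policy() {
    audit_shadow "$1" | while read -r user; do
        echo "chage -M $MAX_DAYS -W $WARN_DAYS $user"
    done
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_shadow > "$tmp"
echo "Accounts out of policy:"
audit_shadow "$tmp"
echo "Commands to fix them:"
apply_policy "$tmp"
rm -f "$tmp"
```

On the sample, bob (max 99999, warn 7) and carol (warn unset) are reported
and alice passes; the locked root entry is ignored. Running the audit after
each authconfig run is also a quick way to notice if your settings were
clobbered.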