Check user passwords
Joe Engressia, Sunday, September 14, 2008
You can configure Linux to verify that passwords cannot be guessed easily (that is, to reject weak passwords) using the Linux PAM module called pam_cracklib.so. It checks the password against dictionary words. The user is not allowed to set a new password unless the conditions are satisfied (i.e. a weak password is not allowed).
Open the password configuration file for your Linux distribution and modify it as follows.
Redhat/Fedora/CentOS Linux
The cracklib PAM module is installed by default, so there is no need to install anything. Just open the config file:
# vi /etc/pam.d/system-auth
Append/modify as follows:
password required /lib/security/pam_cracklib.so retry=2 minlen=10 difok=6
Debian or Ubuntu Linux
First install the libpam-cracklib PAM module to enable cracklib support.
# apt-get install libpam-cracklib
or
$ sudo apt-get install libpam-cracklib
Now open the config file:
# vi /etc/pam.d/common-password
Append/modify as follows:
password required pam_cracklib.so retry=2 minlen=10 difok=6
Save and close the file.
Where,
retry=2 : Prompt the user at most 2 times before returning with an error.
minlen=10 : The minimum length allowed for an account password is set to 10 characters. This is the minimum simplicity count for a good password. With the retry option above, the user gets only 2 attempts.
difok=6 : How many characters can be the same in the new password relative to the old one. The user will see the error - BAD PASSWORD: is too similar to the old one
You can also apply the following options, which are used to compute the 'unsimplicity' of the password.
dcredit=N : Digit characters
ucredit=N : Uppercase characters
lcredit=N : Lowercase characters
ocredit=N : Other characters
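How minlen and the four credit options combine into the 'simplicity count', as an added example that is not part of the original post and is not pam_cracklib's own code: a Python model of the module's length check. It assumes the man page defaults (minlen=9, each credit=1); the function names are hypothetical, and the dictionary, difok and other checks are not modelled.

```python
import string

# Added model of pam_cracklib's length/credit check (not the module's own code).
# Defaults assumed from the pam_cracklib man page: minlen=9, every credit=1.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

def parse_options(pam_line):
    """Read the integer key=value options this model uses from a PAM config line."""
    opts = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def count_classes(password):
    """Count characters per class, keyed by the credit option that covers them."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def effective_minlen(password, opts):
    """Length this password must reach, or None if a mandatory class is missing."""
    required = opts["minlen"]
    for key, seen in count_classes(password).items():
        credit = opts[key]
        if credit >= 0:
            required -= min(seen, credit)  # N >= 0: up to N chars of the class earn credit
        elif seen < -credit:
            return None                    # N < 0: at least |N| chars of the class are mandatory
    return required

def passes_length_check(password, opts):
    required = effective_minlen(password, opts)
    return required is not None and len(password) >= required

if __name__ == "__main__":
    page = parse_options("password required pam_cracklib.so retry=2 minlen=10 difok=6")
    strict = dict(page, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)
    for pw in ("Ab1!xyz", "abcdefgh", "Ab1!xyzwvu"):  # constructed sample passwords
        print(pw, passes_length_check(pw, page), passes_length_check(pw, strict))
```

With the line from this page and default credits, a 7-character password that mixes all four classes clears minlen=10. Setting a credit to a negative value makes that class mandatory and stops it from shortening the required length.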
Please note that restrictions are only applied to normal users (not to root user).