Hello,

Trying to setup/enforce a password policy.

Want to require users to enter an 8 character password with 1 numeric and 1 special character, 90 day expiration, 120 day inactivity, 3 try lockout.

Have looked at PAM in an attempt to setup some of the initial password requirements (8 char, 1 digit, 1 special) but can't seem to get any of it working. Tried making changes to /etc/pam.d/passwd and /etc/pam.d/system-auth using cracklib with the various credit parameters as specified in the PAM documentation but can't seem to get it to work.

Also can't seem to find thorough documentation on the xcredit parameters, or for system-auth.

Any suggestions/pointers would be appreciated.

Thanks

what does PAM have to do with password security? , maybe you could write a script that people could use to make there passwords with, or modify the program that sets the passwords to check for you requirements

I believe PAM is documented to provide services regarding the password itself. I tried adding the following line to /etc/pam.d/password and /etc/pam.d/system-auth...

password required /lib/security/pam_cracklib.so dcredit=-1 ocredit=-1 minlen=8

This is supposed to require a password with at least 1 digit and 1 "other" character, with a minimum length of 8 characters - if I am reading the documentation correctly.

Trying to do the same think with RH Enterprise 3 and having about the same amount of success trying to configure the system-auth file. I too would love some help. While I don't mind working at the command line, I would have thought that RH might have made this a bit easier all things considered.

I think some of this is done through the shadow file. If you use X and go to System Settings=>Users and Groups=>select a user=>Password Info you will see some entrys for password aging. Changing this GUI modifies the /etc/shadow file. I would like to know if there is a command line utility to do this, or if it is considered good practice to modify /etc/shadow using vi or some other editor. But this only effects password aging and not password content.

To make modifications to the /etc/shadow file, you can use the usermod command.
Eventhough you are allowed to modify the shadow file manually, I encourage you to use the usermod command.

In order to implement all the above mentioned login rules for new users, you will need to modify the /etc/login.defs file.

Also, the /etc/skel/ directory contains default configuration files which will be copied to a new users HOME directory.
And if you want to add login scripts or other custom configuration settings which will be applied to all users at log-on, you can add them to the /etc/profile.local file.

Thanks Mathieu.

Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?

Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?
Could block 'em off using pam_tally.

I think you are not reading documentation correctly. minlen is minimal numbe of credits. It is also not sure what do you mean by "not working".. does system accepts passworsd that it should not? Or your aparently valid passowrd is rejected?

Necroposting, the practice of responding to a thread that died a long time ago, is in this case not that useful. As the OP left several years ago. Please choose where you post carefully. Thread closed.