Linux password security
Introduction
This article briefly describes ways to enforce Linux password security.
Password expiry
Expiry defaults
We can manage the password expiry by editing /etc/login.defs. The settings below are relevant:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
These values set the following expiration options:
- PASS_MAX_DAYS: Maximum number of days a password may be used.
- PASS_MIN_DAYS: Minimum number of days allowed between password changes.
- PASS_MIN_LEN: Minimum acceptable password length.
- PASS_WARN_AGE: Number of days warning given before a password expires.
Force password change on next logon
To force a user to change the password on next logon run the following command:
passwd --expire <username>
Check password settings for a user
Next we check the password expiration for the user:
# chage -l <username>
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
Password complexity options
Password complexity is configured through PAM. The settings live in /etc/pam.d/common-password on Debian based systems and in /etc/pam.d/system-auth on RedHat based systems. On SuSE based systems you need to use pam-config to change the values; if you edit the configuration files directly, your changes will automatically be reverted by the configuration tool.
Deny password re-use
To prevent a user from re-using the same password over and over again, Linux can keep a password history, and you can specify the number of "old" passwords that may not be reused. In the example below it is set to 5.
SuSE
pam-config -a --pwhistory-remember=5
Debian
The history is kept by pam_pwhistory (the module pam-config enables above); pam_cracklib does not implement the remember option.
vi /etc/pam.d/common-password
password required pam_pwhistory.so remember=5
Password minimum length
Longer passwords are safer, so it is a good idea to set a minimum length for the passwords users can choose. In the example below we set it to a minimum of 15 characters.
SuSE
pam-config -a --cracklib --cracklib-minlen=15
Debian
vi /etc/pam.d/common-password
password requisite pam_cracklib.so minlen=15
Minimum number of upper- and lowercase characters
Making passwords more complex is a good way to keep attackers at bay. So we can force users to choose passwords that consist of at least 1 uppercase and 1 lowercase character (or more if desired):
SuSE
pam-config -a --cracklib --cracklib-lcredit=-1 --cracklib-ucredit=-1
Debian
vi /etc/pam.d/common-password
password requisite pam_cracklib.so ucredit=-1 lcredit=-1
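As an added example (not part of the original article), the script below audits the login.defs ageing settings from the first section and reads option values from the pam_cracklib line of the later sections, so a hardening baseline can be checked on any host rather than eyeballed. The thresholds (90 days, 1 day, 15 characters, 7 days) and the sample files are constructed for this example and are not values the article prescribes.

```shell
#!/bin/sh
# Added example: audit password ageing in a login.defs-style file and read
# option values from a PAM password line. Baseline thresholds are assumptions.

# login_defs_value FILE KEY -> value of KEY; the last non-comment match wins.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# pam_option FILE MODULE KEY -> value of KEY=... on the first non-comment
# line that loads MODULE (e.g. minlen on the pam_cracklib.so line).
pam_option() {
    awk -v mod="$2" -v key="$3" '
        $0 !~ /^[ \t]*#/ && index($0, mod) {
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2 && kv[1] == key) { print kv[2]; exit }
        }' "$1"
}

# audit_login_defs FILE -> prints one FAIL line per setting outside the
# baseline; returns 1 if anything failed, 0 if all four settings pass.
# A missing key means the compiled-in default applies, so it is a finding.
audit_login_defs() {
    rc=0
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    min=$(login_defs_value "$1" PASS_MIN_DAYS)
    len=$(login_defs_value "$1" PASS_MIN_LEN)
    warn=$(login_defs_value "$1" PASS_WARN_AGE)
    [ -n "$max" ]  && [ "$max" -le 90 ]  || { echo "FAIL PASS_MAX_DAYS=${max:-unset} (want <= 90)"; rc=1; }
    [ -n "$min" ]  && [ "$min" -ge 1 ]   || { echo "FAIL PASS_MIN_DAYS=${min:-unset} (want >= 1)"; rc=1; }
    [ -n "$len" ]  && [ "$len" -ge 15 ]  || { echo "FAIL PASS_MIN_LEN=${len:-unset} (want >= 15)"; rc=1; }
    [ -n "$warn" ] && [ "$warn" -ge 7 ]  || { echo "FAIL PASS_WARN_AGE=${warn:-unset} (want >= 7)"; rc=1; }
    return $rc
}

# Stand-alone demo on constructed files holding the article's default values.
demo_dir=$(mktemp -d)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$demo_dir/login.defs"
printf '# constructed sample\npassword requisite pam_cracklib.so minlen=15 ucredit=-1 lcredit=-1\n' > "$demo_dir/common-password"
audit_login_defs "$demo_dir/login.defs" && echo "login.defs: OK" || echo "login.defs: not compliant"
echo "pam minlen=$(pam_option "$demo_dir/common-password" pam_cracklib.so minlen)"
rm -rf "$demo_dir"
```

Point the functions at the real /etc/login.defs and /etc/pam.d/common-password (or system-auth) to check a live host; the exit status of audit_login_defs makes it usable from a cron job or configuration-management check.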