Sunday, April 15, 2018

security - How do I enforce a password complexity policy?




I need to configure an Ubuntu server to follow a strict company password policy that specifies the following:




  • at least one upper case

  • at least one lower case

  • at least one digit

  • at least one special character




I've had a look around and all I have found is the instructions for specifying the password length; but, I have yet to find something that relates to specifying the content of the password regarding the above points.



Any help would be appreciated.



Password complexity is enforced by the pam_cracklib module.



In order to modify the password policy for your local machine, you will need to modify your /etc/pam.d/common-password file.



From a terminal window (Ctrl+Alt+T), enter the following command:




sudo -i gedit /etc/pam.d/common-password


Add the following line to the file (before pam_unix.so or whichever PAM module is used primarily for authentication, as can be seen from examples in the manpage) and save the file:



password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1


This statement implements the following password requirements:





  • dcredit == digit

  • ucredit == upper-case character

  • lcredit ==lower-case character

  • ocredit == other character (special characters, including ! , @ # $ %)



This should satisfy your requirements.



You could also use the variables minlength and retries to further restrict the password requirements.




Here is another good example of modifying a password policy in this manner would be placing the following line in the /etc/pam.d/common-password file:



password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1


This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.



This sets the requirement for users to have a minimum of three characters different from the last password.




This will also fulfill the requirement of having the password contain at least one each of digit, lower-case character, and upper-case characters.



See also this article on setting up stronger password policy rules in linux.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...