Use the CrackLib [Recipe 9.2] module of PAM, pam_cracklib, to test and enforce password strength requirements automatically. In some Linux distributions such as Red Hat 8.0, this feature is enabled by default. passwd and other PAM-mediated programs will complain if a new password is too short, too simple, too closely related to the previous password, etc.
You can adjust password strength and other variables by editing the parameters to the pam_cracklib module in /etc/pam.d/system-auth. For example, to increase the number of consecutive times a user can enter an incorrect password, change the retry parameter from its default of 3:

password required /lib/security/pam_cracklib.so retry=3
PAM allows recursion via the pam_stack module—that is, one PAM module can invoke another. If you examine the contents of /etc/pam.d, you will find quite a number of modules that recursively depend on system-auth, for example. This lets you define a single, systemwide authentication policy that propagates to other services.
Red Hat 8.0 has a sysadmin utility, authconfig, with a simple GUI for setting system authentication methods and policies: how authentication is performed (local passwords, Kerberos, LDAP), whether caching is done, etc. authconfig does its work by writing /etc/pam.d/system-auth. Unfortunately, it does not preserve any customizations you might make to this file. So, if you make custom edits as described above, beware using authconfig—it will erase them!
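The following script is an added example, not code from the Linux Security Cookbook; it shows how an administrator can audit the three things discussed above: which parameters the pam_cracklib line in system-auth actually carries (pam_cracklib's retry value is the number of times passwd re-prompts for a replacement password that fails the strength checks), whether the strength check is marked required so that weak passwords are really rejected, which services chain to system-auth through pam_stack and therefore inherit any edit, and a backup step to take before running authconfig so that custom edits can be diffed or restored afterwards. The system-auth contents and the pam.d directory it builds are constructed sample data placed in a temporary directory, so the script runs offline; on a real Red Hat 8.0 host the functions would be pointed at /etc/pam.d instead.

```shell
#!/bin/sh
# Added example (not from the Linux Security Cookbook or the PAM project):
# audit a system-auth file for its pam_cracklib policy, list the services
# that reach it via pam_stack, and back it up before authconfig rewrites it.
# All files below are constructed sample data written to a temporary pam.d.

# Constructed sample system-auth, mirroring the cookbook's pam_cracklib line.
SAMPLE_SYSTEM_AUTH='auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3 minlen=8 difok=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so'

# Print the value of one pam_cracklib parameter (e.g. retry) read from a
# system-auth file on stdin; prints nothing if the parameter is absent.
cracklib_param() {
    awk -v key="$1" '
        $1 == "password" && $3 ~ /pam_cracklib\.so$/ {
            for (i = 4; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) print kv[2]
            }
        }'
}

# Succeed only if pam_cracklib is listed as required or requisite on a
# password line; otherwise passwd will not actually reject weak passwords.
cracklib_enforced() {
    awk '$1 == "password" && ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_cracklib\.so$/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# List the services in a pam.d directory ($1) whose configuration chains to
# system-auth through pam_stack, i.e. everything a system-auth edit affects.
services_using_system_auth() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'pam_stack\.so.*service=system-auth' "$f" && basename "$f"
    done | sort -u
}

# Copy system-auth ($1) to a backup path ($2), preserving mode and times,
# and verify the copy so it can be diffed against whatever authconfig writes.
backup_system_auth() {
    cp -p "$1" "$2" && cmp -s "$1" "$2"
}

# Demo: build a throwaway pam.d directory populated with the sample data.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' "$SAMPLE_SYSTEM_AUTH" > "$DEMO_DIR/system-auth"
printf 'auth       required     /lib/security/pam_stack.so service=system-auth\n' > "$DEMO_DIR/login"
printf 'auth       required     /lib/security/pam_stack.so service=system-auth\npassword   required     /lib/security/pam_stack.so service=system-auth\n' > "$DEMO_DIR/passwd"
printf 'auth       required     /lib/security/pam_unix.so\n' > "$DEMO_DIR/standalone"

echo "retry  = $(cracklib_param retry  < "$DEMO_DIR/system-auth")"
echo "minlen = $(cracklib_param minlen < "$DEMO_DIR/system-auth")"
if cracklib_enforced < "$DEMO_DIR/system-auth"; then
    echo "pam_cracklib is enforced (required/requisite)"
else
    echo "WARNING: pam_cracklib is not enforced"
fi
echo "services chaining to system-auth via pam_stack:"
services_using_system_auth "$DEMO_DIR"
backup_system_auth "$DEMO_DIR/system-auth" "$DEMO_DIR/system-auth.pre-authconfig" \
    && echo "backup written to $DEMO_DIR/system-auth.pre-authconfig"
```

On a real system, run the backup step before launching authconfig and then diff the backup against the rewritten /etc/pam.d/system-auth to see exactly which custom parameters were dropped; the service listing shows which other PAM-mediated programs picked up the change.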