4.4.2.2.1 Ensure pam_pwquality module is enabled

Information

The pam_pwquality.so module performs password quality checking. This module can be plugged into the password stack of a given service to provide strength-checking for passwords. The code was originally based on pam_cracklib module and the module is backwards compatible with its options.

The action of this module is to prompt the user for a password and check its strength against a system dictionary and a set of rules for identifying poor choices.

The first action is to prompt for a single password, check its strength and then, if it is considered strong, prompt for the password a second time (to verify that it was typed correctly on the first occasion). All being well, the password is passed on to subsequent modules to be installed as the new authentication token.

Use of unique, complex passwords helps to increase the time and resources required to compromise the password.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following line to the password section:

password requisite pam_pwquality.so try_first_pass local_users_only

Example password section:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 #<- added pam_pwquality.so line
password required pam_pwhistory.so remember=24 enforce_for_root try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

Note: the use_authtok option should exist on all password lines except the first entry and the pam_deny.so line.
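As an added audit helper (not part of the benchmark text or the Tenable plugin), the following POSIX shell checks a PAM file for the pam_pwquality.so line and for the use_authtok convention stated in the note; the script name audit_pwquality.sh used in the run guard is an assumption.

```shell
#!/bin/sh
# Added example, not the benchmark's own check. Audits one PAM file for:
#   1. an active "password ... pam_pwquality.so" line, and
#   2. use_authtok on every password line except the first and pam_deny.so.
# Assumes the "type control module options" layout shown in the example section.

# pam_has_pwquality FILE -> returns 0 if an uncommented password line loads pam_pwquality.so
pam_has_pwquality() {
    grep -Eq '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' "$1"
}

# pam_use_authtok_ok FILE -> returns 0 if every password line after the first,
# apart from pam_deny.so, carries use_authtok
pam_use_authtok_ok() {
    awk '
        $1 == "password" {
            n++
            if (n == 1) next                 # first entry prompts; needs no use_authtok
            if ($3 == "pam_deny.so") next    # deny line is exempt per the note
            if ($0 !~ /use_authtok/) bad++
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# audit_pam_file FILE -> prints findings, returns 0 only when both checks pass
audit_pam_file() {
    f="$1"; rc=0
    if pam_has_pwquality "$f"; then echo "$f: pam_pwquality.so present"
    else echo "$f: pam_pwquality.so MISSING"; rc=1; fi
    if pam_use_authtok_ok "$f"; then echo "$f: use_authtok convention ok"
    else echo "$f: use_authtok missing on a password line"; rc=1; fi
    return $rc
}

# When saved as audit_pwquality.sh (assumed name) and run directly, audit the
# two files named in the Solution; sourcing the file only defines the functions.
if [ "${0##*/}" = "audit_pwquality.sh" ]; then
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        audit_pam_file "$f"
    done
fi
```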

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: cbcc7554c094e330ec99e1b38512e467c541c8e913cf9c27ed1f7af66da0dc6c