Information
The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
retry=3 - Allow 3 tries before sending back a failure.
minlen=14 - password must be 14 characters or more
** Either of the following can be used to enforce complex passwords:**
minclass=4 - provide at least four classes of characters for the new password
OR
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies
Rationale:
Strong passwords protect systems from being hacked through brute force methods.
Solution
Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy
minlen = 14
Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy
minclass = 4
OR
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Run the following script to update the system-auth and password-auth files
#!/usr/bin/env bash
for fn in system-auth password-auth; do
file='/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn'
if ! grep -Pq -- '^h*passwordh+requisiteh+pam_pwquality.so(h+[^#
r]+)?h+.*enforce_for_rootb.*$' '$file'; then
sed -ri 's/^s*(passwords+requisites+pam_pwquality.sos+)(.*)$/12 enforce_for_root/' '$file'
fi
if grep -Pq -- '^h*passwordh+requisiteh+pam_pwquality.so(h+[^#
r]+)?h+retry=([4-9]|[1-9][0-9]+)b.*$' '$file'; then
sed -ri '/pwquality/s/retry=S+/retry=3/' '$file'
elif ! grep -Pq -- '^h*passwordh+requisiteh+pam_pwquality.so(h+[^#
r]+)?h+retry=d+b.*$' '$file'; then
sed -ri 's/^s*(passwords+requisites+pam_pwquality.sos+)(.*)$/12 retry=3/' '$file'
fi
done
authselect apply-changes
Additional Information:
all default authselect profiles have pam_pwquality enabled with the expectation that options will be specified in pwquality.conf