
Password Complexity and Account Lockout

This will be a brief blog post on how to use PAM modules on CentOS or Red Hat 6.x to enforce password complexity and account lockout; the lockout will also apply to SSH logins.
You can use passwdqc (which is no longer supported on RHEL 7) or the cracklib PAM module to enforce password complexity; the latter is the better known and more popular one, so I will focus on it.

There are two files that need to be configured: /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac. Both are generated by authconfig, so take a backup first and remember that a later authconfig run will overwrite your changes.

For account locking there is a module named pam_tally2 that can be invoked to lock a user account after a number of failed login attempts and unlock it again after a set period of time. Let's keep things simple without going into the details, because PAM configuration can be tricky and would need more than one blog post.

Configuring account locking

This will be applied during SSH login and when switching accounts with su -. Remember, any change needs to be made in both files, password-auth-ac and system-auth-ac.
Add the following line as the first line of the auth section:

auth requisite pam_tally2.so deny=5 unlock_time=900 magic_root

pam_tally2 also has an account phase that resets the counter after a successful login (see man pam_tally2); without it, failed attempts keep accumulating until an administrator resets the tally by hand.

Then add the same line, without magic_root, as the first line of the auth section of the /etc/pam.d/sshd configuration file:

auth requisite pam_tally2.so deny=5 unlock_time=900

On RHEL 6 the sshd stack already includes password-auth, so with pam_tally2 in both stacks one failed SSH login may be counted twice; verify the effective threshold with pam_tally2 -u username after a couple of deliberate failures.

You don't need to change anything in /etc/ssh/sshd_config; just make sure UsePAM is set to yes, which is the default.

  • deny=5: lock the user after 5 unsuccessful login attempts
  • unlock_time=900: unlock the user automatically after 15 minutes (900 seconds)
  • magic_root: do not increment the counter when the calling process runs as root (uid 0), so root doing su - to a user cannot lock that user

Password complexity and history

Add the following line as the first line of the password section (the option is spelled minlen, not minlength):

password requisite pam_cracklib.so try_first_pass retry=3 debug minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 reject_username minclass=4 difok=4

Here is a quick explanation of the cracklib options:

  • retry=3: how many times the user is prompted for a new password before the module gives up
  • debug: log the checks to syslog; drop it once the policy is tuned
  • minlen=10: the minimum password length. Each Xcredit option set to a positive value N adds up to N "virtual" characters to the counted length for that class; with all four credits at -1 no credit is granted, so the password really must have at least 10 characters
  • lcredit=-1: at least 1 lower case letter
  • ucredit=-1: at least 1 upper case letter
  • dcredit=-1: at least 1 digit
  • ocredit=-1: at least 1 special character
  • maxrepeat=3: reject a password containing more than 3 identical consecutive characters
  • reject_username: reject a password that contains the user name, straight or reversed
  • minclass=4: the minimum number of character classes (lower, upper, digit, other) the new password must contain; with the four credits above at -1 this is already implied, but it documents the intent
  • difok=4: how many characters of the old password must be absent from the new one for it to count as a new password
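To see which of these options rejects a given candidate, here is an added example that is not part of the original post and not pam_cracklib's own code: a small Python model of the checks the line above turns on (minlen with the credit rules, minclass, maxrepeat, difok and reject_username, following their documented semantics; the dictionary check cracklib also runs is out of scope). The policy values are the ones from this page and the sample passwords and user name are constructed.

```python
"""Model of the pam_cracklib checks enabled on this page (added example, not
pam_cracklib's own code). Dictionary checks are not modelled."""

# Values from this page's pam_cracklib line (the option is minlen, not minlength).
POLICY = {
    "minlen": 10,
    "lcredit": -1, "ucredit": -1, "dcredit": -1, "ocredit": -1,
    "minclass": 4,
    "maxrepeat": 3,
    "difok": 4,
    "reject_username": True,
}

CLASS_OPTS = (("lower", "lcredit"), ("upper", "ucredit"),
              ("digit", "dcredit"), ("other", "ocredit"))


def class_counts(pw):
    """Count characters per cracklib class: lower, upper, digit, other."""
    counts = dict.fromkeys(("lower", "upper", "digit", "other"), 0)
    for c in pw:
        if c.islower():
            counts["lower"] += 1
        elif c.isupper():
            counts["upper"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def credited_length(pw, policy):
    """Length as pam_cracklib counts it: a non-negative Xcredit=N adds up to N
    to the length for that class; a negative credit adds nothing (it becomes a
    minimum-count requirement instead, checked in check_password)."""
    counts = class_counts(pw)
    size = len(pw)
    for cls, opt in CLASS_OPTS:
        if policy[opt] >= 0:
            size += min(counts[cls], policy[opt])
    return size


def longest_run(pw):
    """Longest run of identical consecutive characters (for maxrepeat)."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def check_password(new, old="", user="", policy=POLICY):
    """Return the list of policy violations; an empty list means accepted."""
    failures = []
    counts = class_counts(new)
    for cls, opt in CLASS_OPTS:
        if policy[opt] < 0 and counts[cls] < -policy[opt]:
            failures.append(f"need at least {-policy[opt]} {cls} character(s)")
    if credited_length(new, policy) < policy["minlen"]:
        failures.append(f"shorter than minlen={policy['minlen']}")
    if sum(1 for n in counts.values() if n) < policy["minclass"]:
        failures.append(f"fewer than minclass={policy['minclass']} character classes")
    if policy["maxrepeat"] and longest_run(new) > policy["maxrepeat"]:
        failures.append(f"more than maxrepeat={policy['maxrepeat']} identical consecutive characters")
    # difok: characters of the old password that no longer appear in the new one
    if old and sum(1 for c in old if c not in new) < policy["difok"]:
        failures.append(f"fewer than difok={policy['difok']} characters changed from the old password")
    if policy["reject_username"] and user:
        u = user.lower()
        if u in new.lower() or u[::-1] in new.lower():
            failures.append("contains the username")
    return failures


if __name__ == "__main__":
    # Constructed samples: old password and user name are made up for the demo.
    for pw in ("Passw0rd!", "Abcd1!aaaa", "aliceALICE11!!", "Correct-Horse7"):
        print(pw, "->", check_password(pw, old="Summer2014!", user="alice") or "OK")
```

Run it with a few candidates before rolling the policy out: "Passw0rd!" fails only on length, "Abcd1!aaaa" only on maxrepeat, and a password built from the user name is rejected even when it satisfies every other rule.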

Then add the following line right after the pam_cracklib line:

password requisite pam_pwhistory.so use_authtok remember=12

This makes the last 12 passwords of each user be remembered (in /etc/security/opasswd) and rejected on reuse. use_authtok tells pam_pwhistory to check the password that pam_cracklib already accepted instead of prompting for it again.

Use man pam_cracklib, man pam_pwhistory or man pam_tally2 to get more details about the configuration options.
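Putting the lockout, complexity and history lines together, here is an added example (not code from the original post) that applies them to a PAM stack file as text, so that the edit is idempotent and each rule lands where this post says it should: pam_tally2 first in auth and account, pam_cracklib first in password, pam_pwhistory right after it. The sample stack is a constructed, cut-down RHEL 6 system-auth-ac; on a real host you would read and write /etc/pam.d/system-auth-ac and password-auth-ac as root, after taking a backup.

```python
"""Apply this page's PAM rules to a stack file (added example, not part of the
original post). The sample stack below is constructed from RHEL 6 defaults."""

SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
"""

# The rules from this page; the account rule resets the tally on successful login.
LOCKOUT_AUTH = "auth        requisite     pam_tally2.so deny=5 unlock_time=900 magic_root"
LOCKOUT_ACCOUNT = "account     required      pam_tally2.so"
CRACKLIB = ("password    requisite     pam_cracklib.so try_first_pass retry=3 "
            "minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 "
            "maxrepeat=3 reject_username minclass=4 difok=4")
PWHISTORY = "password    requisite     pam_pwhistory.so use_authtok remember=12"


def parse_rule(line):
    """Split a PAM rule into (group, control, module); None for blank/comment lines."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    return fields[0].lstrip("-"), fields[1], fields[2]


def same_rule(line, group, module):
    r = parse_rule(line)
    return bool(r) and r[0] == group and r[2] == module


def ensure_rule(text, rule, after_module=None):
    """Make `rule` present exactly once in its management group: any existing
    rule for the same module in that group is dropped, then the rule goes in
    as the first rule of the group, or right after `after_module` if that
    module is present in the group."""
    group, _, module = parse_rule(rule)
    lines = [l for l in text.splitlines() if not same_rule(l, group, module)]
    first = anchor = None
    for i, l in enumerate(lines):
        r = parse_rule(l)
        if not r or r[0] != group:
            continue
        if first is None:
            first = i
        if after_module and r[2] == after_module:
            anchor = i + 1
            break
    pos = anchor if anchor is not None else (first if first is not None else len(lines))
    lines.insert(pos, rule)
    return "\n".join(lines) + "\n"


def harden_stack(text):
    """Apply the four rules in dependency order to one stack file."""
    text = ensure_rule(text, LOCKOUT_AUTH)
    text = ensure_rule(text, LOCKOUT_ACCOUNT)
    text = ensure_rule(text, CRACKLIB)
    return ensure_rule(text, PWHISTORY, after_module="pam_cracklib.so")


def rules(text, group):
    """Ordered module names of `group` in a stack, for inspection."""
    return [r[2] for r in map(parse_rule, text.splitlines()) if r and r[0] == group]


if __name__ == "__main__":
    print(harden_stack(SAMPLE_SYSTEM_AUTH))
```

Because the default stack already carries a pam_cracklib line, the function replaces it rather than adding a second one, and running harden_stack twice yields the same file, which is what you want from a script that may be re-run after authconfig has regenerated the -ac files.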

Checking and unlocking user account

You can check whether an account is locked, and see its failure count, with pam_tally2 -u username



To unlock a user: pam_tally2 -r -u username