This will be a brief blog post on how to use PAM modules on CentOS or Red Hat 6.x to enforce password complexity and account lockout; the account locking will also apply to SSH logins.
You can use passwdqc (which is no longer supported on RHEL 7) or the cracklib PAM module to enforce password complexity; the latter is the better known and more widely used of the two, so I will focus on it.
Two files need to be configured: /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac.
For account locking there is a module named pam_tally2.so that can be invoked to lock a user account after a number of failed login attempts and unlock it again after a certain period of time. Let's keep things simple without going into the details, because PAM configuration can be tricky and would need more than one blog post.
Configuring account locking
This will be applied during SSH login and when switching accounts using su -. Remember, any change needs to be made in both files, password-auth-ac and system-auth-ac.
Add the following line as the first line of the auth section:
auth requisite pam_tally2.so deny=5 unlock_time=900 magic_root
Then add the following line as the first line of the auth section in the /etc/pam.d/sshd configuration file:
auth requisite pam_tally2.so deny=5 unlock_time=900
You don't need to change anything in /etc/ssh/sshd_config; just make sure that UsePAM is set to yes, which is the default.
- deny=5 locks the user after 5 unsuccessful login attempts
- unlock_time=900 unlocks the user after 15 minutes (900 seconds)
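To see how deny=5 and unlock_time=900 interact, here is an added Python model of the per-user counter that pam_tally2 keeps (example code written for this post, not pam_tally2's own; the TallyModel class, its attempt/status/reset methods and the sample user name are assumptions, and the magic_root handling follows only what the man page documents):

```python
from dataclasses import dataclass


@dataclass
class TallyRecord:
    fail_cnt: int = 0        # pam_tally2's per-user failure counter
    fail_time: float = 0.0   # time of the most recent counted attempt


class TallyModel:
    """Model of 'pam_tally2.so deny=N unlock_time=S [magic_root]'.

    Documented behaviour mirrored here: the counter is bumped on every
    attempt before the password is checked, access is refused once the
    counter exceeds deny, a lock expires unlock_time seconds after the
    previous counted attempt, and a successful login resets the counter.
    With magic_root, attempts made by a uid-0 caller (e.g. root running
    su) are not counted; in this model they are not checked either.
    """

    def __init__(self, deny=5, unlock_time=900, magic_root=False):
        self.deny = deny
        self.unlock_time = unlock_time
        self.magic_root = magic_root
        self.records = {}   # user -> TallyRecord, stands in for /var/log/tallylog

    def attempt(self, user, password_ok, now, caller_uid=1000):
        """Return True if the login succeeds, False if it is refused."""
        if self.magic_root and caller_uid == 0:
            return password_ok                 # counter untouched (assumption)
        rec = self.records.setdefault(user, TallyRecord())
        previous = rec.fail_time               # time of the attempt before this one
        rec.fail_cnt += 1                      # bumped before the password is looked at
        rec.fail_time = now
        if rec.fail_cnt > self.deny:
            expired = bool(self.unlock_time) and previous + self.unlock_time < now
            if not expired:
                return False                   # refused even if the password is right
        if password_ok:
            rec.fail_cnt = 0                   # reset on success, as pam_tally2 does
            return True
        return False

    def status(self, user, now):
        """(failures, locked): what 'pam_tally2 -u user' would report."""
        rec = self.records.get(user, TallyRecord())
        still_locked = rec.fail_cnt > self.deny and not (
            bool(self.unlock_time) and rec.fail_time + self.unlock_time < now)
        return rec.fail_cnt, still_locked

    def reset(self, user):
        """'pam_tally2 -r -u user': clear the counter by hand."""
        self.records.pop(user, None)


if __name__ == "__main__":
    # Constructed walk-through: five failures, a refused sixth attempt with the
    # right password, then success once the 15-minute lock has expired.
    m = TallyModel(deny=5, unlock_time=900)
    for t in range(5):
        m.attempt("bob", False, now=100 + t)
    print("after 5 failures:", m.status("bob", now=105))
    print("6th attempt, correct password:", m.attempt("bob", True, now=110))
    print("16 minutes later:", m.attempt("bob", True, now=110 + 901))
    print("after success:", m.status("bob", now=1012))
```

Two things the model makes visible: the attempt that crosses the limit is refused before the password is examined, and because every counted attempt refreshes fail_time, attempts made while the account is locked push the unlock point further out. After applying the real configuration, one failed test login should raise the counter shown by pam_tally2 -u by exactly one; if it rises by two per attempt, pam_tally2 is being evaluated twice in that service's stack and the effective limit is lower than deny.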
Password complexity and history
Add the following line as the first line of the password section:
password requisite pam_cracklib.so try_first_pass retry=3 debug minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 reject_username minclass=4 difok=4
Here is a quick explanation of the cracklib configuration:
- minlen=10: the minimum password length. With the module's default (positive) credits, each character class present in the password counts as extra length, so the effective minimum would be lower than this value; with all four credits set to -1 as below, no credit is given and the password must really be 10 characters long
- lcredit=-1: at least 1 lowercase letter
- ucredit=-1: at least 1 uppercase letter
- dcredit=-1: at least 1 digit
- ocredit=-1: at least 1 special character
- maxrepeat=3: reject a password that contains more than 3 identical consecutive characters
- reject_username: reject a password that contains the user name, straight or reversed (no further explanation needed, I think!)
- minclass=4: the minimum number of character classes (lowercase, uppercase, digits, special) the new password must use
- difok=4: how many characters must differ from the old password for the new one to be considered a new password
Then add the following line right after it:
password requisite pam_pwhistory.so use_authtok remember=12
This makes the system remember the last 12 passwords and refuse their reuse.
Use man pam_cracklib or man pam_pwhistory for more details on the configuration directives.
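The following added Python example models the rules on the pam_cracklib line above together with the pam_pwhistory remember=12 check, so you can see which candidate passwords the policy accepts and why the others fail. It is a re-implementation of the option semantics from the two man pages, not the modules' own code; cracklib's dictionary test and its palindrome/rotation checks are not modelled, the function and constant names are assumptions, and the sample user name, old password and candidates are constructed for the demonstration.

```python
import hashlib
import os
from collections import deque

# Values from the pam_cracklib / pam_pwhistory lines configured in this post.
POLICY = {
    "minlen": 10, "lcredit": -1, "ucredit": -1, "dcredit": -1, "ocredit": -1,
    "maxrepeat": 3, "minclass": 4, "difok": 4, "reject_username": True,
}
REMEMBER = 12

LENGTH_MSG = "too short or missing a required character class"
CLASS_MSG = "fewer than minclass=4 character classes"
REPEAT_MSG = "more than maxrepeat=3 identical consecutive characters"
USERNAME_MSG = "contains the user name (straight or reversed)"
DIFOK_MSG = "fewer than difok=4 characters changed from the old password"


def char_classes(pw):
    """Count characters per class the way pam_cracklib groups them."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for c in pw:
        if c.isdigit():
            counts["digit"] += 1
        elif c.isupper():
            counts["upper"] += 1
        elif c.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def length_ok(pw, p):
    """minlen/credit rule: a negative credit is a hard minimum for that class;
    a non-negative credit lets up to that many characters of the class count
    extra towards minlen. With all four credits at -1 the effective minimum
    length is exactly minlen."""
    counts = char_classes(pw)
    size = p["minlen"]
    for cls, key in (("digit", "dcredit"), ("upper", "ucredit"),
                     ("lower", "lcredit"), ("other", "ocredit")):
        credit = p[key]
        if credit >= 0:
            size -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    return len(pw) >= size


def edit_distance(a, b):
    """Levenshtein distance; newer pam_cracklib releases compare old and new
    passwords this way for difok (older ones counted shared characters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cracklib_problems(user, old_pw, new_pw, p=POLICY):
    """Return the list of rules the new password breaks (empty list = passes)."""
    problems = []
    if not length_ok(new_pw, p):
        problems.append(LENGTH_MSG)
    counts = char_classes(new_pw)
    if sum(1 for n in counts.values() if n > 0) < p["minclass"]:
        problems.append(CLASS_MSG)
    run = 1
    for a, b in zip(new_pw, new_pw[1:]):
        run = run + 1 if a == b else 1
        if run > p["maxrepeat"]:
            problems.append(REPEAT_MSG)
            break
    if p["reject_username"] and (user in new_pw or user[::-1] in new_pw):
        problems.append(USERNAME_MSG)
    # difok: a password at least twice as long as the old one always counts as different enough
    if old_pw is not None and edit_distance(old_pw, new_pw) < p["difok"] \
            and len(new_pw) < 2 * len(old_pw):
        problems.append(DIFOK_MSG)
    return problems


class PasswordHistory:
    """pam_pwhistory remember=N model: keep salted hashes of the last N passwords
    (pam_pwhistory stores them in /etc/security/opasswd) and reject reuse."""

    def __init__(self, remember=REMEMBER):
        self.entries = deque(maxlen=remember)   # oldest entry drops off at N+1

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20_000)

    def record(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, self._hash(pw, salt)))

    def reused(self, pw):
        return any(self._hash(pw, salt) == digest for salt, digest in self.entries)


if __name__ == "__main__":
    # Constructed sample: user "alice" changing from "Summer2019!"
    for candidate in ("Bright#Horse42", "Summer2019!!", "alice2019!XY", "aaaaBBBB11!!", "Short1!A"):
        print(candidate, "->", cracklib_problems("alice", "Summer2019!", candidate) or "accepted")
```

Running the block shows that only the first candidate passes, and the length_ok() function can be called with the module's default positive credits to see how much shorter a password the default credit scheme would accept.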
Checking and unlocking user account
You can check whether an account is locked with: pam_tally2 -u username
To unlock a user: pam_tally2 -r -u username