Linux User Acccount Security Settings: How to ??

Author : Sanjay K

How to enable Account Password History

Step 1 - Create /etc/security/opasswd file user and group should be root and permission 600/

Step 2 - open /etc/pam.d/system-auth file and put the remember=
[root@oc3716188470 pam.d]# cat /etc/pam.d/system-auth
auth       required
auth       required likeauth nullok try_first_pass
auth       required
account    required
password   required min=disabled,8,8,8,8 passphrase=0 enforce=users
password   sufficient remember=8 nullok use_authtok md5 shadow remember=7
password   required
session    required
session    required
session    optional
[root@oc3716188470 pam.d]#


How to enable Password Complexity
Open /etc/pam.d/system-auth and append this line my example say Forces users to use a password with a length of 8 characters, at least 1 lower-case, 1 upper-case, 2 digits and 1 special character.

password required minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4


How to enable Account Lockout after 3 failed login.

Open /etc/pam.d/system-auth and append this line.

aauth       required onerr=fail no_magic_root

account     required deny=3 no_magic_root reset

The options used above are described below:


    If something strange happens, such as unable to open the file, this determines how the module should react.


    This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for            daemon-launched services, like telnet/rsh/login.

    deny=3The deny=3 option is used to deny access if tally for this user exceeds 3.

    The reset option instructs the module to reset count to 0 on successful entry.


How to enable Password Expiry

# Password aging controls:
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.

Post a Comment