Author : Sanjay K
How to enable Account Password History
===========================
Step 1 - Create the /etc/security/opasswd file; its user and group should be root and its permission 600.
Step 2 - Open the /etc/pam.d/system-auth file and add the remember= option to the pam_unix.so password line, as in the example below:
[root@oc3716188470 pam.d]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_shells.so
auth required pam_unix.so likeauth nullok try_first_pass
auth required pam_nologin.so
#
account required pam_unix.so
#
password required pam_passwdqc.so min=disabled,8,8,8,8 passphrase=0 enforce=users
password sufficient pam_unix.so remember=8 nullok use_authtok md5 shadow remember=7
password required pam_deny.so
#
session required pam_limits.so
session required pam_unix.so
session optional pam_console.so
[root@oc3716188470 pam.d]#
==================================
How to enable Password Complexity
==================================
Open /etc/pam.d/system-auth and append the following line. The example below forces users to use a password with a length of 8 characters, at least 1 lower-case letter, 1 upper-case letter, 2 digits and 1 special character.
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
==================================
How to enable Account Lockout after 3 failed login.
==================================
Open /etc/pam.d/system-auth and append this line.
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 no_magic_root reset
The options used above are described below:
onerr=fail
If something strange happens, such as unable to open the file, this determines how the module should react.
no_magic_root
This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.
deny=3
The deny=3 option is used to deny access if the tally for this user exceeds 3.
reset
The reset option instructs the module to reset count to 0 on successful entry.
=======================
How to enable Password Expiry
=======================
Open /etc/login.defs and set the password aging controls:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 7
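As an added check (not part of the original guide), the following POSIX shell script audits a system-auth file and a login.defs file for the four controls described above, using the guide's own thresholds (remember >= 7, minlen 8, deny 3, PASS_MAX_DAYS 90). The function names, the file paths it takes as arguments and the two sample files it writes are constructed for this example.

```shell
#!/bin/sh
# Added audit example (not part of the original guide): checks a PAM file and
# a login.defs file for the four controls described above. Paths are arguments
# so it runs on the constructed samples below or on /etc/pam.d/system-auth and
# /etc/login.defs. Thresholds are the values used in the guide.

# Print the value of OPTION (e.g. remember) from lines of TYPE that load MODULE.
# If the option is repeated on one line, the last occurrence wins.
pam_opt() { # pam_opt FILE TYPE MODULE OPTION
    grep -E "^[[:space:]]*$2[[:space:]].*$3" "$1" |
        grep -oE "$4=[^[:space:]]+" | tail -n 1 | cut -d= -f2
}

# Print the value of KEY from login.defs; comment lines have '#' as field 1.
defs_val() { awk -v k="$2" '$1 == k { print $2 }' "$1" | tail -n 1; }

# Report one PASS/FAIL line per control; return the number of failures.
audit() { # audit PAM_FILE LOGIN_DEFS
    fails=0
    r=$(pam_opt "$1" password pam_unix.so remember)
    if [ -n "$r" ] && [ "$r" -ge 7 ]; then echo "PASS history remember=$r"
    else echo "FAIL history: pam_unix remember= missing or < 7"; fails=$((fails + 1)); fi
    m=$(pam_opt "$1" password pam_cracklib.so minlen)
    if [ -n "$m" ] && [ "$m" -ge 8 ]; then echo "PASS complexity minlen=$m"
    else echo "FAIL complexity: pam_cracklib minlen missing or < 8"; fails=$((fails + 1)); fi
    d=$(pam_opt "$1" account pam_tally.so deny)
    if [ -n "$d" ] && [ "$d" -ge 1 ] && [ "$d" -le 3 ]; then echo "PASS lockout deny=$d"
    else echo "FAIL lockout: pam_tally deny missing or > 3"; fails=$((fails + 1)); fi
    x=$(defs_val "$2" PASS_MAX_DAYS)
    if [ -n "$x" ] && [ "$x" -ge 1 ] && [ "$x" -le 90 ]; then echo "PASS expiry PASS_MAX_DAYS=$x"
    else echo "FAIL expiry: PASS_MAX_DAYS missing or > 90"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed samples: one host hardened per the guide, one left at defaults.
TMP=$(mktemp -d)
cat >"$TMP/hardened.pam" <<'EOF'
auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 no_magic_root reset
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=4
password sufficient pam_unix.so remember=8 nullok use_authtok md5 shadow remember=7
EOF
printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n' >"$TMP/hardened.defs"
printf 'password sufficient pam_unix.so nullok use_authtok md5 shadow\n' >"$TMP/weak.pam"
printf '# PASS_MAX_DAYS 99999\nPASS_MAX_DAYS 99999\n' >"$TMP/weak.defs"

audit "$TMP/hardened.pam" "$TMP/hardened.defs"                 # all PASS, returns 0
audit "$TMP/weak.pam" "$TMP/weak.defs" || echo "weak host: $? control(s) failing"
```

Note that the guide's pam_unix line sets remember= twice (8 and 7); the audit takes the last value, so tidy the line to a single remember= before relying on the result.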