{"id":2403,"date":"2019-03-22T17:26:29","date_gmt":"2019-03-22T14:26:29","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2403"},"modified":"2019-03-22T17:26:29","modified_gmt":"2019-03-22T14:26:29","slug":"enforce-password-complexity-policy-on-centos-7-rhel-derivatives","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enforce-password-complexity-policy-on-centos-7-rhel-derivatives\/","title":{"rendered":"Enforce Password Complexity Policy On CentOS 7\/RHEL Derivatives"},"content":{"rendered":"<p>In this guide, we are going to learn how to enforce a password complexity policy on CentOS 7\/RHEL based derivatives. Our previous guide covered the enforcement of password complexity on Ubuntu 18.04. You can check it by following the link below;<\/p>\n<ul>\n<li class=\"entry-title td-module-title\"><a title=\"Enforce Password Complexity Policy On Ubuntu 18.04\" href=\"https:\/\/kifarunix.com\/enforce-password-complexity-policy-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"bookmark noopener\">Enforce Password Complexity Policy On Ubuntu 18.04<\/a><\/li>\n<\/ul>\n<h3>Enforce Password Complexity Policy On CentOS 7<\/h3>\n<p>Similar to our previous guide, we are going to use the PAM <code>pwquality<\/code> module to enforce the password complexity policy on CentOS 7\/RHEL based derivatives.<\/p>\n<p>In Ubuntu or Debian based derivatives, we modified the <code>\/etc\/pam.d\/common-password<\/code> configuration file. 
For CentOS 7 or similar derivatives, the <code>\/etc\/security\/pwquality.conf<\/code> or <code>\/etc\/pam.d\/system-auth<\/code> configuration file is used.<\/p>\n<p>As usual, make a backup of the configuration files before making changes, just in case things go south.<\/p>\n<pre>cp \/etc\/security\/pwquality.conf \/etc\/security\/pwquality.conf.original<\/pre>\n<pre>cp \/etc\/pam.d\/system-auth \/etc\/pam.d\/system-auth.original<\/pre>\n<p>Open the configuration file for editing.<\/p>\n<pre>vim \/etc\/pam.d\/system-auth<\/pre>\n<p>Locate the line that loads the <code>pam_pwquality.so<\/code> module;<\/p>\n<pre>password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=<\/pre>\n<p>Comment out that line and replace it with the line below;<\/p>\n<pre>password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= <strong>minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root<\/strong><\/pre>\n<p>Where:<\/p>\n<ul>\n<li><strong><code>minlen=8<\/code><\/strong> &#8211; sets the minimum password length to 8 characters.<\/li>\n<li><strong><code>lcredit=-1<\/code><\/strong> &#8211; sets the minimum number of lower case letters that the password must contain to at least one.<\/li>\n<li><strong><code>ucredit=-1<\/code><\/strong> &#8211; sets the minimum number of upper case letters in a password to at least one.<\/li>\n<li><strong><code>dcredit=-1<\/code><\/strong> &#8211; sets the minimum number of digits in a password to at least one.<\/li>\n<li><strong><code>ocredit=-1<\/code><\/strong> &#8211; sets the minimum number of other symbols such as @, #, ! 
$ or % in a password to at least one.<\/li>\n<li><strong><code>enforce_for_root<\/code><\/strong> &#8211; ensures that the complexity policy is enforced even when it is the root user setting the password.<\/li>\n<\/ul>\n<p>You can also achieve the same by using the <code>authconfig<\/code> command line utility as shown below;<\/p>\n<pre>authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --passmaxrepeat=3 --update<\/pre>\n<p>The above command ensures that a password has at least (in the respective order);<\/p>\n<ul>\n<li>one lower case letter<\/li>\n<li>one upper case letter<\/li>\n<li>one digit<\/li>\n<li>one other (non-alphanumeric) character<\/li>\n<li>8 characters in length<\/li>\n<li>no more than 3 characters similar to the previous password.<\/li>\n<\/ul>\n<p>The changes are written to <code>\/etc\/security\/pwquality.conf<\/code>.<\/p>\n<pre>tail \/etc\/security\/pwquality.conf\r\n# Path to the cracklib dictionaries. Default is to use the cracklib default.\r\n# dictpath =\r\nminlen = 8\r\nminclass = 1\r\nmaxrepeat = 3\r\nmaxclassrepeat = 0\r\nlcredit = -1\r\nucredit = -1\r\ndcredit = -1\r\nocredit = -1<\/pre>\n<p>Note that root or any user with sudo rights can always set any password irrespective of the enforced policies. 
However, to ensure that the password complexity policies apply to both root and users with sudo rights, you must append the <strong><code>enforce_for_root<\/code><\/strong> option to the line below in <code>\/etc\/pam.d\/system-auth<\/code>.<\/p>\n<pre>password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= <strong>enforce_for_root<\/strong><\/pre>\n<h3>Testing Password Enforcement Policy<\/h3>\n<p>As the root user, try to change the password of a user to a password that doesn&#8217;t meet the set requirements.<\/p>\n<pre>[root@Cent7 ~]# passwd amos\r\nChanging password for user amos.\r\nNew password: @moskifaru1\r\nBAD PASSWORD: The password contains less than 1 uppercase letters\r\nNew password: @mosKifaru\r\nBAD PASSWORD: The password contains less than 1 digits\r\nNew password: mosKifaru1\r\nBAD PASSWORD: The password contains less than 1 non-alphanumeric characters\r\npasswd: Have exhausted maximum number of retries for service<\/pre>\n<p>Now test with a password that meets the policy, @mosKifaru1;<\/p>\n<pre>[root@Cent7 ~]# passwd amos\r\nChanging password for user amos.\r\nNew password: @mosKifaru1\r\nRetype new password: @mosKifaru1\r\npasswd: all authentication tokens updated successfully.<\/pre>\n<p>That is all about how to enforce a password complexity policy on CentOS 7. Enjoy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to enforce password complexity policy on CentOS 7\/RHEL based derivatives. 
Our previous guide covered the enforcement<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[352,34],"tags":[88,356],"class_list":["post-2403","post","type-post","status-publish","format-standard","hentry","category-password-policies","category-security","tag-centos-7","tag-pam_pwquality","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2403"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2403"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2403\/revisions"}],"predecessor-version":[{"id":2411,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2403\/revisions\/2411"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}