
Setting PAM requirements for password complexity and lifecycle

At $work I had a system that had to meet the following, fairly strict, password security requirements:

  • Minimum of 8 characters
  • Minimum of 2 different complexity classes
  • Password expires after 90 days
  • No reuse of the last 5 passwords AND no more than 1 password change per day
  • Temporary lockout after 5 failed attempts in 15 minutes, lockout to last for 15 minutes

Here’s how I solved it:


# cd /etc/pam.d
# cp system-auth-ac system-auth.local
# cp password-auth-ac password-auth.local

Modify both system-auth.local and password-auth.local to include pam_faillock and pam_cracklib. The pam_faillock preauth line has to sit before pam_unix (it is the call that refuses a locked-out user, even one who types the correct password), the authfail line after pam_unix records the failure, and the account-phase call clears the tally once the user logs in successfully. You should end up with something like:

auth required pam_env.so
# preauth runs before the password check; fail_interval defaults to 900s (15 minutes)
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_unix.so nullok try_first_pass
# authfail records the failure and [default=die] ends the stack
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

Link the new files into place so that authconfig does not overwrite them (ln takes the target first and the link name second, so system-auth must end up pointing at system-auth.local, not the other way round):

# ln -sf system-auth.local system-auth
# ln -sf password-auth.local password-auth

Edit /etc/login.defs and change:

PASS_MAX_DAYS 99999 to PASS_MAX_DAYS 90
PASS_MIN_DAYS 0 to PASS_MIN_DAYS 1

login.defs only affects accounts created from now on, so apply the same limits to existing accounts with chage. For root:

# chage -M 90 root
# chage -m 1 root
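The following audit script is an added example, not part of the original post: it parses a system-auth style stack and reports where it falls short of the requirements above, including the easy-to-miss case where pam_faillock counts failures with authfail but no preauth line ever consults the tally. The two sample stacks embedded in it are constructed, and the defaults it assumes for pam_faillock (deny=3, unlock_time=600) and pam_cracklib (minlen=9) are the modules' documented defaults.

```python
import re
# One PAM stack line: type, control word or [bracketed action], module, args.
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    out = []                                            # (type, control, module, {arg: value})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())  # '#' starts a comment in PAM files
        if m:
            t, c, mod, rest = m.groups()
            out.append((t, c, mod, dict(tok.partition("=")[::2] for tok in rest.split())))
    return out

def audit_pam(text, minlen=8, minclass=2, deny=5, unlock=900, remember=5):
    """Return a list of findings; an empty list means the stack meets the policy."""
    e, f = parse_pam(text), []
    def find(t, mod, flag=None, ctl=None):              # index and args of first matching line
        for i, (et, ec, em, ea) in enumerate(e):
            if et == t and em == mod and (flag is None or flag in ea) and ctl in (None, ec):
                return i, ea
        return None, {}
    unix_i, _ = find("auth", "pam_unix.so", ctl="sufficient")
    pre_i, _ = find("auth", "pam_faillock.so", "preauth")
    fail_i, fa = find("auth", "pam_faillock.so", "authfail")
    if pre_i is None or (unix_i is not None and pre_i > unix_i):
        f.append("auth: faillock preauth missing or after the sufficient pam_unix.so line, so a locked user with the right password still logs in")
    if fail_i is None:
        f.append("auth: no faillock authfail line, failures are never counted")
    elif int(fa.get("deny", 3)) > deny or int(fa.get("unlock_time", 600)) < unlock:
        f.append("auth: faillock deny/unlock_time weaker than %d/%d (defaults 3/600)" % (deny, unlock))
    if find("account", "pam_faillock.so")[0] is None:
        f.append("account: pam_faillock.so missing, tally is never cleared after a good login")
    crack_i, ca = find("password", "pam_cracklib.so")
    if crack_i is None or int(ca.get("minlen", 9)) < minlen or int(ca.get("minclass", 0)) < minclass:
        f.append("password: pam_cracklib minlen/minclass below %d/%d" % (minlen, minclass))
    if int(find("password", "pam_unix.so")[1].get("remember", 0)) < remember:
        f.append("password: pam_unix remember below %d" % remember)
    return f

# Constructed sample stacks for demonstration (not copied from a live system).
GOOD = """
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
account required pam_faillock.so
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
"""
# The same stack with failures counted but never enforced: no preauth and no account-phase call.
BAD = "\n".join(l for l in GOOD.splitlines() if "preauth" not in l and not l.startswith("account"))
```

Run it against the real files with `audit_pam(open("/etc/pam.d/system-auth").read())` after the edit; an empty list is the expected result.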
