  • Authselect Configuration

    Hi all,

    I was recently in the situation of needing to configure password complexity rules for a RHEL 8 instance and ran up against authselect replacing authconfig. In the past, if I wanted to set password complexity requirements I could simply run:

    authconfig --passminlen=16 --update
    

    Not a problem to automate and chains nicely with lots of other complexity requirements like mandating a minimum number of upper, lower, digit and special characters. With RHEL 8/9 though I need to use authselect which is.... not so simple:

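    PROFILE="hardened"
    # Create a custom profile based on sssd and make it the active one
    authselect create-profile "${PROFILE}" -b sssd
    authselect select "custom/${PROFILE}"
    # Append minlen=16 to the pam_pwquality.so line in both templates
    # (-i and -E are separate flags: "-iE" makes GNU sed write backups with suffix "E")
    sed -i -E "s/pam_pwquality\.so local_users_only$/& minlen=16/g" /etc/authselect/custom/${PROFILE}/password-auth /etc/authselect/custom/${PROFILE}/system-auth
    # Regenerate the PAM files from the edited templates
    authselect apply-changes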
    

    And of course that's just for the password length. If I want to set account locks after x number of failed passwords then I need another command for interacting with pam_tally2.so and another one for configuring password history settings with pam_pwhistory.so and of course everything needs to be duplicated in both system-auth and password-auth of whatever authselect profile you're using. Not to mention the whole thing is reliant on a sed command which will only work if the file hasn't been changed and any automation via Ansible will be further complicated because now I have to build in change logic to detect if the complexity requirements already exist before attempting to add it...

    My point is, is there a better way of doing this in RHEL 8/9? Authconfig was such a simple and elegant solution for configuring password requirements and authselect... isn't. Is there an alternative tool or best practice for setting password complexity requirements that doesn't rely on directly modifying pam files via sed in 8/9?
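
The change-detection logic the post describes, as an added example that is not part of the original post: a shell function that sets an option on the `pam_pwquality.so` line only when it is missing or has a different value, and reports whether the file changed. The function names and the sample template are constructed for illustration; after a real edit to a custom profile, `authselect apply-changes` is still needed as in the post.

```shell
#!/usr/bin/env bash
# Added example: idempotent edit of the pam_pwquality.so line in a PAM
# template such as a custom authselect profile's system-auth/password-auth.

# set_pwquality_opt FILE KEY VALUE   (hypothetical helper name)
# Prints "changed" or "unchanged"; returns 2 if no active module line exists.
set_pwquality_opt() {
    local file="$1" key="$2" value="$3" tmp
    local line='^[^#]*pam_pwquality\.so'
    grep -Eq "$line" "$file" || { echo "no pam_pwquality.so line in $file" >&2; return 2; }
    # Already set to the wanted value: leave the file untouched.
    if grep -Eq "${line}([[:space:]].*)?[[:space:]]${key}=${value}([[:space:]]|\$)" "$file"; then
        echo unchanged; return 0
    fi
    tmp=$(mktemp) || return 1
    if grep -Eq "${line}([[:space:]].*)?[[:space:]]${key}=" "$file"; then
        # Key present with another value: rewrite only that value.
        sed -E "/${line}/ s/([[:space:]])${key}=[^[:space:]]*/\1${key}=${value}/" "$file" > "$tmp"
    else
        # Key absent: append it to the end of the module line.
        sed -E "/${line}/ s/[[:space:]]*\$/ ${key}=${value}/" "$file" > "$tmp"
    fi
    # cat instead of mv keeps the original file's owner, mode and SELinux label.
    cat "$tmp" > "$file"; rm -f "$tmp"
    echo changed
}

# Constructed sample input, modelled on a system-auth template.
make_sample() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
password    requisite     pam_pwquality.so local_users_only
password    sufficient    pam_unix.so sha512 shadow use_authtok
EOF
}

f=$(mktemp); make_sample "$f"
set_pwquality_opt "$f" minlen 16   # first run edits the line
set_pwquality_opt "$f" minlen 16   # second run is a no-op
grep pam_pwquality "$f"; rm -f "$f"
```

The "changed"/"unchanged" output is what an automation wrapper would key its changed status on, and the same call covers both template files.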
