How to configure password complexity for all users including root using pam_passwdqc.so


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • pam_passwdqc.so

Issue

  • How to configure password complexity for all users including root using passwdqc
  • Is it possible to configure/apply password complexity for all users including root using pam_cracklib module?
  • Which module should I use to configure password complexity for the root user?
  • Configure password complexity for root and other users using pam_passwdqc
  • PAM pam_cracklib.so restrictions in password definition are not being forced (getting applied) to root account
  • Use PAM module pam_passwdqc.so to meet specific password strength criteria
  • Enforce password policies for root user using passwdqc.

Resolution

  • By default, Red Hat Enterprise Linux uses the cracklib module to check password strength. However, the cracklib module doesn't enforce password strength checking for the root user. To enforce password checking for all accounts, including root, another PAM module called passwdqc can be used instead of the cracklib module.

  • The pam_passwdqc.so module is provided by the pam_passwdqc package in Red Hat Enterprise Linux:

# rpm -qf /lib64/security/pam_passwdqc.so
pam_passwdqc-1.0.5-6.el6.x86_64

  • Modify the /etc/pam.d/system-auth file as follows:
    Change the following line from:

password    requisite     pam_cracklib.so try_first_pass retry=3

to:

password    requisite     pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3

  • The passwdqc module uses different password checking options from the cracklib module. For detailed information on how to modify the behaviour of the passwdqc module, refer to the pam_passwdqc man page:

# man pam_passwdqc

  • Note that the passwdqc and cracklib modules perform similar functions and should not be used in the same PAM configuration file. Also, password strength checking cannot be enforced during the installation process of Red Hat Enterprise Linux.

  • If configuring on Red Hat Enterprise Linux 6 or above, the /etc/pam.d/password-auth file needs to be modified as well.
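
A read-only check of the result of the steps above, as an added example that is not part of the Red Hat solution. The function names are this example's own; it reports the min= setting and fails a file if no active pam_passwdqc.so line is found, if enforce= is not explicitly set to everyone as in the line above, or if pam_cracklib.so is still active in the same file.

```shell
#!/bin/bash
# Added example (not Red Hat's code): audit PAM files for the passwdqc change.

# Print the first active password-stack line that loads module $1 in file $2.
# Whole-field matching copes with bracketed controls and full module paths.
pam_password_line() {
    awk -v m="$1" '$1 == "password" {
        for (i = 3; i <= NF; i++)
            if ($i == m || $i ~ ("/" m "$")) { print; exit }
    }' "$2"
}

# Print the value of option $1 (e.g. enforce, min) from a PAM line on stdin.
pam_option() {
    tr ' \t' '\n\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Audit one PAM file; returns 0 only if every check passes.
audit_passwdqc() {
    local file=$1 line enforce rc=0
    line=$(pam_password_line pam_passwdqc.so "$file")
    if [ -z "$line" ]; then
        echo "FAIL $file: no active pam_passwdqc.so line in the password stack"
        return 1
    fi
    echo "INFO $file: min=$(printf '%s\n' "$line" | pam_option min)"
    enforce=$(printf '%s\n' "$line" | pam_option enforce)
    if [ "$enforce" != "everyone" ]; then
        echo "FAIL $file: enforce=${enforce:-unset}, expected enforce=everyone"
        rc=1
    fi
    if [ -n "$(pam_password_line pam_cracklib.so "$file")" ]; then
        echo "FAIL $file: pam_cracklib.so is still active alongside passwdqc"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS $file"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do audit_passwdqc "$f" || status=1; done
    exit "$status"
else
    # No arguments: run against a constructed sample holding the article's line.
    sample=$(mktemp)
    echo 'password    requisite     pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3' > "$sample"
    audit_passwdqc "$sample"; rm -f "$sample"
fi
```

Saved to a file of your choosing, it can be run with /etc/pam.d/system-auth and /etc/pam.d/password-auth as arguments; the exit status is non-zero if either file fails a check.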


4 Comments

What about RHEL 7?

Hi, I have a doubt about how to define the minimum password length. Should I change both files, /etc/pam.d/password-auth and /etc/pam.d/system-auth? Or only in versions 6 and 7? And in RHEL 5, should I change only /etc/pam.d/system-auth?

Thanks in advance!

How do I display the current settings for minimum password length, and required complexity, in RHEL 6?

"If configuring on a Red Hat Enterprise Linux 6 or above, /etc/pam.d/password-auth file need to be modified as well."

https://access.redhat.com/solutions/45492

Resolution

There is a note about it in the Migration Guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/migration_planning_guide/sect-migration_guide-security_authentication-pam

"The PAM module for sshd and other remote services such as ftpd now include the /etc/pam.d/password-auth file in Red Hat Enterprise Linux 6 instead of /etc/pam.d/system-auth. "