Configuring Password Quality Requirements

Objectives

  • Implement password quality and complexity requirements by using PAM modules.

Overview of the PAM Password Quality Module

Many organizations require user passwords to comply with a particular set of rules, which often define the password length or character types. On Red Hat Enterprise Linux, you can use PAM to enforce these security policies and recommended practices.

When a user attempts to change their password through an open application session, PAM uses the rules in the password management group. The following examples show the password management group rules from files in the /etc/pam.d/ directory:

[root@host ~]# grep ^password /etc/pam.d/sshd
password   include      password-auth

[root@host ~]# grep ^password /etc/pam.d/login
password   include      system-auth

In this example, the sshd and login services use include directives to pull in the password-auth and system-auth files, respectively. The password rules in the password-auth and system-auth files are the same.

Note

The authselect tool automatically generates the files in the /etc/pam.d directory based on the selected authselect policy. If a configuration file notes that the authselect tool generated it, then do not manually edit the file, because edits might be overwritten when the authselect tool next runs.

Inspect the /etc/pam.d/system-auth file.

[root@host ~]# grep ^password /etc/pam.d/system-auth
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

PAM rules are parsed and executed from top to bottom. When a user attempts to change their password, PAM calls the requisite pam_pwquality.so entry first.

The pam_pwquality module takes the new password that the user provides, compares it with a dictionary in the /usr/share/cracklib/ directory, and checks it for patterns and easily guessed combinations. By default, the pam_pwquality module expects passwords to be longer than eight characters. Because the module is called with a requisite controller, if the password is deemed not compliant, then the password change immediately stops and control returns to the application that initiated the PAM call. No further PAM rules are inspected.

If the user passes the pam_pwquality check, then PAM executes the sufficient pam_unix.so rule. In the password management group, the pam_unix rule updates the user's password in various back-end storage mechanisms, such as the /etc/passwd file or the /etc/shadow file.

Because the pam_unix rule uses the sufficient controller, if the rule successfully updates the user's password, then PAM closes and passes control back to the application that called it.

PAM reviews the required pam_deny.so rule only if the sufficient pam_unix.so rule fails to update the user's password. The pam_deny rule always returns a failure result. Because the pam_deny rule is required, PAM returns an overall failure to the application that attempts to change the user's password.

Configuring the PAM Password Quality Module

To configure the requirements for password complexity, edit the /etc/security/pwquality.conf file. You can add configuration files in the /etc/security/pwquality.conf.d/ directory. Entries in additional files overwrite the entries in previously loaded files.

Important

In RHEL versions earlier than Red Hat Enterprise Linux 8, manually editing the /etc/pam.d/system-auth and /etc/pam.d/password-auth files was the preferred configuration method. In Red Hat Enterprise Linux 8 and later versions, you apply the changes that would previously have been made in those files by selecting the authselect profile that meets your needs.

The /etc/security/pwquality.conf file contains a list of options that can be set to positive or negative values to achieve specific effects on password requirements:

minlen

This value is the minimum length for a password. By default, all characters contribute one to the overall length score. However, with the credit system, an administrator can give some character types more value, and thus fewer overall characters are required to meet the same length.

lcredit

This value is the amount of credit that lowercase characters contribute to password length. If you set this value to a negative number, then the value specifies the minimum number of lowercase characters.

ucredit

This value is the amount of credit that uppercase characters contribute to password length. If you set this value to a negative number, then the value specifies the minimum number of uppercase characters.

dcredit

This value is the amount of credit that digits contribute to password length. If you set this value to a negative number, then this value specifies the minimum number of digit characters.

ocredit

This value is the amount of credit that other characters contribute to password length. Other characters are symbols and all the characters that are not included in lowercase, uppercase, and digit. If you set this value to a negative number, then the value specifies the minimum number of other characters.

You can combine the different length and complexity requirements with the pam_pwquality module. The chosen combination depends on the security policy or password policy of your organization.

Configuring a Password Policy with Specific Character Class Requirements

You can create minimum requirements for different character classes by using negative values in the /etc/security/pwquality.conf configuration file.

Consider the following example policy:

  • Passwords must be a minimum of eight characters.

  • Passwords must contain at least one uppercase character.

  • Passwords must contain at least two digits.

  • Passwords must contain at least one special character.

To implement this policy, edit the /etc/security/pwquality.conf file to set the following parameters:

[root@host ~]# vim /etc/security/pwquality.conf
minlen = 8
lcredit = 0
ucredit = -1
dcredit = -2
ocredit = -1

Negative values indicate the minimum number of characters for each class. The default value for each entry is listed in the /etc/security/pwquality.conf file.

The Password Credit Mechanism

Although password policies such as the previous one are widespread, they can be a source of frustration for users, who must create and remember passwords with complex combinations of different classes of characters. One solution is to use a variable password requirement. With variable password requirements, a user can create a long password with few or no special characters, or a shorter password with many special characters.

Note

A 2011 study by Carnegie Mellon University and the United States National Institute of Standards and Technology (NIST) found that requiring users to create longer passwords, with no additional requirements for complexity or variation of types of characters in the passwords, produced passwords with more entropy that were easier for users to remember and create. Saranga Komanduri et al. "Of Passwords and People: Measuring the Effect of Password-Composition Policies." In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. Association for Computing Machinery. May, 2011. https://doi.org/10.1145/1978942.1979321

Later studies corroborate the 2011 study, such as a 2016 study by Carnegie Mellon researchers. Richard Shay et al. "Designing Password Policies for Strength and Usability." Association for Computing Machinery. May, 2016. https://doi.org/10.1145/2891411

The pam_pwquality credit mechanism is an implementation of variable password requirements, and is triggered when the credit parameters have positive values.

When the credit mechanism is enabled, the minlen parameter functions as a quality level that the password must reach for the module to accept it:

  • The password earns one point for each character.

  • An additional credit is given for each lowercase character, up to the value of the lcredit parameter.

  • An additional credit is given for each uppercase character, up to the value of the ucredit parameter.

  • An additional credit is given for each digit, up to the value of the dcredit parameter.

  • An additional credit is given for each other character, up to the value of the ocredit parameter.

If the resulting score is equal to or above the minlen parameter, then the password is accepted.

The following /etc/security/pwquality.conf configuration file uses the password credit mechanism:

[root@host ~]# cat /etc/security/pwquality.conf
minlen = 18
lcredit = 1
ucredit = 1
dcredit = 2
ocredit = 5

With the configuration in the previous example, the following table shows how different passwords score against that configuration. The Credit column is the password length plus the credits earned for each character class, with each class capped at its configured value:

Password            Length  Class credits                                    Credit  Status
passwordlowercase   17      lowercase +1, uppercase 0, digit 0, other 0      18      Pass
WithFourUpperChr    16      lowercase +1, uppercase +1, digit 0, other 0     18      Pass
withaspecialch!     15      lowercase +1, uppercase 0, digit 0, other +1     17      Fail
!with-o?char.       13      lowercase +1, uppercase 0, digit 0, other +4     18      Pass
Sco:10+1=11         11      lowercase +1, uppercase +1, digit +2, other +3   18      Pass
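The following Python model is an added example, not code from the course or from libpwquality. It reproduces the minlen and credit arithmetic described in the two policy sections above (negative credits as per-class minimums, positive credits as capped bonus points) and scores the passwords from the table; the function name, class table and policy dicts are constructed for this example, and the dictionary, pattern and repeat checks of pam_pwquality are not modelled.

```python
# Python model (added here, not code from the course or from libpwquality) of the
# pam_pwquality length and credit arithmetic described above. It covers both the
# negative-credit policy (minimum count per class) and the positive-credit
# variable-length mechanism; dictionary, pattern and repeat checks are not modelled.

# Parameter name, label and membership test for each character class. A character
# is classified as digit, then uppercase, then lowercase, otherwise "other", so
# punctuation and spaces all count as other characters.
CHARACTER_CLASSES = [
    ("dcredit", "digit", str.isdigit),
    ("ucredit", "uppercase", str.isupper),
    ("lcredit", "lowercase", str.islower),
    ("ocredit", "other", lambda c: not (c.isdigit() or c.isupper() or c.islower())),
]


def score_password(password, policy):
    """Return (score, accepted, reasons) for a password under a pwquality-style policy.

    A negative credit is the minimum count of that class; a positive credit adds one
    point per character of that class, capped at the credit value. The password is
    accepted when no minimum is violated and length plus earned credits >= minlen.
    """
    score = len(password)
    reasons = []
    for param, label, belongs in CHARACTER_CLASSES:
        credit = policy.get(param, 0)
        count = sum(1 for ch in password if belongs(ch))
        if credit < 0 and count < -credit:
            reasons.append(f"needs at least {-credit} {label} characters, has {count}")
        elif credit > 0:
            score += min(count, credit)
    if score < policy["minlen"]:
        reasons.append(f"score {score} is below minlen {policy['minlen']}")
    return score, not reasons, reasons


# The two policies from this section, as constructed dicts mirroring pwquality.conf.
CLASS_POLICY = {"minlen": 8, "lcredit": 0, "ucredit": -1, "dcredit": -2, "ocredit": -1}
CREDIT_POLICY = {"minlen": 18, "lcredit": 1, "ucredit": 1, "dcredit": 2, "ocredit": 5}

if __name__ == "__main__":
    # Score the passwords from the table above under the credit policy.
    for pw in ["passwordlowercase", "WithFourUpperChr", "withaspecialch!",
               "!with-o?char.", "Sco:10+1=11"]:
        score, ok, why = score_password(pw, CREDIT_POLICY)
        print(f"{pw:18} len={len(pw):2} credit={score:2} {'Pass' if ok else 'Fail'}",
              "; ".join(why))
```

Running the script reproduces the Credit and Status columns of the table; switching to CLASS_POLICY shows which per-class minimum a rejected password misses.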

References

The authselect(8), pam_pwquality(8), and pwquality.conf(5) man pages

For more information, refer to Set Password Policy & Complexity for RHEL 8 & 9 via pam_pwhistory, pam_pwquality & pam_faillock at https://access.redhat.com/solutions/5027331

For more information about the authselect tool, refer to the Configuring User Authentication Using authselect documentation at https://access.redhat.com/documentation/es-es/red_hat_enterprise_linux/9/html-single/configuring_authentication_and_authorization_in_rhel/index#configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel

Revision: rh415-9.2-a821299