Password Rules and Aging Management
Added by IBM on November 30, 2011 | Version 1 (Original)
The parameters for password rules and aging management are described here.
Password rules are globally enforced using the custom PAM module pam_passwd_mgmt.so.
This module checks password strength for PAM-aware password changing programs, such as passwd. In addition to checking regular passwords, it offers support for password history and pass phrases, and can provide randomly generated passwords. All features are optional and can be reconfigured without rebuilding.
There are a number of supported parameters which can be used to modify the behavior of pam_passwd_mgmt. The table below lists and describes each; the default, where one applies, is given after the description.
Table 1. Parameters to Modify Behavior of pam_passwd_mgmt
min=N0,N1,N2,N3,N4
This parameter sets the minimum allowed password lengths for different kinds of passwords and pass phrases. The keyword "disabled" can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one.
N0 is used for passwords consisting of characters from one character class only. The character classes are digits, lowercase letters, uppercase letters, and other characters. There is also a special class for non-ASCII characters, which cannot be classified, but are assumed to be non-digits.
N1 is used for passwords consisting of characters from two character classes, which do not meet the requirements for a pass phrase.
N2 is used for pass phrases. A pass phrase must consist of sufficient words (see the "passphrase" option below).
N3 is used for passwords consisting of characters from three character classes.
N4 is used for passwords consisting of characters from four character classes.
When calculating the number of character classes, uppercase letters used as the first character and digits used as the last character of a password are not counted.
In addition to being long enough, passwords are required to contain enough different characters for the character class and the minimum length they have been checked against.
Default: min=disabled,24,12,8,7
max=N
This parameter sets the maximum allowed password length. This can be used to prevent users from setting passwords which may be too long for some system services.
The value 8 is treated differently. With max=8, passwords longer than 8 characters are not rejected, but are truncated to 8 characters for the strength checks; the user will be warned. This is to be used with the traditional DES-based password hashes, which truncate the password at 8 characters.
It is important that max=8 be set if traditional hashes are used; otherwise, some weak passwords pass the checks. Stronger encryption algorithms, such as MD5 or Blowfish, are available by changing the default password encryption algorithm in /etc/security/policy.conf. With the stronger password encryption algorithm, passwords longer than 8 characters are not truncated.
For example, to use Blowfish as the password encryption algorithm, set the variable CRYPT_DEFAULT=2a in /etc/security/policy.conf.
passphrase=N
This parameter sets the number of words required for a pass phrase, or 0 to disable the support for pass phrases.
match=N
This parameter sets the length of the common substring required to conclude that a password is at least partially based on information found in a character string, or 0 to disable the substring search. Note that the password is not rejected if a weak substring is found; it is instead subjected to the usual strength requirements with the weak substring removed. The substring search is case-insensitive, and is able to detect and remove a common substring spelled backwards.
similar=permit|deny
This parameter specifies whether a new password can be similar to the old one. The passwords are considered to be similar when there is a sufficiently long common substring and the new password with the substring removed would be weak.
random=N[,only]
This parameter sets the size of randomly generated passwords in bits, or 0 to disable this feature. Passwords that contain the offered randomly generated string are allowed regardless of other possible restrictions.
The "only" modifier can be used to disallow user-chosen passwords.
enforce=none|users|everyone
This parameter permits the module to be configured to warn of weak passwords only, but not actually enforce strong passwords. The "users" setting enforces strong passwords for invocations by non-root users only.
non-unix
This parameter controls whether getpwnam(3) is used to obtain the user's personal login information for use during the password strength checks.
Default: non-unix
retry=N
This parameter sets the number of times the module requests a new password if the user fails to provide a sufficiently strong password and enter it twice the first time.
ask_oldauthtok[=update]
Ask for the old password as well. Normally, pam_passwd_mgmt leaves this task for subsequent modules. With no argument, the "ask_oldauthtok" option will cause pam_passwd_mgmt to ask for the old password during the preliminary check phase. With "ask_oldauthtok=update", pam_passwd_mgmt will do that during the update phase.
check_oldauthtok
This tells pam_passwd_mgmt to validate the old password before giving a new password prompt. Normally, this task is left for subsequent modules.
The primary use for this option is when "ask_oldauthtok=update" is also specified, in which case no other module gets a chance to ask for and validate the password. Of course, this will only work with Unix passwords.
Default: check_oldauthtok
use_first_pass | use_authtok
Use the new password obtained by modules stacked before pam_passwd_mgmt. This disables user interaction within pam_passwd_mgmt. With this module, the only difference between "use_first_pass" and "use_authtok" is that the former is incompatible with "ask_oldauthtok".
Default: use_first_pass, use_authtok
pw_iteration_nr=N
This parameter remembers the last N passwords and does not allow the user to reuse any of them for the next N password changes. N is a number between 1 and 400.
pw_iteration_length=N
This parameter sets the length, in N days, during which a password cannot be reused. N is a number between 180 and 3650.
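As an added example (not pam_passwd_mgmt's own code), the following Python re-implements the "min", "max" and "passphrase" checks described above under an assumed reading of those rules, using the page's default min=disabled,24,12,8,7 together with assumed example settings of passphrase=3 and max=40:

```python
# Added illustration of the "min", "max" and "passphrase" rules described above.
# This is not pam_passwd_mgmt's code; the semantics below are an assumed reading.
DEFAULT_MIN = (None, 24, 12, 8, 7)    # the page's default: min=disabled,24,12,8,7
MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}   # classes -> N index; N2 (index 2) is for pass phrases

def char_classes(pw: str) -> int:
    """Count character classes (digits, lowercase, uppercase, other, non-ASCII).
    A leading uppercase letter and a trailing digit are not counted."""
    body = pw[1:] if pw[:1].isupper() and pw[:1].isascii() else pw
    if body[-1:].isdigit() and body[-1:].isascii():
        body = body[:-1]
    classes = set()
    for c in body:
        if not c.isascii():
            classes.add("nonascii")    # special class, assumed to be a non-digit
        elif c.isdigit():
            classes.add("digit")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        else:
            classes.add("other")
    return min(len(classes), 4)

def verdict(pw: str, min_lens=DEFAULT_MIN, max_len=40, passphrase_words=3) -> str:
    """Return "ok" or the reason the candidate fails the policy
    (max_len=40 and passphrase_words=3 are assumed example settings)."""
    if max_len == 8:
        pw = pw[:8]                    # DES hashes keep 8 chars: check only what is stored
    elif len(pw) > max_len:
        return "too long"
    length, distinct = len(pw), len(set(pw))

    def meets(need):                   # long enough AND enough different characters
        return need is not None and length >= need and distinct >= need

    if passphrase_words and len(pw.split()) >= passphrase_words and meets(min_lens[2]):
        return "ok"                    # accepted as a pass phrase against N2
    idx = MIN_INDEX.get(char_classes(pw))
    if idx is None:
        return "no countable character classes"
    if min_lens[idx] is None:
        return "passwords of this kind are disabled"
    return "ok" if meets(min_lens[idx]) else "too short or too few different characters"
```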
Password aging rules are globally enforced by one of the following methods:
By accepting the defaults for account creation in /etc/login.defs, which indicate the password aging controls (used by useradd) listed in the table below.
Table 2. Password Aging Control Parameters in /etc/login.defs
PASS_MAX_DAYS=90
This parameter specifies the maximum number of days a password may be used.
PASS_MIN_DAYS=1
This parameter specifies the minimum number of days allowed between password changes.
PASS_WARN_AGE=7
This parameter specifies the number of days' warning given before a password expires.
PASS_MIN_LEN=8
This parameter specifies the minimum length of a password.
Additionally, the following command must be executed to require the user to change the password upon initial logon:
chage -d 0 <username>
By using the passwd command, as follows:
passwd -x 90 -n 1 -w 14 -i 30 <username>
In this command:
-x sets the maximum number of days before the expiration.
-n sets the minimum number of days before the next change.
-w sets the number of days of warning before the expiration.
-i sets the login grace period, after the password has expired, before the account is locked.
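As an added example (not from the page, IBM, or the shadow utilities), the following Python evaluates constructed /etc/shadow-style records carrying exactly these values (max 90, min 1, warn 14, inactive 30, and lastchg 0 as left by chage -d 0) and reports which aging state each account is in on a given day; the hashes are placeholders and the records are constructed:

```python
# Added illustration of how the aging values set above (passwd -x 90 -n 1 -w 14 -i 30,
# chage -d 0) are evaluated from /etc/shadow fields. Not IBM's or shadow's code.
# Shadow fields after the hash: lastchg (days since 1970-01-01), min, max, warn, inactive.
from datetime import date

# Constructed sample; "$6$PLACEHOLDER" stands in for real hashes.
SAMPLE_SHADOW = """\
alice:$6$PLACEHOLDER:19600:1:90:14:30::
bob:$6$PLACEHOLDER:0:1:90:14:30::
carol:$6$PLACEHOLDER:19500:1:90:14:30::
dave:$6$PLACEHOLDER:19450:1:90:14:30::
erin:$6$PLACEHOLDER:19540:1:90:14:30::
"""

def day_number(d: date) -> int:
    """Days since the epoch, the unit /etc/shadow uses for lastchg."""
    return (d - date(1970, 1, 1)).days

def parse_shadow(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 8:
            continue                       # not a shadow record
        vals = [int(x) if x else None for x in f[2:7]]
        entries[f[0]] = dict(zip(("lastchg", "min", "max", "warn", "inactive"), vals))
    return entries

def aging_status(e: dict, today: int) -> str:
    """Classify one account for a given day number, following the -x/-w/-i semantics."""
    if e["lastchg"] == 0:
        return "must change at next login"  # the effect of: chage -d 0 <username>
    if e["max"] is None:
        return "never expires"
    expires = e["lastchg"] + e["max"]       # last day the password is valid
    if e["inactive"] is not None and today > expires + e["inactive"]:
        return "expired, account locked"    # grace period (-i) exhausted
    if today > expires:
        return "expired, in grace period"
    if e["warn"] and today >= expires - e["warn"]:
        return "expires in %d days" % (expires - today)
    return "ok"

def can_change_now(e: dict, today: int) -> bool:
    """PASS_MIN_DAYS / -n: the password may not be changed again too soon."""
    return e["min"] is None or today >= e["lastchg"] + e["min"]

def audit(text: str, today: int) -> dict:
    return {u: aging_status(e, today) for u, e in parse_shadow(text).items()}
```

Pass `day_number(date.today())` as `today` to audit a real copy of the file.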
Enforcing root password aging and expiration requires the AGE_ROOT parameter in /etc/security/pam_login_auth.conf to be enabled. When this parameter is enabled, the root user is prompted to change the password when it expires. However, it is recommended that this parameter be disabled.
Expiration of the root password does not lock the account. However, allowing it to expire breaks the public key-based internode access until a new password is specified.