New into Enterprise Linux 7 which includes CentOS 7, Red Hat 7 and Scientific Linux 7 is the ability to create and manage password policies. Yes, you can become all powerful and start setting the quality of password used; no more Password1 and so on. These policies make good use of the PAM module pam_pwquality.so. In EL 7, this module replaces the original pam_cracklib.so.
pam_pwquality.so replaces pam_cracklib.so
The new PAM module is enabled in the file /etc/pam.d/system-auth so that when password changes are implemented the password is compared against the policy that we create in the /etc/security/pwquality.conf. As a simple test we can use the command pwscore to evaluate a potential passwords without having to change passwords. The quality of the password is evaluated so we can start to understand better passwords. So you will need to know how to use this module.
Configuring Password Policies
Entries in the pwquality file can include the following examples:
- difok =3 Where we say we need a minimum of 3 different characters in a new password when compared against the current password
- minlen = 8 Where we require a password length of a minimum of 8 characters
- ucredit = -1 Where we require a least 1 upper case letter
- lcredit = -1 Where we require at least 1 lower case letter
- dcredit = -1 Where we require at least 1 number
- ocredit = -1 Where we require at least 1 non-alphanumeric character
- minclass = 2 States that we need at least 2 classes or characters: )upper, lower, digit and other)
- maxrepeat = 3 Where we reject passwords that have occurrences a 4 or more repeating identical characters
- maxclassrepeat = 2 Where we reject passwords that have 3 or more consecutive characters of the same class
The video steps you through the process: