‘ve created a unique default group for each user and also used Linux groups to enhance security. Further a group called “users” allowed to login via ssh. However, I need to enforce password quality-control for all users. How do I create a password policy and enforce its use under CentOS or RHEL 5.x server operating systems?

You can use PAM (Pluggable Authentication Modules) to configure a simple password strength checking and password changing policies for all users. /etc/pam.d/system-auth provides important settings for system authentication.

  1. pam_cracklib – It is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
  2. pam_passwdqc – This module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the “password” feature.
  3. pam_chauthtok() – Service function may ask the user for a new password, and verify that it meets certain minimum standards. If the chosen password is unsatisfactory, the service function returns PAM_AUTHTOK_ERR.

Setup Strength Checking For Passwords

The default pam_cracklib PAM module provides strength-checking for passwords. It rejects the password if any one of the following conditions found:

  • Palindrome – Is the new password a palindrome of the old one?
  • Case Change Only – Is the new password the the old one with only a change of case?
  • Similar – Is the new password too much like the old one?
  • Simple – Is the new password too small?
  • Rotated – Is the new password a rotated version of the old password?
  • Already used – Was the password used in the past? Previously used passwords are to be found in /etc/security/opasswd.
WARNING! These examples may crash your computer if executed. Be careful when making changes to PAM’s configuration files. Make sure you first test all options using the sandbox environment.

How To Use pam_passwdqc – Password Quality-control PAM Module

Edit the file /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /root/backup/system-auth
# vi /etc/pam.d/system-auth

Find the line:

password    requisite     pam_cracklib.so try_first_pass retry=3

and replace it with the following line:

password    requisite    pam_passwdqc.so min=disabled,disabled,12,8,7 retry=3


See the help file /usr/share/doc/pam_passwdqc-1.0.2/README and the man page pam_passwdqc for detailed configuration options.

How Do I Lockout User Accounts?

You need to use the pam tally2 PAM module which provides the capability to lock out user accounts after a number of failed login attempts.


} else {