• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer navigation

The Geek Diary

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • VCS
  • Interview Questions
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
  • DevOps
    • Docker
    • Shell Scripting
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

How To Enforce Password Complexity For All Users, Including “root”, By Using the “passwdqc” PAM Module CentOS/RHEL

by admin

This post outlines steps to configure password complexity for all the users, including root. The “pam_cracklib.so” PAM module does not check the password complexity for the “root” user by default. So to overcome that the “pam_passwdqc.so” module can be used to apply the restrictions for all the users, including “root”.

1. “pam_passwdqc.so” is provided by “pam_passwdqc” package.

# rpm -qf /lib64/security/pam_passwdqc.so
pam_passwdqc-1.0.5-8.el6.x86_64

2. Comment out “pam_cracklib.so” module line in /etc/pam.d/system-auth file and add “pam_passwdqc.so”. Remember, line order matters!

# password requisite pam_cracklib.so try_first_pass retry=3 type=    ### Comment out this line
password requisite pam_passwdqc.so enforce=everyone    ### Apply password restriction to all users

3. Test the password reset for root user.

# passwd
Changing password for user root.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters, digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes, or a 7 character long password containing characters from all the
classes. An upper case letter that begins the password and a digit that ends it do not count towards the number of character
classes used, unless disable_firstupper_lastdigit_check option is enabled.

A passphrase should be of at least 3 words, 11 to 40 characters long, and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can pick this as your password: "ambush!nail_buy".

Enter new password:

4. Refer “PAM_PASSWDQC” man page for more details and to tune the password complexity.

# man PAM_PASSWDQC
Note: – pam_cracklib.so & pam_passwdqc.so module provides similar password checking functionalities so both should not be used at same time.

Filed Under: CentOS/RHEL, CentOS/RHEL 6, CentOS/RHEL 7, CentOS/RHEL 8, Linux

Some more articles you might also be interested in …

  1. How to Create a New Directory in Linux
  2. How to Calculate Memory Usage in Linux using sar, ps, and free
  3. cp: command not found
  4. Unix file basics : Inode, Soft Vs Hard link, Device files, Named pipes
  5. vncviewer Command Examples in Linux
  6. How to Extend allowed number of loopback devices
  7. snap: command not found
  8. if Command Examples in Linux
  9. faillog Command Examples in Linux
  10. Understanding SELinux Booleans

You May Also Like

Primary Sidebar

Recent Posts

  • aws ec2: CLI for AWS EC2 (Command Examples)
  • aws cur – Create, query, and delete AWS usage report definitions (Command Examples)
  • aws configure – Manage configuration for the AWS CLI (Command Examples)
  • aws cognito-idp: Manage Amazon Cognito user pool and its users and groups using the CLI

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright