This post outlines steps to configure password complexity for all the users, including root. The “pam_cracklib.so” PAM module does not check the password complexity for the “root” user by default. So to overcome that the “pam_passwdqc.so” module can be used to apply the restrictions for all the users, including “root”.
1. “pam_passwdqc.so” is provided by “pam_passwdqc” package.
# rpm -qf /lib64/security/pam_passwdqc.so pam_passwdqc-1.0.5-8.el6.x86_64
2. Comment out “pam_cracklib.so” module line in /etc/pam.d/system-auth file and add “pam_passwdqc.so”. Remember, line order matters!
# password requisite pam_cracklib.so try_first_pass retry=3 type= ### Comment out this line password requisite pam_passwdqc.so enforce=everyone ### Apply password restriction to all users
3. Test the password reset for root user.
# passwd Changing password for user root. You can now choose the new password or passphrase. A valid password should be a mix of upper and lower case letters, digits, and other characters. You can use an 8 character long password with characters from at least 3 of these 4 classes, or a 7 character long password containing characters from all the classes. An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used, unless disable_firstupper_lastdigit_check option is enabled. A passphrase should be of at least 3 words, 11 to 40 characters long, and contain enough different characters. Alternatively, if noone else can see your terminal now, you can pick this as your password: "ambush!nail_buy". Enter new password:
4. Refer “PAM_PASSWDQC” man page for more details and to tune the password complexity.
# man PAM_PASSWDQC
Note: – pam_cracklib.so & pam_passwdqc.so module provides similar password checking functionalities so both should not be used at same time.