
The Geek Diary


How To Enforce Password Complexity For All Users, Including “root”, By Using the “passwdqc” PAM Module in CentOS/RHEL

by admin

This post outlines the steps to configure password complexity for all users, including root. By default, the “pam_cracklib.so” PAM module does not check password complexity for the “root” user. To overcome this, the “pam_passwdqc.so” module can be used to apply the restrictions to all users, including “root”.

1. “pam_passwdqc.so” is provided by the “pam_passwdqc” package.

# rpm -qf /lib64/security/pam_passwdqc.so
pam_passwdqc-1.0.5-8.el6.x86_64

2. Comment out the “pam_cracklib.so” module line in the /etc/pam.d/system-auth file and add a “pam_passwdqc.so” line. Remember, line order matters!

# password requisite pam_cracklib.so try_first_pass retry=3 type=    ### Comment out this line
password requisite pam_passwdqc.so enforce=everyone    ### Apply password restriction to all users

3. Test the password reset for the root user.

# passwd
Changing password for user root.

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters, digits, and other characters. You can use an 8 character long
password with characters from at least 3 of these 4 classes, or a 7 character long password containing characters from all the
classes. An upper case letter that begins the password and a digit that ends it do not count towards the number of character
classes used, unless disable_firstupper_lastdigit_check option is enabled.

A passphrase should be of at least 3 words, 11 to 40 characters long, and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can pick this as your password: "ambush!nail_buy".

Enter new password:

4. Refer to the “PAM_PASSWDQC” man page for more details and to tune the password complexity.

# man PAM_PASSWDQC

Note: The pam_cracklib.so and pam_passwdqc.so modules provide similar password-checking functionality, so the two should not be used at the same time.
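
An added check, not part of the original post: a shell function that audits a PAM service file for the step 2 change (pam_cracklib.so no longer active, pam_passwdqc.so present with an explicit enforce=everyone, and placed ahead of pam_unix.so so the quality check runs before the password is stored). The function name check_passwdqc, the sample file and its pam_unix.so line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the "password" stack of a
# PAM service file for the change made in step 2.
# check_passwdqc FILE -> prints findings; returns 0 if compliant, 1 if not.
check_passwdqc() {
    awk '
        { sub(/#.*/, "") }                  # drop whole-line and trailing comments
        NF == 0 { next }
        { sub(/^-/, "", $1) }               # "-password" marks an optional module
        $1 != "password" { next }           # only the password stack is audited
        {
            n++
            if ($0 ~ /pam_cracklib\.so/) cracklib = n
            if ($0 ~ /pam_unix\.so/ && !pwunix) pwunix = n
            if ($0 ~ /pam_passwdqc\.so/ && !qc) {
                qc = n
                for (i = 2; i <= NF; i++)
                    if ($i == "enforce=everyone") everyone = 1
            }
        }
        END {
            if (!qc)            { print "FAIL: pam_passwdqc.so not in password stack"; bad = 1 }
            else if (!everyone) { print "FAIL: pam_passwdqc.so without enforce=everyone"; bad = 1 }
            if (cracklib)       { print "FAIL: pam_cracklib.so still active"; bad = 1 }
            if (qc && pwunix && qc > pwunix) { print "FAIL: pam_passwdqc.so comes after pam_unix.so"; bad = 1 }
            if (!bad) print "OK: passwdqc enforced for everyone, ahead of pam_unix.so"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the two lines from step 2 plus a pam_unix.so line as
# commonly found in system-auth (assumed here, not shown in the post).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password requisite pam_cracklib.so try_first_pass retry=3 type=
password requisite pam_passwdqc.so enforce=everyone    ### all users
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
# Audit the file given as the first argument, or the sample when none is given.
check_passwdqc "${1:-$sample}" || true
rm -f "$sample"
```

Run it with /etc/pam.d/system-auth as the argument after editing the file; a non-zero return from check_passwdqc means at least one FAIL line was printed.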

Filed Under: CentOS/RHEL, CentOS/RHEL 6, CentOS/RHEL 7, CentOS/RHEL 8, Linux

© 2022 · The Geek Diary
