Home / ubuntu / Questions / 156850
Accepted
Thomas Ward
Asked: 2012-06-28 11:54:46 +0800 CST

How do you set requirements (such as minimum length) on passwords?

  • 772

Is there any way to set up minimum passcode requirements, such as a minimum length, requirement of mixed case alphanumerics and at least 1 symbol in the passcode, and enforce that at passcode changes?

security

3 Answers

  1. Best Answer

    Password complexity in Ubuntu is controlled by PAM. Unfortunately, PAM is "typically Unix" like in its approach. Meaning that it spreads its configuration through a large number of very confusing files.

    The file that controls password complexity is:

    /etc/pam.d/common-password

    There is a line:

    password [success=1 default=ignore] pam_unix.so obscure sha512

    Which defines the basic rules for password complexity. You can add a minimum length override by changing it to:

    password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=12

    or whatever minimum you want. As you can see, the default already defines some basic obscurity rules. These basic rules can be seen in:

    man pam_unix

    Search for "obscure".

    There are a large number of pam modules that can be installed.

    apt-cache search libpam-

    Should show you them.

    You will need to hunt down the documenation for them I'm afraid. But the "cracklib" is a common addition.

    UPDATE: I should have pointed out that the default "obscure" parameter includes tests for complexity based on previous passwords and simplicity (length, number of different types of character). The example in the manpage shows cracklib in action. Install libpam_cracklib to get that working.

    Also, once you have worked out what to change, the changes are the same in other files so that you can enforce the same (or different) password checks for SSH and other applications.

    • 21

  2. Pre-installed PAM modules allow you to set up basic requirements within the light of complexity. There is a nice module which is a successor of pam_cracklib module - pam_pwquality. In order to install it type the following

    apt-get install libpam-pwquality

    then get familiar with this one

    man pam_pwquality

    especially with the "Options" section.

    Now you can edit the common-password in /etc/pam.d/

    vi /etc/pam.d/common-password

    find the line which contains the following "password requisite pam_pwquality.so" statement and after pam_pwquality.so attach your options like this

    password        requisite         pam_pwquality.so minlen=16 ucredit=-4 retry=3

    which stands for "the minimum size of password is 16 characters, where minimum 4 of them a uppercase. Prompt user for password 3 times.

    pam_pwquality allows you make much more complex password requirements in combination with other modules like pam_pwhistory. Good luck

    • 2

  3. Password values are controlled in the file 

    /etc/pam.d/common-password

    For more information on how to modify the file see pam_unix manpage

    • 1