The Pluggable Authentication Modules (PAM) feature allows you to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are opened.
PAM is highly customizable: each check is performed by a separate module, and each module accepts its own parameters, so the policy is set by which modules are stacked in a service file and with which arguments.
For example, the default password integrity checking module, pam_cracklib.so, tests password strength. The PAM configuration file (/etc/pam.d/system-auth) contains the following default entries for testing a password's strength:

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
The line for pam_cracklib.so defines that a user gets three attempts (retry=3) to choose a good password. With the module's default settings, the password must be a minimum of six characters long, of which three characters must be different from the previous password. Because the control flag is requisite, a password that pam_cracklib.so rejects fails the whole stack immediately.
The line for pam_unix.so specifies use_authtok, so the module does not prompt for or check the new password itself but sets the password that pam_cracklib.so has already collected and checked; sha512 selects SHA-512 password hashing, nullok allows the change to proceed even if the existing password is null, and shadow stores the hash in the /etc/shadow file. Because the control flag is sufficient, success by pam_unix.so ends the stack; the final pam_deny.so line rejects the request only if no earlier module has succeeded.
You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:

password required pam_cracklib.so retry=3 minlen=8 difok=5 minclass=4
password required pam_unix.so use_authtok sha512 shadow remember=5
password required pam_deny.so
The line for pam_cracklib.so gives a user three attempts to choose a good password of at least eight characters (minlen=8), of which at least five must differ from the previous password (difok=5), and which must draw on all four character classes (minclass=4): at least one upper case letter, one lower case letter, one numeric digit, and one non-alphanumeric character.
The line for pam_unix.so specifies that the module is to set the new password that pam_cracklib.so has already checked rather than prompting for one (use_authtok), to use SHA-512 password hashing, to use the /etc/shadow file, and to save the hashes of the previous five passwords for each user in the /etc/security/opasswd file so that none of them can be reused (remember=5). As nullok is not specified, a user cannot change his or her password if the existing password is null. The omission of the try_first_pass keyword means that the user is always prompted, rather than the module reusing a password already entered for a previous module in the stack.
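As an added example (not part of this guide and not Linux-PAM's own code), the following Python script parses the password stack of a PAM service file and reports the weak settings discussed above: a missing or low minlen, too few required character classes, an unset difok, nullok, a missing remember, no strong hash selected, and a pam_unix.so line without use_authtok. The two stacks embedded in it are the default and hardened configurations quoted above, included as constructed input so that it runs offline; the policy thresholds, the wording of the findings, the function names and the treatment of pam_pwquality.so as equivalent to pam_cracklib.so are this example's own choices.

```python
"""Audit the password stack of a PAM service file for weak settings.

Added example for this guide, not Oracle's or Linux-PAM's code. The two stacks
below are the default and hardened configurations quoted in the text, embedded
as constructed input so the script runs offline; pass a path such as
/etc/pam.d/system-auth on the command line to audit a real file. The thresholds
(8 characters, 4 character classes, 5 remembered passwords) are this example's
own policy choices.
"""
import sys

DEFAULT_STACK = """\
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""
HARDENED_STACK = """\
password required pam_cracklib.so retry=3 minlen=8 difok=5 minclass=4
password required pam_unix.so use_authtok sha512 shadow remember=5
password required pam_deny.so
"""
# pam_pwquality.so replaces pam_cracklib.so on newer systems and takes the same
# minlen/difok/minclass/*credit parameters, so both are treated alike here.
STRENGTH_MODULES = ("pam_cracklib.so", "pam_pwquality.so")
STRONG_HASHES = ("sha512", "yescrypt", "gost_yescrypt")
CREDIT_ARGS = ("dcredit", "ucredit", "lcredit", "ocredit")


def _fields(line):
    """Split a PAM line, keeping a bracketed control such as
    [success=1 default=ignore] together as one field."""
    out, buf = [], None
    for tok in line.split():
        if buf is not None:
            buf += " " + tok
            if tok.endswith("]"):
                out.append(buf)
                buf = None
        elif tok.startswith("[") and not tok.endswith("]"):
            buf = tok
        else:
            out.append(tok)
    return out


def parse_stack(text, stack_type="password"):
    """Return [(control, module, {arg: value})] for each line of stack_type.
    Flag arguments (shadow, nullok, use_authtok) map to an empty string."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = _fields(line) if line else []
        if len(fields) >= 3 and fields[0] == stack_type:
            args = dict(a.partition("=")[::2] for a in fields[3:])
            entries.append((fields[1], fields[2], args))
    return entries


def audit_stack(entries, min_len=8, min_classes=4, history=5):
    """Return a list of findings; an empty list means the stack meets the policy."""
    findings = []
    for control, module, _ in entries:
        if control in ("include", "substack"):  # e.g. /etc/pam.d/passwd -> system-auth
            findings.append("stack pulls in %s: audit that file as well" % module)
    strength = [a for _, m, a in entries if m in STRENGTH_MODULES]
    if not strength:
        findings.append("no strength-checking module (pam_cracklib/pam_pwquality)")
    for a in strength:
        if int(a.get("minlen", 0)) < min_len:
            findings.append("minlen is %s, policy wants >= %d" % (a.get("minlen", "unset"), min_len))
        # minclass=N or negative credits (dcredit=-1 ...) both require character classes
        classes = max(int(a.get("minclass", 0)), sum(1 for c in CREDIT_ARGS if int(a.get(c, 0)) < 0))
        if classes < min_classes:
            findings.append("only %d character classes required, policy wants %d" % (classes, min_classes))
        if "difok" not in a:
            findings.append("difok unset: module default decides how much a new password must differ")
    unix = [a for _, m, a in entries if m == "pam_unix.so"]
    if not unix:
        findings.append("pam_unix.so missing from the password stack")
    for a in unix:
        if "nullok" in a:
            findings.append("nullok: accounts with an empty password are accepted")
        if not any(h in a for h in STRONG_HASHES):
            findings.append("pam_unix.so selects no strong hash (sha512/yescrypt)")
        if int(a.get("remember", 0)) < history:
            findings.append("remember is %s, policy wants >= %d" % (a.get("remember", "unset"), history))
        if "use_authtok" not in a:
            findings.append("use_authtok missing: pam_unix.so prompts for its own new password "
                            "instead of using the one the strength module checked")
    return findings


if __name__ == "__main__":
    samples = {"default stack": DEFAULT_STACK, "hardened stack": HARDENED_STACK}
    if len(sys.argv) > 1:
        samples = {path: open(path).read() for path in sys.argv[1:]}
    for name, text in samples.items():
        result = audit_stack(parse_stack(text))
        print("%s: %s" % (name, "OK" if not result else "%d finding(s)" % len(result)))
        for finding in result:
            print("  - " + finding)
```

Run without arguments to see the default stack produce five findings and the hardened stack none; run it against /etc/pam.d/system-auth (or /etc/pam.d/passwd, which on many systems only pulls system-auth in with substack) to audit a live host. The parser keeps a bracketed control field such as [success=1 default=ignore] intact, and the class check accepts either minclass=N or the older dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 form, so the script goes slightly beyond the two stacks shown on this page.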
Alternative modules are available for password checking, such as pam_passwdqc.so, and pam_pwquality.so, which takes the same minlen, difok and minclass parameters and replaces pam_cracklib.so on newer systems.
For more information, see Section 22.7, "About Pluggable Authentication Modules" and the pam_cracklib(8), pam_deny(8), pam_passwdqc(8), and pam_unix(8) manual pages.