26.9.11.1 Configuring User Authentication and Password Policies

The Pluggable Authentication Modules (PAM) feature allows you to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can also configure PAM to block user access after too many failed login attempts, outside normal working hours, or if too many concurrent sessions are opened (for example, with the pam_faillock or pam_tally2, pam_time and pam_limits modules respectively).

PAM is highly customizable because it is built from separate modules, each with its own parameters. For example, the default password integrity checking module, pam_pwquality.so, checks the strength of a new password when a user changes it. The PAM configuration file /etc/pam.d/system-auth contains the following default entries for testing a password's strength:

password  requisite   pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required    pam_deny.so

The line for pam_pwquality.so gives a user three attempts (retry=3) to choose an acceptable password. Because the control flag is requisite, a password that fails the checks ends the stack immediately and pam_unix.so is never reached. No minlen or difok parameter is given, so the module takes the minimum length and the number of characters that must differ from the previous password from /etc/security/pwquality.conf or, failing that, from its built-in defaults; check pam_pwquality(8) for the values in your release, as they have changed between versions (minlen cannot be set below six in any case). Because of local_users_only, the module checks only the passwords of users defined in /etc/passwd; passwords for users from other sources, such as LDAP, are not checked. Note also that by default the checks are only advisory when root changes a password, unless enforce_for_root is specified.

The line for pam_unix.so updates the password in /etc/shadow (shadow) and hashes it with SHA-512 (sha512). try_first_pass makes the module reuse the current password that a previous module in the stack has already collected rather than prompting for it again, and use_authtok makes it accept the new password that pam_pwquality.so has already obtained and checked instead of prompting for a new one. nullok allows an account whose password field is empty to set a password. Because the control flag is sufficient, a successful update ends the stack, so the pam_deny.so line is reached only if pam_unix.so fails.
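The following script is an added example and is not part of the Oracle documentation or of PAM itself. It parses the password stack of a PAM service file such as the one above and reports the settings a reviewer would question: nullok, no password history, no minlen on the module line, and no enforce_for_root. The two PAM fragments embedded in it are constructed samples: the first is the default stack quoted above, the second a hardened variant of the kind shown later in this section, with enforce_for_root added.

```python
"""Audit the 'password' stack of a PAM service file for weak settings.

Added example, not from the Oracle documentation. The two PAM fragments below
are constructed samples: the default stack quoted on this page, and a hardened
variant of the kind shown later in this section with enforce_for_root added.
"""

DEFAULT_STACK = """\
password  requisite   pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required    pam_deny.so
"""

HARDENED_STACK = """\
password  required  pam_pwquality.so retry=3 minlen=8 difok=5 minclass=4 enforce_for_root
password  required  pam_unix.so use_authtok sha512 shadow remember=5
password  required  pam_deny.so
"""


def parse_password_stack(text):
    """Return [(control, module, options)] for the 'password' lines of a PAM file.

    Bare flags such as nullok map to '' in the options dict; key=value options
    map to their value. Comments, blank lines and other stacks are skipped.
    """
    stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "password":
            continue
        options = {}
        for token in fields[3:]:
            key, _, value = token.partition("=")
            options[key] = value
        stack.append((fields[1], fields[2], options))
    return stack


def audit_password_stack(text, minimum_minlen=8, minimum_remember=5):
    """Return human-readable findings for the password stack in a PAM file."""
    by_module = {module: options for _, module, options in parse_password_stack(text)}
    findings = []

    pwq = by_module.get("pam_pwquality.so")
    if pwq is None:
        findings.append("no pam_pwquality.so line: new passwords are not quality-checked")
    else:
        if "minlen" not in pwq:
            findings.append("minlen not set on the pam_pwquality line; the value in "
                            "/etc/security/pwquality.conf or the library default applies")
        elif int(pwq["minlen"]) < minimum_minlen:
            findings.append(f"minlen={pwq['minlen']} is below {minimum_minlen}")
        if "enforce_for_root" not in pwq:
            findings.append("enforce_for_root not set: root can set passwords that fail the checks")

    unix = by_module.get("pam_unix.so")
    if unix is None:
        findings.append("no pam_unix.so line: local passwords are not updated by this stack")
    else:
        if "nullok" in unix:
            findings.append("nullok: accounts with an empty password field are accepted")
        if "remember" not in unix:
            findings.append("remember not set: previous passwords can be reused")
        elif int(unix["remember"]) < minimum_remember:
            findings.append(f"remember={unix['remember']} keeps fewer than {minimum_remember} old passwords")
        if not ({"sha512", "yescrypt"} & set(unix)):
            findings.append("no sha512 (or yescrypt) option: pam_unix falls back to its default hash")
    return findings


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_STACK), ("hardened", HARDENED_STACK)):
        print(f"{name}: {audit_password_stack(text) or ['no findings']}")
```

Run against a real file with `audit_password_stack(open("/etc/pam.d/system-auth").read())`. The script only reads the module lines; settings that live in /etc/security/pwquality.conf are reported as such rather than guessed.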

You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:

password  required  pam_pwquality.so retry=3 minlen=8 difok=5 minclass=4
password  required  pam_unix.so use_authtok sha512 shadow remember=5
password  required  pam_deny.so

The line for pam_pwquality.so gives a user three attempts (retry=3) to choose a password of at least eight characters (minlen=8), of which at least five must differ from the previous password (difok=5), and which must draw on all four character classes (minclass=4): upper case letters, lower case letters, digits, and non-alphanumeric characters. Note that with the default credit settings (ucredit, lcredit, dcredit and ocredit all 1), each character class present in the password adds one to the length that is counted against minlen; set the credits to 0 to require eight actual characters, or to -1 to make a class mandatory without awarding credit.

The line for pam_unix.so takes the new password that pam_pwquality.so has already obtained and checked (use_authtok) rather than prompting for another, hashes it with SHA-512, stores it in /etc/shadow, and keeps the hashes of each user's previous five passwords in /etc/security/opasswd (remember=5) so that they cannot be reused. As nullok is not specified, an account whose password field is empty cannot change its password.

Because try_first_pass is omitted, pam_unix.so always prompts the user for the current password, even if a module earlier in the stack has already collected it.
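To see what the pam_pwquality.so options above actually accept and reject, here is an added example (not libpwquality's code and not from the Oracle documentation) that re-implements the core checks in Python: minlen with the default class credits, difok measured as the edit distance between old and new password (which is how libpwquality judges similarity; a new password at least twice as long as the old one also passes), minclass, and maxrepeat. The sample passwords are constructed. The real module additionally runs dictionary checks and, by default, only warns when root changes a password; this example models neither.

```python
"""Re-implementation of the core pam_pwquality checks, for experimenting with
the options used on this page. Added example; not libpwquality's own code."""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(new, old, minlen=8, difok=5, minclass=0, maxrepeat=0,
                   dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return the list of failed checks for a candidate password ([] if it passes).

    Parameter names and defaults follow pam_pwquality(8). A credit of N >= 0 adds
    up to N bonus points toward minlen for characters of that class; a credit of
    -N instead makes at least N characters of the class mandatory.
    """
    failures = []

    # difok: too similar if the edit distance is below difok, unless the new
    # password is at least twice as long as the old one.
    if old and levenshtein(old, new) < difok and len(new) < 2 * len(old):
        failures.append("too_similar")

    counts = {
        "digit": sum(c.isdigit() for c in new),
        "upper": sum(c.isupper() for c in new),
        "lower": sum(c.islower() for c in new),
        "other": sum(not c.isalnum() for c in new),
    }
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}

    # minlen: actual length plus class credits must reach minlen.
    size = len(new)
    for cls, n in counts.items():
        credit = credits[cls]
        if credit >= 0:
            size += min(n, credit)
        elif n < -credit:
            failures.append("min_" + cls)
    if size < minlen:
        failures.append("min_length")

    # minclass: number of distinct character classes present.
    if minclass and sum(1 for n in counts.values() if n) < minclass:
        failures.append("min_classes")

    # maxrepeat: longest run of one repeated character.
    if maxrepeat:
        run = 1
        for previous, current in zip(new, new[1:]):
            run = run + 1 if current == previous else 1
            if run > maxrepeat:
                failures.append("max_repeat")
                break

    return failures


# The options from the hardened example stack on this page.
HARDENED_POLICY = {"minlen": 8, "difok": 5, "minclass": 4}

if __name__ == "__main__":
    old = "summer2019"   # constructed current password
    for candidate in ("summer2020", "12345", "Wint3r!Storm"):
        print(candidate, check_password(candidate, old, **HARDENED_POLICY) or "OK")
```

With the hardened policy, "summer2020" fails both the difok and the minclass checks against the old password "summer2019", while "12345" fails minlen even though it has five characters, because digits earn only one credit. Lowering the credits to 0 removes that bonus and makes minlen a count of real characters.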

For more information, see Section 24.7, “About Pluggable Authentication Modules” and the pam_deny(8), pam_pwquality(8), and pam_unix(8) manual pages.

An alternative way to define password requirements is the Password Options tab of the Authentication Configuration GUI (system-config-authentication). The GUI applies its settings through authconfig, which regenerates /etc/pam.d/system-auth-ac, the file to which /etc/pam.d/system-auth is normally a symbolic link. Manual edits to system-auth-ac are therefore lost the next time authconfig runs; keep manual changes in a separate file and point the symbolic link at it instead.

Figure 26.2 shows the Authentication Configuration GUI with the Password Options tab selected.

Figure 26.2 Password Options

You can specify the minimum password length, the minimum number of character classes required, which specific character classes are required, and the maximum number of consecutive repeated characters and of consecutive characters from the same class that are permitted. These correspond to the minlen, minclass, dcredit/ucredit/lcredit/ocredit, maxrepeat and maxclassrepeat settings in /etc/security/pwquality.conf, which pam_pwquality.so reads when the same option is not given on its module line.