3.4 Managing Password and Authentication Policies

Each Oracle Exadata server contains the host_access_control utility (/opt/oracle.cellos/host_access_control), which provides simple interfaces to view and modify the password and authentication policies.

Oracle recommends using the host_access_control utility to view and modify the password and authentication policies. You may perform customizations outside the scope of the host_access_control utility at your own cost and risk.

  • To manage the password aging policy settings for new account creation, use the host_access_control command with the password-policy option.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --help
    • To view the current policy settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --status
    • To reset the policy to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --defaults

      Under the factory default password aging policy:

      • The maximum password age is 60 days.

      • The minimum period allowed between password changes is 1 day.

      • The minimum password length is 8 characters.

      • The password expiry warning period is 7 days.

    • To modify specific policy settings, specify one or more of the following:

      • --PASS_MAX_DAYS: Specifies the maximum password age (in days).

      • --PASS_MIN_DAYS: Specifies the minimum number of days allowed between password changes.

      • --PASS_MIN_LEN: Specifies the minimum password length.

      • --PASS_WARN_AGE: Specifies the password expiry warning period (in days).

      For example, use the following command to set the maximum password age to 100 days and the minimum password length to 12 characters:

      # /opt/oracle.cellos/host_access_control password-policy --PASS_MAX_DAYS 100 --PASS_MIN_LEN 12
  • To manage the password aging policy for existing interactive user accounts, use the host_access_control command with the password-aging option.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --help
    • To view the current policy settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --status
    • To reset the password aging policy to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --defaults

      Under the factory default password aging policy:

      • The maximum password age is 60 days.

      • The minimum period allowed between password changes is 1 day.

      • The minimum password length is 8 characters.

      • The password expiry warning period is 7 days.

    • To reset the password aging policy to the Exadata secure default settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --secdefaults

      Under the Exadata secure default settings, the minimum password length is 15 characters. All other settings match the factory default policy.

    • To apply the policy settings for new account creation (the settings defined by using host_access_control with the password-policy option) to existing users, use:

      # /opt/oracle.cellos/host_access_control password-aging --policy
    • To modify specific policy settings for a user, specify the user and one or more of the following attributes:

      • --maxdays: Specifies the maximum password age (in days).

      • --mindays: Specifies the minimum number of days allowed between password changes.

      • --warndays: Specifies the password expiry warning period (in days).

      For example, use the following command to set the maximum password age to 80 days for the oracle OS user:

      # /opt/oracle.cellos/host_access_control password-aging --maxdays 80 --user oracle
  • To manage the system authentication policy settings, use the host_access_control command with the pam-auth option. The system authentication settings include the password complexity and password history rules that apply to all users.

    Commencing with Oracle Exadata System Software 23.1.0 and Oracle Linux 8, the security settings managed by the pam-auth option are encapsulated in a custom Exadata security profile using the Linux authselect utility.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --help
    • To view the current authentication settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --status
    • To reset the authentication settings to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --defaults

      Under the factory default authentication settings:

      • A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.

      • When changing a user password, the new password cannot match any of the 10 previous passwords.

      • The password complexity rules depend on the Oracle Linux version in use.

        For systems with Oracle Linux 7 or later:

        • The minimum password length is 8 characters.

        • The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.

        • The password must not contain the same character consecutively more than 3 times.

        • The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).

        • For password changes, the new password must contain a minimum of 8 character changes.

        For systems with Oracle Linux 6 or earlier, the minimum password length is 5 characters with no additional complexity requirements.

    • To reset the authentication settings to the Exadata secure default settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --secdefaults

      Under the Exadata secure default settings:

      • A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.

      • When changing a user password, the new password cannot match any of the 10 previous passwords.

      • The password complexity rules depend on the Oracle Linux version in use.

        For systems with Oracle Linux 7 or later:

        • The minimum password length is 15 characters.

        • The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.

        • The password must not contain the same character consecutively more than 3 times.

        • The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).

        • For password changes, the new password must contain a minimum of 8 character changes.

        For systems with earlier Oracle Linux versions, the minimum password length is 8 characters and the password must contain at least one digit, one uppercase character, one lowercase character, and one other character. Alternatively, you can use a password with at least 12 characters that contains at least 3 out of the 4 character classes (digits, lowercase letters, uppercase letters, or other characters).

    • To modify specific authentication settings, specify one or more of the following:

      • --deny: Specifies the required number of consecutive failed login attempts within the interval (specified by --interval) to trigger an account lockout.

      • --interval: Specifies the number of seconds during which the consecutive failed login attempts must happen to trigger an account lockout.

      • --lock: Specifies the duration (in seconds) of an account lockout.

      • --passwdqc: This setting applies only to systems with Oracle Linux 6 or earlier. The value is a comma-separated list defining the minimum allowed length for different types of passwords or passphrases. See the pam_passwdqc Linux man page for details about this setting.

      • --pwquality: This setting applies only to systems with Oracle Linux 7 or later. The value is either an integer that defines the minimum password length or a comma-separated list that defines the password complexity rules using the following attributes: minlen, dcredit, ucredit, lcredit, ocredit, difok, maxrepeat, maxclassrepeat, minclass, maxsequence, and gecoscheck. See the pam_pwquality Linux man page for details about the password complexity attributes.

      • --remember: Specifies the size of the password history list for each user. For password changes, the new password cannot match any of previous passwords in the password history list.

      For example, use the following command to set the lockout period to 20 minutes after two failed login attempts within a 10-minute period:

      # /opt/oracle.cellos/host_access_control pam-auth --lock 1200 --deny 2 --interval 600
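The password-policy and password-aging sections above describe the factory and secure default aging values but not how to verify that a host actually carries them. The following audit script is an added example and is not part of the Oracle Exadata documentation or the host_access_control utility. It assumes that the password-policy option maps onto the standard PASS_* keys in /etc/login.defs and that password-aging adjusts the per-account aging fields in /etc/shadow (the fields chage(1) edits); both are assumptions about the underlying Linux mechanism, not statements from the page. The sample login.defs and shadow contents are constructed for the example.

```python
"""Audit Linux password-aging settings against the Exadata factory and secure
defaults.  Added example, not Oracle code.  Assumptions: host_access_control
password-policy writes the standard /etc/login.defs PASS_* keys, and
password-aging edits the per-user aging fields of /etc/shadow.
The sample inputs below are constructed, not taken from a real host."""

FACTORY_DEFAULTS = {"PASS_MAX_DAYS": 60, "PASS_MIN_DAYS": 1,
                    "PASS_MIN_LEN": 8, "PASS_WARN_AGE": 7}
SECURE_DEFAULTS = dict(FACTORY_DEFAULTS, PASS_MIN_LEN=15)

# When is an actual value weaker than the expected one?  A longer maximum age
# and a shorter minimum age, minimum length or warning period all reduce the
# protection the policy gives.
WEAKER = {
    "PASS_MAX_DAYS": lambda actual, expected: actual > expected,
    "PASS_MIN_DAYS": lambda actual, expected: actual < expected,
    "PASS_MIN_LEN":  lambda actual, expected: actual < expected,
    "PASS_WARN_AGE": lambda actual, expected: actual < expected,
}

# Position of each aging value in a /etc/shadow record:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_FIELD = {"PASS_MIN_DAYS": 3, "PASS_MAX_DAYS": 4, "PASS_WARN_AGE": 5}

# Constructed sample of a weakened /etc/login.defs (not from a real host).
LOGIN_DEFS = """\
# constructed sample
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_MIN_LEN\t5
PASS_WARN_AGE\t7
"""

# Constructed sample /etc/shadow records; HASH stands in for the password hash.
SHADOW = """\
root:HASH:19700:1:60:7:::
oracle:HASH:19700:0:99999:7:::
celladmin:HASH:19700:1:60:7:::
"""


def parse_login_defs(text):
    """Return {KEY: int} for the PASS_* aging keys, ignoring comments and blanks."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in WEAKER:
            values[parts[0]] = int(parts[1])
    return values


def parse_shadow(text):
    """Return {user: {KEY: int}} with each account's aging fields that are set."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:
            continue
        aging = {}
        for key, idx in SHADOW_FIELD.items():
            if fields[idx]:  # an empty field means the value is not set
                aging[key] = int(fields[idx])
        users[fields[0]] = aging
    return users


def audit_login_defs(defs, expected):
    """(key, actual, expected) for each system-wide value weaker than expected."""
    findings = []
    for key in expected:
        actual = defs.get(key)
        if actual is None or WEAKER[key](actual, expected[key]):
            findings.append((key, actual, expected[key]))
    return findings


def audit_users(users, expected):
    """(user, key, actual, expected) for each per-account value weaker than expected."""
    findings = []
    for user, aging in users.items():
        for key in SHADOW_FIELD:
            actual = aging.get(key)
            if actual is None or WEAKER[key](actual, expected[key]):
                findings.append((user, key, actual, expected[key]))
    return findings


if __name__ == "__main__":
    for finding in audit_login_defs(parse_login_defs(LOGIN_DEFS), SECURE_DEFAULTS):
        print("login.defs", *finding)
    for finding in audit_users(parse_shadow(SHADOW), SECURE_DEFAULTS):
        print("shadow", *finding)
```

On a real host, replace the constructed strings with the contents of /etc/login.defs and /etc/shadow (root is needed to read the latter). Note that on Oracle Linux 7 and later the effective minimum length is enforced by the pam-auth complexity rules rather than by PASS_MIN_LEN, so a clean aging audit does not by itself show that the secure-default password length is in force.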
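The pam-auth complexity rules listed above (minimum length, one character of each class, no more than 3 identical consecutive characters, no more than 4 consecutive characters of one class, and at least 8 changed characters on a password change) are the factory and secure defaults for Oracle Linux 7 or later. The checker below is an added example, not Oracle code and not pam_pwquality itself: it re-implements those listed rules in plain Python so that the effect of each setting can be tried on candidate passwords without changing PAM. The difok check is approximated as the number of characters in the new password that do not occur in the old one; the library's exact distance computation is not reproduced. The sample passwords are constructed for the example.

```python
"""Check a candidate password against the Exadata pam-auth complexity rules
for Oracle Linux 7 or later.  Added example, not Oracle code: a plain
re-implementation of the listed rules, not a call into pam_pwquality.
The difok rule is approximated (characters of the new password absent
from the old one), which is an assumption of this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ComplexityPolicy:
    minlen: int                     # pwquality minlen
    maxrepeat: int = 3              # identical consecutive characters allowed
    maxclassrepeat: int = 4         # consecutive characters of one class allowed
    difok: int = 8                  # characters that must differ from the old password
    # one of each class is required (dcredit/ucredit/lcredit/ocredit of -1)
    required_classes: tuple = ("digit", "upper", "lower", "other")


FACTORY_DEFAULTS = ComplexityPolicy(minlen=8)
SECURE_DEFAULTS = ComplexityPolicy(minlen=15)


def char_class(ch):
    """Map a character to one of the four pwquality character classes."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def longest_run(items):
    """Length of the longest run of identical consecutive items (0 if empty)."""
    best = current = 0
    previous = object()  # sentinel that never equals a real item
    for item in items:
        current = current + 1 if item == previous else 1
        best = max(best, current)
        previous = item
    return best


def check_password(new, old=None, policy=SECURE_DEFAULTS):
    """Return 'rule: detail' strings for each violated rule; [] means the password passes."""
    problems = []
    if len(new) < policy.minlen:
        problems.append(f"minlen: {len(new)} characters, need {policy.minlen}")
    present = {char_class(c) for c in new}
    for cls in policy.required_classes:
        if cls not in present:
            problems.append(f"class: no {cls} character")
    run = longest_run(new)
    if run > policy.maxrepeat:
        problems.append(f"maxrepeat: {run} identical consecutive characters, limit {policy.maxrepeat}")
    class_run = longest_run(char_class(c) for c in new)
    if class_run > policy.maxclassrepeat:
        problems.append(f"maxclassrepeat: {class_run} consecutive characters of one class, limit {policy.maxclassrepeat}")
    if old is not None:
        differing = sum(1 for c in new if c not in old)
        if differing < policy.difok:
            problems.append(f"difok: only {differing} characters differ from the old password, need {policy.difok}")
    return problems


def failed_rules(new, old=None, policy=SECURE_DEFAULTS):
    """Names of the rules a password fails, in the order they are checked."""
    return [p.split(":", 1)[0] for p in check_password(new, old, policy)]


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Pa55word!", "Paaaassword1234!", "Exa-Data2024!Pw#"):
        print(candidate, "factory:", failed_rules(candidate, policy=FACTORY_DEFAULTS),
              "secure:", failed_rules(candidate))
    print("change:", check_password("Exa-Data2024!Pw#", old="Exa-Data2023!Pw#"))
```

The contrast between the two policies is the point: a 9-character password that satisfies every factory-default rule fails the secure defaults on length alone, and a password that only bumps a year digit from its predecessor passes every complexity rule yet is rejected by difok. To change the real rules, use the --pwquality option shown above rather than editing this checker.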