3.4 Managing Password and Authentication Policies
Each Oracle Exadata server contains the host_access_control utility (/opt/oracle.cellos/host_access_control), which provides simple interfaces to view and modify the password and authentication policies. Oracle recommends using the host_access_control utility to view and modify the password and authentication policies. You may perform customizations outside the scope of the host_access_control utility at your own cost and risk.
- To manage the password aging policy settings for new account creation, use the host_access_control command with the password-policy option.
  - For a complete description of the available options and settings, use:
    # /opt/oracle.cellos/host_access_control password-policy --help
  - To view the current policy settings, use:
    # /opt/oracle.cellos/host_access_control password-policy --status
  - To reset the policy to the factory default settings, use:
    # /opt/oracle.cellos/host_access_control password-policy --defaults
    Under the factory default password aging policy:
    - The maximum password age is 60 days.
    - The minimum period allowed between password changes is 1 day.
    - The minimum password length is 8 characters.
    - The password expiry warning period is 7 days.
  - To modify specific policy settings, specify one or more of the following:
    - --PASS_MAX_DAYS: Specifies the maximum password age (in days).
    - --PASS_MIN_DAYS: Specifies the minimum number of days allowed between password changes.
    - --PASS_MIN_LEN: Specifies the minimum password length.
    - --PASS_WARN_AGE: Specifies the password expiry warning period (in days).
    For example, use the following command to set the maximum password age to 100 days and the minimum password length to 12 characters:
    # /opt/oracle.cellos/host_access_control password-policy --PASS_MAX_DAYS 100 --PASS_MIN_LEN 12
- To manage the password aging policy for existing interactive user accounts, use the host_access_control command with the password-aging option.
  - For a complete description of the available options and settings, use:
    # /opt/oracle.cellos/host_access_control password-aging --help
  - To view the current policy settings, use:
    # /opt/oracle.cellos/host_access_control password-aging --status
  - To reset the password aging policy to the factory default settings, use:
    # /opt/oracle.cellos/host_access_control password-aging --defaults
    Under the factory default password aging policy:
    - The maximum password age is 60 days.
    - The minimum period allowed between password changes is 1 day.
    - The minimum password length is 8 characters.
    - The password expiry warning period is 7 days.
  - To reset the password aging policy to the Exadata secure default settings, use:
    # /opt/oracle.cellos/host_access_control password-aging --secdefaults
    Under the Exadata secure default settings, the minimum password length is 15 characters. All other settings match the factory default policy.
  - To modify existing users to use the policy settings for new account creation, which are the settings defined by using host_access_control with the password-policy option, use:
    # /opt/oracle.cellos/host_access_control password-aging --policy
  - To modify specific policy settings for a user, specify the user and one or more of the following attributes:
    - --maxdays: Specifies the maximum password age (in days).
    - --mindays: Specifies the minimum number of days allowed between password changes.
    - --warndays: Specifies the password expiry warning period (in days).
    For example, use the following command to set the maximum password age to 80 days for the oracle OS user:
    # /opt/oracle.cellos/host_access_control password-aging --maxdays 80 --user oracle
- To manage the system authentication policy settings, use the host_access_control command with the pam-auth option. The system authentication settings include the password complexity and password history rules that apply to all users. Commencing with Oracle Exadata System Software 23.1.0 and Oracle Linux 8, the security settings managed by the pam-auth option are encapsulated in a custom Exadata security profile using the Linux authselect utility.
  - For a complete description of the available options and settings, use:
    # /opt/oracle.cellos/host_access_control pam-auth --help
  - To view the current authentication settings, use:
    # /opt/oracle.cellos/host_access_control pam-auth --status
  - To reset the authentication settings to the factory default settings, use:
    # /opt/oracle.cellos/host_access_control pam-auth --defaults
    Under the factory default authentication settings:
    - A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.
    - When changing a user password, the new password cannot match any of the 10 previous passwords.
    - The password complexity rules depend on the Oracle Linux version in use.
      For systems with Oracle Linux 7 or later:
      - The minimum password length is 8 characters.
      - The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.
      - The password must not contain the same character consecutively more than 3 times.
      - The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).
      - For password changes, the new password must contain a minimum of 8 character changes.
      For systems with Oracle Linux 6 or earlier, the minimum password length is 5 characters with no additional complexity requirements.
  - To reset the authentication settings to the Exadata secure default settings, use:
    # /opt/oracle.cellos/host_access_control pam-auth --secdefaults
    Under the Exadata secure default settings:
    - A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.
    - When changing a user password, the new password cannot match any of the 10 previous passwords.
    - The password complexity rules depend on the Oracle Linux version in use.
      For systems with Oracle Linux 7 or later:
      - The minimum password length is 15 characters.
      - The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.
      - The password must not contain the same character consecutively more than 3 times.
      - The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).
      - For password changes, the new password must contain a minimum of 8 character changes.
      For systems with earlier Oracle Linux versions, the minimum password length is 8 characters and the password must contain at least one digit, one uppercase character, one lowercase character, and one other character. Alternatively, you can use a password with at least 12 characters that contains at least 3 out of the 4 character classes (digits, lowercase letters, uppercase letters, or other characters).
  - To modify specific authentication settings, specify one or more of the following:
    - --deny: Specifies the required number of consecutive failed login attempts within the interval (specified by --interval) to trigger an account lockout.
    - --interval: Specifies the number of seconds during which the consecutive failed login attempts must happen to trigger an account lockout.
    - --lock: Specifies the duration (in seconds) of an account lockout.
    - --passwdqc: This setting applies only to systems with Oracle Linux 6 or earlier. The value is a comma-separated list defining the minimum allowed length for different types of passwords or passphrases. See the pam_passwdqc Linux man page for details about this setting.
    - --pwquality: This setting applies only to systems with Oracle Linux 7 or later. The value is either an integer that defines the minimum password length or a comma-separated list that defines the password complexity rules using the following attributes: minlen, dcredit, ucredit, lcredit, ocredit, difok, maxrepeat, maxclassrepeat, minclass, maxsequence, and gecoscheck. See the pam_pwquality Linux man page for details about the password complexity attributes.
    - --remember: Specifies the size of the password history list for each user. For password changes, the new password cannot match any of the previous passwords in the password history list.
    For example, use the following command to set the lockout period to 20 minutes after two failed login attempts within a 10-minute period:
    # /opt/oracle.cellos/host_access_control pam-auth --lock 1200 --deny 2 --interval 600
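As an added illustration (not Oracle's code and not part of the host_access_control utility), the following Python checker shows how the pam_pwquality attributes listed above constrain a candidate password, preloaded with the Exadata secure default complexity rules stated on this page. It simplifies the credit and difok semantics (see its docstring), so treat it as an explanation of the rules rather than a substitute for the PAM module.

```python
"""Offline checker for the pam_pwquality-style attributes that
host_access_control pam-auth --pwquality manages. Added example, not Oracle's
code. Simplifications: a negative credit such as dcredit=-1 is read as "at least
one digit"; difok counts characters of the new password absent from the old one
(pam_pwquality's own distance test differs)."""

# Exadata secure default complexity rules stated on this page, written as a
# --pwquality style list. Constructed here; not the literal list Oracle ships.
SECURE_DEFAULTS = ("minlen=15,dcredit=-1,ucredit=-1,lcredit=-1,ocredit=-1,"
                   "difok=8,maxrepeat=3,maxclassrepeat=4")

def parse_rules(spec):
    """Parse a --pwquality value: a bare integer (minlen) or 'key=int,...'."""
    if spec.strip().isdigit():
        return {"minlen": int(spec)}
    return {k: int(v) for k, v in (item.split("=") for item in spec.split(","))}

def char_class(c):
    """Classify one character: d(igit), u(pper), l(ower) or o(ther)."""
    if c.isdigit():
        return "d"
    return "u" if c.isupper() else "l" if c.islower() else "o"

def longest_run(seq):
    """Length of the longest run of identical consecutive items."""
    best = run = 0
    prev = None
    for item in seq:
        run = run + 1 if item == prev else 1
        best = max(best, run)
        prev = item
    return best

def check_password(new, old="", rules=SECURE_DEFAULTS):
    """Return the names of violated rules; an empty list means it passes."""
    r = parse_rules(rules)
    problems = []
    if len(new) < r.get("minlen", 0):
        problems.append("minlen")
    classes = [char_class(c) for c in new]
    for cls in "dulo":
        need = -r.get(cls + "credit", 0)  # negative credit = required count
        if need > 0 and classes.count(cls) < need:
            problems.append(cls + "credit")
    if old and sum(1 for c in new if c not in old) < r.get("difok", 0):
        problems.append("difok")
    if r.get("maxrepeat", 0) and longest_run(new) > r["maxrepeat"]:
        problems.append("maxrepeat")
    if r.get("maxclassrepeat", 0) and longest_run(classes) > r["maxclassrepeat"]:
        problems.append("maxclassrepeat")
    return problems
```

Passing the factory default list (minlen=8 with the same credit and repeat attributes) as rules lets the same function explain why a password accepted before --secdefaults is rejected afterwards.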