How to set password policies in Linux

How to Set Password Policies in Linux Password security forms the cornerstone of Linux system administration and cybersecurity. Implementing robust password policies is essential for protecting systems against unauthorized access, brute force attacks, and security breaches. This comprehensive guide will teach you how to configure, manage, and maintain password policies across various Linux distributions using system tools, PAM (Pluggable Authentication Modules), and modern security frameworks. By the end of this article, you'll understand how to enforce password complexity requirements, set expiration policies, configure account lockout mechanisms, and implement enterprise-grade password security measures that comply with industry standards and regulatory requirements. Table of Contents 1. [Prerequisites and Requirements](#prerequisites-and-requirements) 2. [Understanding Linux Password Architecture](#understanding-linux-password-architecture) 3. [Basic Password Policy Configuration](#basic-password-policy-configuration) 4. [Advanced PAM Configuration](#advanced-pam-configuration) 5. [Distribution-Specific Implementations](#distribution-specific-implementations) 6. [Password Aging and Expiration Policies](#password-aging-and-expiration-policies) 7. [Account Lockout and Security Measures](#account-lockout-and-security-measures) 8. [Practical Examples and Use Cases](#practical-examples-and-use-cases) 9. [Monitoring and Auditing](#monitoring-and-auditing) 10. [Troubleshooting Common Issues](#troubleshooting-common-issues) 11. [Best Practices and Security Recommendations](#best-practices-and-security-recommendations) 12. [Conclusion](#conclusion) Prerequisites and Requirements Before implementing password policies in Linux, ensure you have the following prerequisites: System Requirements - Root or sudo access to the Linux system - Basic understanding of Linux command line operations - Familiarity with text editors (nano, vim, or emacs) - Understanding of user account management concepts Software Dependencies - PAM (Pluggable Authentication Modules) - typically pre-installed - libpwquality or cracklib libraries for password quality checking - Access to system configuration files in `/etc/` Supported Distributions This guide covers password policy configuration for: - Ubuntu/Debian-based systems - Red Hat Enterprise Linux (RHEL)/CentOS/Fedora - SUSE Linux Enterprise Server (SLES) - Arch Linux and derivatives Understanding Linux Password Architecture Linux password management relies on several interconnected components that work together to provide authentication and security services. Core Components 1. Shadow Password System The shadow password system stores encrypted passwords in `/etc/shadow`, separate from user account information in `/etc/passwd`. This separation enhances security by restricting access to password hashes. ```bash Example /etc/shadow entry username:$6$salt$hashedpassword:18500:0:99999:7::: ``` 2. PAM (Pluggable Authentication Modules) PAM provides a flexible framework for authentication services. It consists of four management groups: - Authentication: Verifies user identity - Account: Manages account restrictions and permissions - Password: Handles password changes and policies - Session: Manages user sessions 3. Password Quality Libraries - libpwquality: Modern password quality checking library - cracklib: Traditional password strength verification tool Configuration File Hierarchy ``` /etc/ ├── pam.d/ # PAM configuration directory │ ├── common-password │ ├── passwd │ └── system-auth ├── security/ # Security-related configurations │ └── pwquality.conf ├── login.defs # Login and password aging defaults └── shadow # Encrypted password storage ``` Basic Password Policy Configuration Installing Required Packages Ubuntu/Debian Systems ```bash sudo apt update sudo apt install libpam-pwquality cracklib-runtime ``` RHEL/CentOS/Fedora Systems ```bash RHEL/CentOS 8+ sudo dnf install libpwquality RHEL/CentOS 7 sudo yum install libpwquality Verify installation rpm -qa | grep pwquality ``` Configuring Basic Password Requirements Method 1: Using pwquality.conf The primary configuration file for password quality is `/etc/security/pwquality.conf`: ```bash sudo nano /etc/security/pwquality.conf ``` Add or modify the following parameters: ```bash Minimum password length minlen = 12 Minimum number of character classes (lowercase, uppercase, digits, special) minclass = 3 Maximum number of consecutive identical characters maxrepeat = 2 Maximum number of consecutive characters from the same character class maxclassrepeat = 3 Minimum number of lowercase letters lcredit = -1 Minimum number of uppercase letters ucredit = -1 Minimum number of digits dcredit = -1 Minimum number of special characters ocredit = -1 Check against dictionary words dictcheck = 1 Enforce password history (prevent reuse of last N passwords) remember = 5 Check for username in password usercheck = 1 Reject passwords containing more than 3 consecutive characters from username usersubstr = 3 ``` Method 2: Direct PAM Configuration Edit the PAM password configuration file: ```bash Ubuntu/Debian sudo nano /etc/pam.d/common-password RHEL/CentOS sudo nano /etc/pam.d/system-auth ``` Add or modify the pam_pwquality line: ```bash password requisite pam_pwquality.so retry=3 minlen=12 minclass=3 maxrepeat=2 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 ``` Advanced PAM Configuration Understanding PAM Control Flags PAM uses control flags to determine how modules interact: - required: Must succeed; failure doesn't immediately terminate - requisite: Must succeed; failure immediately terminates - sufficient: Success immediately grants access - optional: Result ignored unless it's the only module Complex Password Policy Example Create a comprehensive password policy configuration: ```bash /etc/pam.d/common-password or /etc/pam.d/system-auth Password quality checking password requisite pam_pwquality.so \ retry=3 \ minlen=14 \ minclass=4 \ maxrepeat=2 \ maxclassrepeat=2 \ dcredit=-2 \ ucredit=-1 \ lcredit=-1 \ ocredit=-2 \ dictcheck=1 \ usercheck=1 \ enforcing=1 Password history to prevent reuse password required pam_pwhistory.so \ remember=12 \ use_authtok Unix password module password [success=1 default=ignore] pam_unix.so \ obscure \ use_authtok \ try_first_pass \ sha512 ``` Account Lockout Configuration Implement account lockout policies to prevent brute force attacks: ```bash Edit /etc/pam.d/common-auth or /etc/pam.d/system-auth Account lockout after failed attempts auth required pam_tally2.so \ onerr=fail \ audit \ silent \ deny=5 \ unlock_time=900 Account management account required pam_tally2.so ``` Distribution-Specific Implementations Ubuntu/Debian Configuration Ubuntu and Debian use the `common-*` files in `/etc/pam.d/` for centralized PAM configuration: ```bash Primary password policy file /etc/pam.d/common-password Authentication configuration /etc/pam.d/common-auth Account management /etc/pam.d/common-account ``` Example Ubuntu configuration: ```bash /etc/pam.d/common-password password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password requisite pam_pwquality.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecos password required pam_pwhistory.so remember=12 use_authtok ``` RHEL/CentOS Configuration Red Hat-based systems typically use `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth`: ```bash /etc/pam.d/system-auth auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so account required pam_tally2.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=12 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so ``` Password Aging and Expiration Policies Configuring Default Password Aging Edit `/etc/login.defs` to set system-wide password aging defaults: ```bash sudo nano /etc/login.defs ``` Configure the following parameters: ```bash Maximum number of days a password may be used PASS_MAX_DAYS 90 Minimum number of days allowed between password changes PASS_MIN_DAYS 1 Number of days warning given before password expires PASS_WARN_AGE 7 Minimum acceptable password length PASS_MIN_LEN 12 Maximum number of login retries if password is wrong LOGIN_RETRIES 3 Delay in seconds before retrying after failed login FAIL_DELAY 3 ``` Managing Individual User Password Policies Use the `chage` command to manage password aging for specific users: ```bash Set password expiration for user sudo chage -M 90 username Set minimum days between password changes sudo chage -m 2 username Set warning days before expiration sudo chage -W 14 username Force password change on next login sudo chage -d 0 username View current password aging information sudo chage -l username Set account expiration date sudo chage -E 2024-12-31 username ``` Batch Password Policy Management Apply password policies to multiple users: ```bash #!/bin/bash Script to apply password policies to multiple users USERS=("user1" "user2" "user3" "user4") MAX_DAYS=90 MIN_DAYS=1 WARN_DAYS=7 for user in "${USERS[@]}"; do if id "$user" &>/dev/null; then echo "Applying password policy to $user" chage -M $MAX_DAYS -m $MIN_DAYS -W $WARN_DAYS "$user" echo "Policy applied to $user" else echo "User $user does not exist" fi done ``` Account Lockout and Security Measures Implementing Account Lockout with pam_tally2 Configure automatic account lockout after failed login attempts: ```bash /etc/pam.d/common-auth (Ubuntu/Debian) or /etc/pam.d/system-auth (RHEL/CentOS) Add at the beginning of auth section auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=1800 Add to account section account required pam_tally2.so ``` Managing Locked Accounts ```bash Check failed login attempts for a user sudo pam_tally2 --user username Reset failed login counter for a user sudo pam_tally2 --user username --reset View all users with failed attempts sudo pam_tally2 Reset all counters sudo pam_tally2 --reset ``` Advanced Security with pam_faillock (Modern Alternative) For newer systems, use `pam_faillock` instead of `pam_tally2`: ```bash /etc/pam.d/system-auth Auth section auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 Account section account required pam_faillock.so ``` Manage faillock: ```bash View failed attempts sudo faillock --user username Reset user lockout sudo faillock --user username --reset View all locked accounts sudo faillock ``` Practical Examples and Use Cases Enterprise Environment Password Policy For a corporate environment requiring strict compliance: ```bash /etc/security/pwquality.conf minlen = 14 minclass = 4 maxrepeat = 2 maxclassrepeat = 2 dcredit = -2 ucredit = -1 lcredit = -1 ocredit = -2 dictcheck = 1 usercheck = 1 usersubstr = 3 enforcing = 1 badwords = company secret password admin root ``` ```bash /etc/login.defs PASS_MAX_DAYS 60 PASS_MIN_DAYS 1 PASS_WARN_AGE 14 LOGIN_RETRIES 3 FAIL_DELAY 5 ``` Development Environment Configuration For development environments with moderate security: ```bash /etc/security/pwquality.conf minlen = 10 minclass = 3 maxrepeat = 3 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 dictcheck = 1 usercheck = 1 ``` High-Security Government/Financial Sector For environments requiring maximum security: ```bash /etc/security/pwquality.conf minlen = 16 minclass = 4 maxrepeat = 1 maxclassrepeat = 2 dcredit = -3 ucredit = -2 lcredit = -2 ocredit = -3 dictcheck = 1 usercheck = 1 usersubstr = 2 enforcing = 1 retry = 2 Additional PAM configuration password required pam_pwhistory.so remember=24 use_authtok ``` Monitoring and Auditing Password Policy Compliance Checking Create a script to audit password policy compliance: ```bash #!/bin/bash Password policy audit script echo "=== Password Policy Audit Report ===" echo "Generated on: $(date)" echo Check pwquality configuration echo "--- Password Quality Settings ---" grep -v "^#\|^$" /etc/security/pwquality.conf echo echo "--- Password Aging Settings ---" grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE" /etc/login.defs echo echo "--- Users with Password Aging Issues ---" while IFS=: read -r username _ _ _ _ _ _; do if [[ $username != "#" ]] && id "$username" &>/dev/null; then aging_info=$(chage -l "$username" 2>/dev/null) if echo "$aging_info" | grep -q "Password expires.*never"; then echo "WARNING: $username has no password expiration" fi fi done < /etc/passwd echo echo "--- Account Lockout Status ---" if command -v faillock &> /dev/null; then faillock elif command -v pam_tally2 &> /dev/null; then pam_tally2 fi ``` Log Monitoring Monitor authentication logs for security events: ```bash Monitor authentication failures sudo tail -f /var/log/auth.log | grep -i "authentication failure" Check for account lockouts sudo grep -i "account locked" /var/log/auth.log Monitor password changes sudo grep -i "password changed" /var/log/auth.log ``` Automated Compliance Reporting ```bash #!/bin/bash Automated password policy compliance report REPORT_FILE="/var/log/password_compliance_$(date +%Y%m%d).log" { echo "Password Policy Compliance Report - $(date)" echo "================================================" # Check for users without password expiration echo "Users without password expiration:" awk -F: '($2 != "!" && $2 != "*") {print $1}' /etc/shadow | while read user; do if chage -l "$user" 2>/dev/null | grep -q "Password expires.*never"; then echo " - $user" fi done # Check for recently created accounts echo echo "Recently created accounts (last 30 days):" find /home -maxdepth 1 -type d -mtime -30 -exec basename {} \; # Check password policy configuration echo echo "Current password policy settings:" grep -v "^#\|^$" /etc/security/pwquality.conf } > "$REPORT_FILE" echo "Compliance report generated: $REPORT_FILE" ``` Troubleshooting Common Issues Issue 1: Password Policy Not Enforcing Symptoms: Users can set weak passwords despite policy configuration Diagnosis: ```bash Check PAM configuration sudo grep -r "pam_pwquality" /etc/pam.d/ Verify pwquality.conf syntax sudo pwquality-check < /etc/security/pwquality.conf Test password policy echo "testpass" | pwquality-check ``` Solutions: 1. Ensure `pam_pwquality` is properly configured in PAM files 2. Check for syntax errors in configuration files 3. Verify the module load order in PAM configuration 4. Restart services that use PAM authentication Issue 2: Users Cannot Change Passwords Symptoms: Password change attempts fail with policy violations Diagnosis: ```bash Check PAM logs sudo tail -f /var/log/auth.log Test password manually sudo passwd username Verify PAM configuration syntax sudo pam-auth-update --package ``` Solutions: 1. Review password complexity requirements 2. Check for conflicting PAM modules 3. Ensure proper permissions on configuration files 4. Verify user account status Issue 3: Account Lockout Issues Symptoms: Accounts getting locked unexpectedly or not unlocking Diagnosis: ```bash Check lockout status sudo faillock --user username or sudo pam_tally2 --user username Review authentication logs sudo grep -i "locked\|tally" /var/log/auth.log ``` Solutions: 1. Adjust lockout thresholds and timing 2. Check for automated processes causing failures 3. Implement proper unlock procedures 4. Monitor for brute force attacks Issue 4: PAM Configuration Conflicts Symptoms: Authentication services behaving inconsistently Diagnosis: ```bash Check PAM configuration consistency sudo pam-auth-update --package Validate PAM files for file in /etc/pam.d/*; do echo "Checking $file" pamtester $(basename "$file") username authenticate done ``` Solutions: 1. Use distribution-specific PAM management tools 2. Maintain consistent configuration across PAM files 3. Test changes in isolated environments 4. Document configuration changes Best Practices and Security Recommendations 1. Password Complexity Guidelines Implement balanced password complexity requirements: ```bash Recommended baseline configuration minlen = 12 # Adequate length for most environments minclass = 3 # Require mix of character types maxrepeat = 2 # Prevent excessive repetition dictcheck = 1 # Block dictionary words usercheck = 1 # Prevent username inclusion ``` 2. Account Management Best Practices - Regular Auditing: Implement automated compliance checking - Principle of Least Privilege: Apply policies based on user roles - Account Lifecycle Management: Properly handle account creation, modification, and deletion - Emergency Access: Maintain secure emergency access procedures 3. Security Monitoring ```bash Implement comprehensive logging /etc/rsyslog.d/50-auth.conf auth,authpriv.* /var/log/auth.log ``` 4. Backup and Recovery ```bash #!/bin/bash Backup critical authentication files BACKUP_DIR="/backup/auth-$(date +%Y%m%d)" mkdir -p "$BACKUP_DIR" cp /etc/passwd "$BACKUP_DIR/" cp /etc/shadow "$BACKUP_DIR/" cp /etc/group "$BACKUP_DIR/" cp -r /etc/pam.d/ "$BACKUP_DIR/" cp -r /etc/security/ "$BACKUP_DIR/" cp /etc/login.defs "$BACKUP_DIR/" echo "Authentication configuration backed up to $BACKUP_DIR" ``` 5. Testing and Validation Always test password policy changes: ```bash #!/bin/bash Password policy testing script TEST_PASSWORDS=( "password123" # Should fail - too common "P@ssw0rd123" # Should fail - predictable pattern "MyC0mplex!Pass" # Should pass - meets requirements "short" # Should fail - too short ) for password in "${TEST_PASSWORDS[@]}"; do echo "Testing password: $password" echo "$password" | pwquality-check echo "---" done ``` 6. Documentation and Change Management - Maintain detailed documentation of password policies - Implement change control procedures - Train administrators on policy management - Regularly review and update policies 7. Compliance Considerations For regulatory compliance (SOX, HIPAA, PCI-DSS): ```bash High-compliance password policy minlen = 14 minclass = 4 maxrepeat = 1 dcredit = -2 ucredit = -2 lcredit = -2 ocredit = -2 dictcheck = 1 usercheck = 1 enforcing = 1 Strict aging policy PASS_MAX_DAYS 60 PASS_MIN_DAYS 1 PASS_WARN_AGE 14 Enhanced lockout policy deny = 3 unlock_time = 1800 ``` Conclusion Implementing robust password policies in Linux is essential for maintaining system security and protecting against unauthorized access. This comprehensive guide has covered the fundamental concepts, practical implementation steps, and advanced configuration options for managing password policies across various Linux distributions. Key takeaways from this guide include: 1. Understanding the Architecture: Linux password management relies on PAM, shadow passwords, and quality checking libraries working together 2. Flexible Configuration: Multiple methods exist for implementing password policies, from simple configuration files to complex PAM modules 3. Distribution Awareness: Different Linux distributions may require specific approaches and configuration file locations 4. Security Balance: Effective password policies balance security requirements with usability considerations 5. Continuous Monitoring: Regular auditing and monitoring ensure policy compliance and security effectiveness Next Steps To further enhance your Linux password security implementation: 1. Implement Multi-Factor Authentication: Consider integrating MFA solutions with your password policies 2. Explore Advanced PAM Modules: Investigate additional PAM modules for enhanced security features 3. Automate Policy Management: Develop scripts and tools for automated policy deployment and monitoring 4. Stay Updated: Keep abreast of security best practices and emerging threats 5. Regular Reviews: Periodically review and update password policies based on organizational needs and security landscape changes By following the practices and configurations outlined in this guide, you'll be well-equipped to implement and maintain effective password policies that protect your Linux systems while meeting organizational and regulatory requirements. Remember that security is an ongoing process, and regular review and updates of your password policies are essential for maintaining robust protection against evolving threats.