Installing a PAM

Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.

For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.

A PAM is installed and running by default in CentOS, Fedora, and EulerOS.

Setting a Password Complexity Policy

A proper password complexity policy would be: the password must contain at least eight characters and must contain uppercase letters, lowercase letters, numbers, and special characters.

The preceding configurations are basic security requirements. For more security configurations, run the following commands to obtain help information in Linux OSs:

For CentOS, Fedora, and EulerOS based on Red Hat 7.0, run:
man pam_pwquality

For other Linux OSs, run:
man pam_cracklib

CentOS, Fedora, and EulerOS

Run the following command to edit the /etc/pam.d/system-auth file:
vi /etc/pam.d/system-auth
Find the following information in the file:
- For CentOS, Fedora, and EulerOS based on Red Hat 7.0:
  password requisite pam_pwquality.so try_first_pass retry=3 type=
- For other CentOS, Fedora, and EulerOS systems:
  password requisite pam_cracklib.so try_first_pass retry=3 type=

Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.

Example:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=

Set dcredit, ucredit, lcredit, and ocredit to negative numbers.

**Table 1** Parameter description
Parameter	Description	Example
minlen	Minimum length of a password. For example, if you want the minimum length to be eight, set the minlen value to 8.	minlen=8
dcredit	Number of digits A negative value (for example, -N) indicates the number (for example, N) of digits required in a password. A positive value indicates that there is no limit.	dcredit=-1
ucredit	Number of uppercase letters A negative value (for example, -N) indicates the number (for example, N) of uppercase letters required in a password. A positive value indicates that there is no limit.	ucredit=-1
lcredit	Number of lowercase letters A negative value (for example, -N) indicates the number (for example, N) of lowercase letters required in a password. A positive value indicates that there is no limit.	lcredit=-1
ocredit	Number of special characters A negative value (for example, -N) indicates the number (for example, N) of special characters required in a password. A positive value indicates that there is no limit.	ocredit=-1

Debian and Ubuntu
1. Run the following command to edit the /etc/pam.d/common-password file:
  vi /etc/pam.d/common-password
2. Find the following information in the file:
  password requisite pam_cracklib.so retry=3 minlen=8 difok=3
3. Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
  Example:
  
  password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3

How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?

Installing a PAM

Setting a Password Complexity Policy