CentOS / RedHat: Set Password Quality Requirements

In CentOS and Red Hat, you can set password quality requirements using the pwquality module. This module is used by the PAM (Pluggable Authentication Modules) system to enforce password quality policies. Here are the steps to set password quality requirements:

  1. Install the libpwquality package if it is not already installed:
    sudo yum install libpwquality
  2. Open the pwquality.conf file for editing:
    sudo vi /etc/security/pwquality.conf
  3. In the pwquality.conf file, you can set the following parameters to define the password quality requirements:
    • minlen: The minimum length of the password (default: 9)
    • minclass: The minimum number of character classes (default: 4)
    • maxrepeat: The maximum number of repeated characters (default: 3)
    • dcredit: The credit for digits; a positive value is the maximum credit digits add toward minlen, a negative value is the minimum number of digits required (default: -1)
    • ucredit: The credit for uppercase letters, with the same positive/negative meaning (default: -1)
    • lcredit: The credit for lowercase letters, with the same positive/negative meaning (default: -1)
    • ocredit: The credit for special characters, with the same positive/negative meaning (default: -1)
    • minlower: The minimum number of lowercase letters (default: 0)
    • minupper: The minimum number of uppercase letters (default: 0)
    • mindigit: The minimum number of digits (default: 0)
    • minspecial: The minimum number of special characters (default: 0)

    For example, to set a minimum password length of 12 and require at least one digit, one uppercase letter, one lowercase letter, and one special character, you would add the following lines to the pwquality.conf file (the credits must be negative: a positive credit only rewards the class, it does not require it):

    minlen = 12
    dcredit = -1    # at least one digit
    ucredit = -1    # at least one uppercase letter
    lcredit = -1    # at least one lowercase letter
    ocredit = -1    # at least one special character
  4. Save and close the pwquality.conf file.
  5. To enforce the password quality requirements, you need to add the pam_pwquality.so module to the PAM configuration for the system’s password management. Open the system-auth file for editing:
    sudo vi /etc/pam.d/system-auth
  6. Add the following line at the top of the file:
    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

    This line ensures that the pam_pwquality.so module is used to enforce password quality requirements for local users. If you want to enforce password quality requirements for remote users as well, you need to add the line to the password-auth file.

  7. Save and close the system-auth file.

After making these changes, the PAM system will enforce the password quality requirements defined in the pwquality.conf file when users change their passwords.
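To see what these settings actually accept or reject before rolling them out, here is an added example (not part of the original post, and not libpwquality's own code) that parses a pwquality.conf fragment and re-implements the minlen, credit, minclass and maxrepeat checks with libpwquality's semantics. The sample config and candidate passwords are constructed; defaults for unset keys are taken from pwquality.conf(5).

```python
import re

# Defaults as documented in pwquality.conf(5); only the settings this page covers are modelled.
DEFAULTS = {"minlen": 8, "minclass": 0, "maxrepeat": 0,
            "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}

# Character classes in libpwquality terms: (config key, name, membership test)
CLASSES = [("dcredit", "digit", str.isdigit), ("ucredit", "uppercase", str.isupper),
           ("lcredit", "lowercase", str.islower), ("ocredit", "special", lambda c: not c.isalnum())]

def parse_pwquality_conf(text):
    """Parse the 'key = value' lines of a pwquality.conf, skipping comments and blanks."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in cfg:
            cfg[key.strip()] = int(value.strip())
    return cfg

def check_password(pw, cfg):
    """Return (ok, reason) using libpwquality's credit semantics:
    credit > 0: up to that many characters of the class add to the length score;
    credit < 0: at least -credit characters of the class are mandatory."""
    score, classes_present = len(pw), 0
    for key, name, member in CLASSES:
        count = sum(1 for c in pw if member(c))
        credit = cfg[key]
        classes_present += 1 if count else 0
        if credit < 0 and count < -credit:
            return False, f"needs at least {-credit} {name} character(s)"
        if credit > 0:
            score += min(count, credit)
    if score < cfg["minlen"]:
        return False, f"too short: score {score} is below minlen {cfg['minlen']}"
    if classes_present < cfg["minclass"]:
        return False, f"only {classes_present} character classes, minclass is {cfg['minclass']}"
    if cfg["maxrepeat"] > 0 and re.search(r"(.)\1{%d,}" % cfg["maxrepeat"], pw):
        return False, f"a character repeats more than {cfg['maxrepeat']} times in a row"
    return True, "ok"

# Constructed sample config: the policy this page describes, with negative credits so
# that each character class is mandatory rather than merely credited.
SAMPLE_CONF = """
minlen = 12          # score must reach 12
dcredit = -1         # at least one digit
ucredit = -1         # at least one uppercase letter
lcredit = -1         # at least one lowercase letter
ocredit = -1         # at least one special character
"""
```

Running check_password on an all-lowercase 12-character password shows the difference: it fails under SAMPLE_CONF but passes if the same credits are set to +1, because positive credits only add to the score.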
