/etc/pam.d/ directory contains the PAM configuration files for each PAM-aware
application. Each pam aware configuration file has lines in the format of:
<module interface> <control flag> <module> <module arguments>
There are only four module interfaces:
A module can provide any or all module interfaces.
Module interface directives can be 'stacked' so that multiple modules are used together for one purpose. The order of these directives. Commented out lines start with '#'.
Available modules can be found in
depending on the system architecture.
These are module dependent refer to the man page of the module.
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
pam_cracklib allows for quick quality control settings of passwords. It
allows minimum requirements of the number of different types of characters that
need to be used in a password before it can be used. It also checks the
password against a dictionary.
By default it checks against a dictionary but that really isn't enough for good
password security. Further password control can be accomplished using
password requisite pam_cracklib.so try_first_pass retry=3 type=
Recommended (require one of each type, minimum length 14):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Other (credit based):
password requisite pam_cracklib.so try_first_pass retry=3 minlen=22 dcredit=2 ocredit=4
The credit based system requires a bit of explaining, it requires a 22 character password and treats numbers as 2 characters and symbols as 4 characters. This can be dangerous as you can have an 11 digit number as a password which isn't secure...
pam_cracklib in checking the quality of the password.
To use it you need to comment out
You'll need to add this line to the
password requisite pam_passwdqc.so retry=3 min=disabled,disabled,22,16,12 passphrase=4 similar=deny enforce=users
What this does is it prevent any passwords with one or two character types. Requires a password with three character types to be a minimum of 16 characters and one with four character types to be a minimum of 12 characters.
The middle option (22) is the minimum length of a passphrase (grouping of words found in the dictionary file). The minimum number of words is controlled by the passphrase option.
It denies similar passwords as previous ones and only enforces quality control for root passwords (since they're sha512 hashes they only have two character classes and would thus be denied).
This is untested but to the best of my knowledge passphrases still need to be at least three character classes (since one and two are disabled).
pam_tally2 comes with Fedora's pam package so it will be installed. It's very
useful to prevent bruteforce attempts BUT it can also used to lock access out
to a legitimate user. It is recommended to not turn this on for the entire
system but just remote login services that use pam (for example SSH).
To use it you need to add the following line to the services pam file. So for
SSH the file would be
/etc/pam.d/sshd. The following is what needs to be
auth required pam_tally2.so deny=5 onerr=fail audit silent account required pam_tally2.so
You'll also need to change:
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_unix.so nullok try_first_pass
And get rid of the following two lines as they will interfere with the rest of the changes:
auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
Information about users password tally can be found in
[[email protected] ~]# /sbin/pam_tally2 --user username --reset
unlock_time=1800. This allows the user to log back in
half an hour after the account has been locked.