Passphrases instead of passwords on Red Hat, part 2


James Turnbull
08.22.2006


In the previous tip, I explained what passphrases are and how you can enable them on Red Hat hosts. In this tip, I will explain how to configure the pam_passwdqc PAM module to enforce your chosen passphrase policy.

Like the pam_cracklib module, the pam_passwdqc module tests the strength of a new password or passphrase and then passes the new authentication token on to your password/passphrase changing module. On Red Hat, this is usually the pam_unix module, and that module needs the use_authtok option set so that it accepts the token pam_passwdqc has already checked rather than prompting for a new one.

You can see an example of the use of the pam_passwdqc module on the following line:

password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 similar=deny retry=3

The first option, min, controls the minimum length for passwords and passphrases. It takes five comma-separated length values, each of which can be set to a number or disabled with the "disabled" keyword. Each value must not be larger than the preceding one. In order, the values are:

  • The minimum length of passwords that have characters from only one class (where the classes of characters are digits, lower-case letters, upper-case letters and other). The default is to disable passwords containing only one class of characters.
  • The minimum length of passwords that have characters from two character classes; the default is 24 characters.
  • The minimum length of a passphrase; the example line sets this to 12 characters (the word count for a passphrase is set separately, by the passphrase option below).
  • The last two values control the minimum length of passwords with characters from three and four character classes respectively; the defaults are eight and seven.

When calculating the number of character classes, an upper-case character used as the first character of a password and a digit used as its last character are not counted, because these are the most common places to put them.

The next option, max, controls how long passwords are allowed to be; it defaults to 40 characters. Specifying a value of eight has the special effect of truncating passwords to eight characters. This exists to support traditional DES password hashes, which only use the first eight characters, and so should not be needed on a Red Hat host.

The passphrase option specifies the number of words required for a passphrase. The default is 3; specifying 0 disables user-chosen passphrases.

The following option, similar, controls whether the password is allowed to be similar to the old one. It can be set to permit or deny; the first allows similar passwords and the second denies them.

The last option, retry, specifies the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password; it defaults to three.

So, in our example, a valid password would contain a mix of upper and lower case characters, digits and other characters. A password drawing on only two of the four classes would need to be at least 24 characters long, an eight-character password would need characters from at least three classes, and a seven-character password would need characters from all four. Remember that an upper-case letter beginning the password and a digit ending it do not count towards the number of classes used. Passphrases are also enabled: they need to contain at least three words, be 12 to 40 characters long and, with similar=deny, differ sufficiently from the old password. The module will also suggest a randomly generated passphrase that meets this policy, which the user may accept instead of choosing their own.
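To make the policy concrete, here is an added Python model of the length and character-class rules described above for the example line. It is not code from the pam_passwdqc module or from this tip: it splits passphrase words on whitespace and leaves the similar and dictionary checks out.

```python
"""Model of the pam_passwdqc policy from the example line:
   min=disabled,24,12,8,7 max=40 passphrase=3
Added illustration only: the 'similar' and dictionary checks are not
modelled, and passphrase words are split on whitespace (a simplification)."""

# The five slots of min=, in pam_passwdqc order: 1 class, 2 classes,
# passphrase, 3 classes, 4 classes.  None stands for the "disabled" keyword.
MIN = (None, 24, 12, 8, 7)
MAX_LEN = 40
PASSPHRASE_WORDS = 3


def count_classes(pw: str) -> int:
    """Count character classes the way the module does: an upper-case first
    character and a digit last character do not add to the count."""
    digits = sum(c.isdigit() for c in pw)
    lowers = sum(c.islower() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    others = len(pw) - digits - lowers - uppers
    if uppers and pw[0].isupper():
        uppers -= 1
    if digits and pw[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def check(pw: str) -> str:
    """Return 'ok' or the reason the policy rejects pw."""
    if len(pw) > MAX_LEN:
        return "too long"
    # Passphrase path: enough words and at least the passphrase length (slot 3).
    if PASSPHRASE_WORDS and len(pw.split()) >= PASSPHRASE_WORDS:
        if MIN[2] is not None and len(pw) >= MIN[2]:
            return "ok"
    classes = count_classes(pw)
    if classes == 0:
        return "too few character classes"
    need = MIN[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if need is None:
        return f"passwords using only {classes} character class(es) are disabled"
    if len(pw) < need:
        return f"too short: {classes} class(es) need at least {need} characters"
    return "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check(candidate)}")
```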

A number of other configuration options are available for the pam_passwdqc module that you can see by examining the module's man page.

James Turnbull is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows, and storage systems. He has been involved in security consulting, infrastructure security design, SLA and service definition and has an abiding interest in security metrics and measurement.


All Rights Reserved, Copyright 2003 - 2008, TechTarget