Linux Password Policy

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
(New page: The following examples are on a Red Hat Enterprise Linux AS 4 system. === Password Aging === * ''/etc/login.defs'' for new accounts. # Password aging controls: # # PASS_MAX_DAYS...)
m (What happens when your password expires?)
Line 19: Line 19:
When your password expires:
When your password expires:
-
* If the account is inactive (see ''chage -I'' and the 7th field in ''/etc/shadow''), you will be unable to login and your password will have to be manually reset by an administrator.
+
* If the account is inactive (see '''chage -I''' and the 7th field in ''/etc/shadow''), you will be unable to login and your password will have to be manually reset by an administrator.
e.g., ''/var/log/messages''
e.g., ''/var/log/messages''

Revision as of 20:42, 4 December 2007

The following examples are on a Red Hat Enterprise Linux AS 4 system.

Contents

Password Aging

  • /etc/login.defs for new accounts.
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.

Note that PASS_MIN_LEN in /etc/login.defs has no effect. Minimum password length is controlled by the pam_cracklib module. Note that if minlen= is not specified in pam_cracklib, I believe the default minimum password length is 6 characters.

  • /usr/bin/chage for existing accounts.

What happens when your password expires?

When your password expires:

  • If the account is inactive (see chage -I and the 7th field in /etc/shadow), you will be unable to login and your password will have to be manually reset by an administrator.

e.g., /var/log/messages

Dec  4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
  • If the account is expired but not inactive, you are allowed a "grace login" where your old password is accepted and you must immediately change your password. After changing your password, the connection is closed and you must login again.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password: 
New UNIX password:
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
Connection to host closed.

Password Complexity

Password History

Personal tools