how to change the existing password settings on FC3

Ankush Grover ankush174 at gmail.com
Sun Apr 30 14:32:13 UTC 2006


On 4/30/06, Stuart Sears <stuart at sjsears.com> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ankush Grover wrote:
> > On 4/30/06, Tim <ignored_mailbox at yahoo.com.au> wrote:
> > But how do I define complex password security that is forcing users to
> > give at least 1 alphanumeric character, at least 1 upper case character and
> > there should not be any first or middle or last name in the password.
> the first/middle/last name is more difficult than you imagine (unless
> these things form part of a users login name)
>
> For the other requirements:
> As was suggested, PAM is your friend here. There are two password
> strength checking modules that you could use here:
> pam_cracklib
> pam_passwdqc
> You really should read the documentation here:
> /usr/share/doc/pam-0*/ it's in both html and text format.
> pam_passwdqc has its own docs in /usr/share/doc/pam_passwdqc-*/README
>
> WARNING
> in both of these cases you are going to be editing *very* important
> system configuration files. It is fairly trivial to lock *all* users out
> of your system by messing up PAM configuration, so
> 1) back up the original file
> 2) keep a proper tty (a text login console) open with root logged into
> it while you work.
> 3) if you do mess it all up, reboot the system in single user mode and
> put the backed up file back in place.
>
> for system-wide password strength controls (ie ones that cover not only
> the passwd command but also passwords changed over ssh, on first login,
> using the GUI tool etc etc) you'll edit /etc/pam.d/system-auth
>
> for pam_cracklib you will want a line a little like this:
> password        required        pam_cracklib.so length=20 ucredit=3 \
> dcredit=3 ocredit=3 lcredit=3
>
> which means:
> a strong-enough password must score at least 20 points (length= is
> arguably a misnomer). the points are granted thus:
> 1 point per character, no matter what it is.
> 1 extra point per uppercase letter up to the maximum value given in
> ucredit.
> the same applies to lowercase (lcredit), digits (dcredit) and
> non-alphanumeric chars (ocredit).
>
> so in this case, a 20-char lowercase password is ok, but you can get
> away with shorter passwords by mixing characters.
> Mu?Pp3t_%5 has 10 chars
> +2 for uppercase chars = 12
> +3 other chars = 15
> +3 lower chars = 18
> +2 digits      = 20 points
>
> although this may be a little extreme. It already will check for words
> based on your username or dictionary words, so you wouldn't get away
> with a 20-char word from the system dictionary.
> Be wary of over-strong passwords. They will be counter-productive for
> ordinary users (in my experience)
>
> pam_passwdqc is more prescriptive and permits the use of passphrases
> (which I like).
> password        required        pam_passwdqc min=disabled,16,12,14,10 \
> max=30 passphrase=3
>
> basically it takes an argument like this
> min=A,B,C,D,E which represents the minimum length of passwords based on
> their makeup:
> A = passwords made up on one character class (ie lowercase only)
> B = passwords from 2 character classes
> C = characters in a passphrase
> D = 3 character classes
> E = 4 character classes
> (incidentally, caps at the start and numbers at the end don't count!)
>
> max = maximum possible password length
> passphrase = minimum number of words that *must* be in a passphrase
>
> there are plenty of other options too
>
> so in the example above:
> passwords must have at least 2 types of character in them
> passwords from 2 classes must be 20 chars long
> passphrases must be 12 chars long and contain at least 3 words
> passwords with 3 types of char must be 14 chars long
> passwords using all 4 classes can be 10 chars long
>
> RTFM for more complex (!) explanations and the massive number of other
> options.
>
> you will probably also want to permit password aging (man chage)
> possibly failed login monitoring (pam_tally)
>
Hey Mr. Stuart,

Thanks for your guidance.



Thanks & Regards

Ankush Grover
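To see how the credit arithmetic in the quoted message works out, here is an added example (not code from this thread, and not pam_cracklib's own implementation) that parses the quoted system-auth line and scores a password by the rules Stuart describes; the default credit of 1 for an option that is not given is my assumption.

```python
"""Illustrative re-implementation of the pam_cracklib point-scoring rule as
described in the quoted message. Not pam_cracklib's code; for reasoning only."""

# The quoted pam_cracklib line, with its backslash continuation joined.
CONFIG_LINE = ("password        required        pam_cracklib.so "
               "length=20 ucredit=3 dcredit=3 ocredit=3 lcredit=3")


def parse_pam_line(line):
    """Split a /etc/pam.d line into (type, control, module, {option: value})."""
    fields = line.split()
    ptype, control, module = fields[:3]
    opts = {}
    for opt in fields[3:]:
        key, _, val = opt.partition("=")
        opts[key] = val          # value is "" for a bare flag without "="
    return ptype, control, module, opts


def cracklib_score(password, opts):
    """Score by the rule in the message: 1 point per character, plus 1 extra
    point per character of each class, capped at that class's credit value."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digit = sum(c.isdigit() for c in password)
    other = len(password) - upper - lower - digit

    def credit(count, key):
        # Assumption: a credit option that is not set counts as 1.
        return min(count, int(opts.get(key, "1")))

    return (len(password)
            + credit(upper, "ucredit") + credit(lower, "lcredit")
            + credit(digit, "dcredit") + credit(other, "ocredit"))


def strong_enough(password, opts):
    """True when the score reaches the threshold. The message writes the
    threshold as length=; pam_cracklib's documented option name is minlen."""
    threshold = int(opts.get("length", opts.get("minlen", "9")))
    return cracklib_score(password, opts) >= threshold


if __name__ == "__main__":
    _, _, _, options = parse_pam_line(CONFIG_LINE)
    for pw in ("Mu?Pp3t_%5", "abcdefghijklmnopqrst", "Mu?Pp3t_%"):
        print(pw, cracklib_score(pw, options), strong_enough(pw, options))
```

Running it reproduces the 20 points worked out for Mu?Pp3t_%5 in the message; it also shows that, with lcredit=3, a 17-character all-lowercase password already reaches the threshold, and that this arithmetic says nothing about the dictionary and username checks the message mentions.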