RHEL7 How to configure password policies based on UID (ranges)

Tomas Mraz tmraz at redhat.com
Thu Feb 23 10:07:40 UTC 2017


On Thu, 2017-02-23 at 05:53 +0000, Juha A. wrote:
> Hi,
> 
> 
> I would need to configure a different password policy based on the
> user's UID.
> 
> For example:
> 
> - UID 1000-1999: Minimum Password Length = 15, 3 different character
> classes
> 
> - UID 2000-2999: Minimum Password Length = 20, 4 different character
> classes
> 
> 
> The /etc/security/pwquality.conf does not seem to have a way to
> configure different rules based on UID, but I was also unable to get
> system-auth/password-auth to work properly.
> 
> 
> Would anyone have advice on how to achieve the above?


You could configure the PAM stack so that there would be two
pam_pwquality lines with different options and skip over them with
pam_succeed_if modules and jumps.

Something like this (untested, just for inspiration):

password    [success=2 default=ignore] pam_succeed_if.so uid >= 2000
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=15 minclass=3
password    [success=1 default=ignore] pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=20 minclass=4

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
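
Added example (not part of the message above, and not PAM's own code): a simplified Python model of the jump controls in the four suggested lines, tracing which pam_pwquality line is reached for a given UID. It assumes pam_succeed_if.so fails when its condition is false and that the password passes each pam_pwquality check; the function names are hypothetical.

```python
import re

# The four lines from the message above, copied verbatim.
STACK = """\
password    [success=2 default=ignore] pam_succeed_if.so uid >= 2000
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=15 minclass=3
password    [success=1 default=ignore] pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=20 minclass=4
"""

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse(stack):
    """Split each line into (control, module, args); the control is either a
    keyword such as 'requisite' or a bracketed [value=action ...] list."""
    rules = []
    for line in stack.splitlines():
        m = re.match(r"\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules

def module_succeeds(module, args, uid):
    """Model assumption: pam_succeed_if evaluates 'uid OP N'; pam_permit and
    pam_pwquality are treated as succeeding (password assumed to pass)."""
    if module == "pam_succeed_if.so":
        field, op, value = args[:3]
        return field == "uid" and OPS[op](uid, int(value))
    return True

def applied_policy(uid, stack=STACK):
    """Return the (minlen, minclass) pair of every pam_pwquality line reached."""
    rules, reached, i = parse(stack), [], 0
    while i < len(rules):
        control, module, args = rules[i]
        ok = module_succeeds(module, args, uid)
        if module == "pam_pwquality.so":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            reached.append((int(opts["minlen"]), int(opts["minclass"])))
        jump = re.search(r"success=(\d+)", control)
        # success=N skips the next N lines; default=ignore falls through.
        i += 1 + (int(jump.group(1)) if ok and jump else 0)
    return reached
```

In this model applied_policy(500) returns the 15/3 policy and applied_policy(3000) the 20/4 policy, because the single uid >= 2000 test leaves both ranges open-ended.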



