Ankush Grover wrote:
> On 4/30/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> But how do I define complex password security that is forcing users to give
> at least 1 alphanumeric character, at least 1 upper case character and there
> should not be any first or middle or last name in the password.

The first/middle/last name is more difficult than you imagine (unless these things form part of a user's login name).

For the other requirements: as was suggested, PAM is your friend here. There are two password strength checking modules that you could use here:

  pam_cracklib
  pam_passwdqc

You really should read the documentation here: /usr/share/doc/pam-0*/ (it's in both html and text format). pam_passwdqc has its own docs in /usr/share/doc/pam_passwdqc-*/README

WARNING: in both of these cases you are going to be editing *very* important system configuration files. It is fairly trivial to lock *all* users out of your system by messing up PAM configuration, so

1) back up the original file
2) keep a proper tty (a text login console) open with root logged into it while you work.
3) if you do mess it all up, reboot the system in single user mode and put the backed up file back in place.

For system-wide password strength controls (i.e. ones that cover not only the passwd command but also passwords changed over ssh, on first login, using the GUI tool etc.) you'll edit /etc/pam.d/system-auth

For pam_cracklib you will want a line a little like this:

  password required pam_cracklib.so minlen=20 ucredit=3 \
      dcredit=3 ocredit=3 lcredit=3

which means: a strong-enough password must score at least 20 points (minlen= is arguably a misnomer). The points are granted thus:

  1 point per character, no matter what it is.
  1 extra point per uppercase letter up to the maximum value given in ucredit.
  The same applies to lowercase (lcredit), digits (dcredit) and non-alphanumeric chars (ocredit).

So in this case, a 20-char lowercase password is ok, but you can get away with shorter passwords by mixing characters.

  Mu?Pp3t_%5 has 10 chars
    +2 for uppercase chars = 12
    +3 other chars        = 15
    +3 lower chars        = 18
    +2 digits             = 20 points

although this may be a little extreme. It already will check for words based on your username or dictionary words, so you wouldn't get away with a 20-char word from the system dictionary.

Be wary of over-strong passwords. They will be counter-productive for ordinary users (in my experience).

pam_passwdqc is more prescriptive and permits the use of passphrases (which I like).

  password required pam_passwdqc.so min=disabled,16,12,14,10 \
      max=30 passphrase=3

Basically it takes an argument like this

  min=A,B,C,D,E

which represents the minimum length of passwords based on their makeup:

  A = passwords made up of one character class (i.e. lowercase only)
  B = passwords from 2 character classes
  C = characters in a passphrase
  D = 3 character classes
  E = 4 character classes

(incidentally, caps at the start and numbers at the end don't count!)

  max = maximum possible password length
  passphrase = minimum number of words that *must* be in a passphrase

There are plenty of other options too. So in the example above:

  passwords must have at least 2 types of character in them
  passwords from 2 classes must be 20 chars long
  passphrases must be 12 chars long and contain at least 3 words
  passwords with 3 types of char must be 14 chars long
  passwords using all 4 classes can be 10 chars long

RTFM for more complex (!) explanations and the massive number of other options.

You will probably also want to permit password aging (man chage) and possibly failed login monitoring (pam_tally).

I reiterate, BE VERY CAREFUL WITH PAM SETTINGS. Sorry for shouting...

Regards,

Stuart
-- 
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
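The two scoring schemes Stuart describes (pam_cracklib's per-class credits and pam_passwdqc's class-count minimums) can be checked on paper before touching /etc/pam.d. The following is an added example, not code from the thread or from either PAM module: a small Python model of just the length/class arithmetic, written from the pam_cracklib and passwdqc documentation. It deliberately leaves out everything else the real modules do (dictionary, username and old-password similarity checks), and the word-counting rule for passphrases (runs of letters) and the fallback order in passwdqc_ok are simplifications labelled as such in the comments. Function names, the sample passwords and the defaults mirroring the two configuration lines above are all my own.

```python
import re

# Added example (not from the thread): a model of the two PAM scoring
# schemes discussed above, pam_cracklib's credit score and pam_passwdqc's
# character-class minimums. It models only the length/class arithmetic;
# the real modules also run dictionary, username and similarity checks
# that are deliberately left out here.


def _class_counts(password):
    """Count upper, lower, digit and 'other' characters."""
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    others = len(password) - uppers - lowers - digits
    return uppers, lowers, digits, others


def cracklib_score(password, ucredit=3, lcredit=3, dcredit=3, ocredit=3):
    """pam_cracklib-style score: one point per character plus, for each
    class with a positive credit, one bonus point per character of that
    class up to the credit value. A negative credit gives no bonus (it is
    a hard minimum, enforced in cracklib_ok)."""
    counts = _class_counts(password)
    credits = (ucredit, lcredit, dcredit, ocredit)
    bonus = sum(min(n, cr) for n, cr in zip(counts, credits) if cr > 0)
    return len(password) + bonus


def cracklib_ok(password, minlen=20, ucredit=3, lcredit=3, dcredit=3, ocredit=3):
    """True if the password would pass a line like
    'password required pam_cracklib.so minlen=20 ucredit=3 ...':
    the score reaches minlen and every negative credit's minimum is met."""
    counts = _class_counts(password)
    credits = (ucredit, lcredit, dcredit, ocredit)
    if any(cr < 0 and n < -cr for n, cr in zip(counts, credits)):
        return False
    return cracklib_score(password, ucredit, lcredit, dcredit, ocredit) >= minlen


def passwdqc_classes(password):
    """Character classes as pam_passwdqc counts them: an uppercase letter
    in first position and a digit in last position do not count towards
    their class (the 'caps at the start and numbers at the end' rule)."""
    if not password:
        return 0
    uppers, lowers, digits, others = _class_counts(password)
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (uppers, lowers, digits, others) if n)


def passwdqc_words(password):
    """Simplified word count for the passphrase rule: runs of letters."""
    return len(re.findall(r"[A-Za-z]+", password))


def passwdqc_ok(password, minimums=(None, 16, 12, 14, 10), max_len=30,
                passphrase_words=3):
    """Model of 'min=A,B,C,D,E max=N passphrase=W':
    A = 1 class, B = 2 classes, C = passphrase, D = 3 classes,
    E = 4 classes; None stands for 'disabled'."""
    length = len(password)
    if length > max_len:
        return False
    # Slot in min= for a given class count (slot 2 is the passphrase slot).
    threshold = {1: minimums[0], 2: minimums[1], 3: minimums[3], 4: minimums[4]}
    # Try the observed class count first, then fall back to fewer classes
    # (simplified from passwdqc); the passphrase rule sits beside the
    # 2-class rule, which is where a lowercase+space phrase lands.
    for n in range(passwdqc_classes(password), 0, -1):
        if threshold[n] is not None and length >= threshold[n]:
            return True
        if (n == 2 and minimums[2] is not None
                and passwdqc_words(password) >= passphrase_words
                and length >= minimums[2]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample passwords, including the one worked in the message.
    for pw in ("Mu?Pp3t_%5", "Password1", "red fox runs", "red fox run"):
        print(f"{pw!r}: cracklib score={cracklib_score(pw)} ok={cracklib_ok(pw)}; "
              f"passwdqc classes={passwdqc_classes(pw)} ok={passwdqc_ok(pw)}")
```

Running it shows the contrast between the two policies: Mu?Pp3t_%5 scores exactly 20 under the cracklib line and passes the 4-class minimum of 10 under passwdqc, while the 12-character "red fox runs" fails cracklib (17 points) but passes passwdqc as a three-word passphrase; "Password1" counts as a single class under passwdqc because its leading capital and trailing digit are discounted.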