- 06-02-2005 #1
- Join Date
- Jun 2005
Linux Password Controls
I'm having an issue with password controls. I'd like to avoid installing additional PAMs if I can. I'd like to use RedHat's built-in functionality for applying some control on passwords. Please keep in mind that I'm an extreme newbie, so I tend to need more explaining.
Systems: RedHat 8.0 & RedHat 9.0
Here's what I have done so far. I have created a user with the following:
I want the user to log on to the system for the first time using a password I supply to him (in this case "pass123456$"), and be forced to change that password by the system. I want the system to force the user's password to be:
1 - 11 chars in length, or longer
2 - Contain 1 number
3 - Contain 1 special char like "$"
I also want all future password changes that the user invokes, or that the system forces, to follow those rules. So far, I've edited the file "/etc/pam.d/system-auth" to show the following:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=11 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
I've also tried several variations of this, such as "minlen=10 dcredit=1 ocredit=1".
I have tried running the following commands to force a change at initial login:
usermod -L scott
chage -d 0 scott
usermod -p "" scott
The commands above DO force the user to change his/her pass at first login, but it removes the password I previously set and doesn't require an initial password. This is NOT what I want. I want the user to have to enter the password that I give him, THEN be forced to change it.
More importantly, the password rules I set in "/etc/pam.d/system-auth" do not apply. User "scott" can successfully change his/her password to "helloworld" when he logs on, which shouldn't be the case.
Last, but not least, I would love to know how to get the user's account locked out for a period of 15 minutes after 3 consecutive, unsuccessful logons.
Any help you can provide would be greatly appreciated. Thanks!
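An added example, not part of the original post and not pam_cracklib's own code: a small Python model of the credit rule described in the pam_cracklib documentation, run against the two option sets and the two passwords mentioned in the post. It assumes the documented defaults (minlen=9, and a credit of 1 for any class not set explicitly) and leaves out the dictionary and old-password checks the real module also performs; `length_check` and `demo` are names chosen for this example.

```python
import string

def length_check(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Model of the documented pam_cracklib credit rule (not its source code).

    Returns (accepted, reason). Defaults are assumed from the documentation.
    """
    counts = {
        "digit": sum(c in string.digits for c in password),
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
    }
    # Everything that is not an ASCII digit or letter counts as "other".
    counts["other"] = len(password) - sum(counts.values())
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}

    required = minlen
    for cls, credit in credits.items():
        if credit < 0:
            # Negative credit: at least -credit characters of this class.
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} {cls} character(s)"
        else:
            # Non-negative credit: each character of the class, up to
            # `credit`, lowers the length demanded by minlen by one.
            required -= min(counts[cls], credit)
    if len(password) < required:
        return False, f"length {len(password)} < effective minimum {required}"
    return True, f"length {len(password)} >= effective minimum {required}"

# Option sets taken from the post; passwords are the two it mentions.
POSTED = dict(minlen=11, dcredit=-1, ocredit=-1)
VARIANT = dict(minlen=10, dcredit=1, ocredit=1)

def demo():
    """Evaluate both passwords under both option sets."""
    rows = []
    for name, opts in (("posted", POSTED), ("variant", VARIANT)):
        for pw in ("pass123456$", "helloworld"):
            rows.append((name, pw) + length_check(pw, **opts))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

In this model the posted line rejects "helloworld" for having no digit, while the "minlen=10 dcredit=1 ocredit=1" variation accepts it, because positive credits only reduce the required length and never require a character class.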
- 06-02-2005 #2
Log in as root, with your session being KDE (not sure how to do it in anything, I am a noob too), go to the Control Center, and look around in that. I was playing around with it last night and came across that. I would get the exact location for ya, but I am at work right now and we have Windows here. I will look when I get home if no one else has answered you by then. Should be easy to find though, look around in the security section.
Today I fell and felt better, Just knowing this matters, I just feel stronger and SHARPER!!!, Found a box of sharp objects, What a beautiful THING!!! Box of Sharp Objects - The Used