Server Security Checklist: Setting Password Policies in CentOS


It’s almost a cliché that strong passwords are a necessity for a secure server. But it’s a cliché for a reason. We’ve long since passed the time when only simple passwords could be brute-forced. Now, even complex ones can be cracked with ease. I like to use a site like this one to get an idea of how strong a password is. Chances are that even with special characters, you’ll find that most of your passwords are depressingly easy to crack.

Luckily, we can institute password policies in CentOS and other Linux distros. This tutorial will focus on CentOS and other RPM-based systems. The password policies have undergone a bit of a change in recent versions, so let’s take a look at how they work.

Checking the Password Module in PAM

PAM stands for “Pluggable Authentication Module”. This architecture handles user authentication for multiple services, including the one used to change passwords. The configuration file for system authentication is located at “/etc/pam.d/system-auth”. If we open it with vim or any other editor, we can see the following line:

The “” module tells us that password quality is being enforced. Out of the box, this consists of a set of default rules, but we want to enforce custom rules instead. First, though, we need to understand the idea of credits.

The Password “Credit” System

Password complexity is determined by the “credit” system. You can specify that certain features award credits to the password. For example, we can say that if it contains special characters like “:” or “@”, it is awarded two credits. The same goes for digits, upper case characters and so on. These credits are added to the length of the password to determine its final credit score.

Since lower case characters are generally counted as earning a credit of their own, you want to set the minimum length to your desired minimum length + 1. This gives us a tremendous amount of flexibility with our password policies in CentOS.

Now that we understand how the credit system works, let’s see how to configure it.

Configuring Password Credits

The configuration file for password quality is located at “/etc/security/pwquality.conf”. Inside it, we can configure which password features award credits, and even specify the minimum number of certain characters. By default, the entire file is commented out: every line begins with a “#”. So let’s say we want to change the minimum length of the password; we need to uncomment the line starting with “minlen” like this:

Make sure there’s no space at the start of the line, or the file won’t load. I’ve chosen an extreme example: a minimum password length of 22 characters. 22 + 1 = 23, so that’s the value of the “minlen” parameter. After saving the file, if I try to change my password to something shorter than 22 characters, I get an error as shown here:

It’s important to keep in mind that the root user has the power to override any kind of password restriction. The passwd tool will only print some warnings, but will give in at the end and allow you to use whatever you want. This doesn’t mean that your CentOS password policies via pwquality.conf are not working. Log in as a non-root user and try it instead.

Each parameter in pwquality.conf is self-explanatory. A positive number sets the maximum number of credits the corresponding password feature can earn. A negative number, on the other hand, means that the password must contain at least that many characters of that type. For example, the “dcredit” parameter controls digits. Having a line like:

dcredit = -2

means that the password must contain at least 2 digits. Once you understand how this works, it’s trivial to create a password policy that matches exactly what you want. All you need to do is modify a single file, and you have complete control over the password policies in CentOS.
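The credit arithmetic from the “credit” section above and the positive/negative rule just described are easy to misread when staring at a config file, so here is an added example (not from the original post and not libpwquality’s own code) that parses a constructed pwquality.conf fragment and scores candidate passwords the way the post describes: a positive value caps the credits a character class can earn, a negative value sets a hard minimum for that class, and the password passes when length plus credits reaches minlen. The fragment, the fallback values for keys it leaves commented out, the lcredit = 1 setting and the candidate passwords are all assumptions constructed for the demonstration.

```python
import re

# Constructed pwquality.conf fragment, not the page's own file. minlen = 23 is the
# post's "22 + 1" example and dcredit = -2 its "at least two digits" example;
# lcredit = 1 is an assumed value standing in for the post's remark that lower
# case characters earn a credit of their own.
SAMPLE_CONF = """\
# Configuration for systemwide password quality limits
# ucredit = 0
minlen = 23
dcredit = -2
lcredit = 1
"""

# Keys this example models. The fallback values are assumptions for keys the
# fragment leaves commented out; consult pwquality.conf(5) for the real defaults.
DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}

# Character class behind each credit parameter (mapping chosen for this example).
CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not c.isalnum(),  # punctuation, spaces, symbols
}


def parse_pwquality(text):
    """Parse `key = value` lines; '#' comments and blank lines are skipped.
    Leading whitespace is tolerated here even though the post reports that
    the real loader rejects it."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line)
        if m and m.group(1) in DEFAULTS:
            settings[m.group(1)] = int(m.group(2))
    return settings


def check_password(password, settings):
    """Apply the credit rules.

    A positive value N for a class adds min(count, N) credits to the score;
    a negative value -N requires at least N characters of that class and
    adds no credits. The password passes when length + credits >= minlen."""
    score = len(password)
    for key, is_member in CLASSES.items():
        count = sum(1 for c in password if is_member(c))
        credit = settings[key]
        if credit < 0:
            if count < -credit:
                return False, f"needs at least {-credit} characters for {key}"
        else:
            score += min(count, credit)
    if score < settings["minlen"]:
        return False, f"credit score {score} is below minlen {settings['minlen']}"
    return True, f"credit score {score} meets minlen {settings['minlen']}"


if __name__ == "__main__":
    cfg = parse_pwquality(SAMPLE_CONF)
    # Constructed candidates: 22 characters with two digits passes (22 + 1 lower
    # case credit = 23), 21 characters fails, and a long passphrase without
    # digits fails the dcredit minimum regardless of its length.
    for pw in ("abcdefghijklmnopqrst12", "abcdefghijklmnopqrs12",
               "correct horse battery staple", "Tr0ub4dor&3"):
        ok, why = check_password(pw, cfg)
        print(f"{'OK  ' if ok else 'FAIL'} {pw!r}: {why}")
```

Running it shows the “+1” effect directly: the 22-character candidate scores exactly 23 because its lower case letters contribute one credit, while the 21-character one falls one short, and the digit-free passphrase is rejected on the dcredit minimum before its length is even considered. To audit a real host, swap SAMPLE_CONF for the contents of /etc/security/pwquality.conf and run a few of your intended passwords through check_password before rolling the policy out.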
