Hardening System Password Policies In RedHat/Centos

How to enforce password complexity/expiration policy on CentOS 7/RHEL 7

Posted by vmt1991 on 10 Jan 2021
Linux-Unix

1/Set minimum password length:

Edit the minlen variable in the file /etc/security/pwquality.conf (the minimum number of characters a new password must have).

2/Set password complexity:

Edit the following variables in the file /etc/security/pwquality.conf:

+ maxrepeat: Maximum number of times the same character may be repeated in a new password.

+ usercheck: Whether to check that the new password does not contain the user name.

+ ucredit: A value > 0 means the maximum number of uppercase characters, a value < 0 means the minimum number of uppercase characters required in a new password.

+ dcredit: Used to set the maximum/minimum number of digits in a new password (set the same way as the ucredit variable).

+ ocredit: Used to set the maximum/minimum number of special characters in a new password (set the same way as the ucredit variable).

3/Set password expiration:

- Used to set the maximum number of days a user can keep a password, the minimum number of days between password changes, and the number of days before expiry on which the system warns the user that the password is about to expire.

- Edit the file /etc/login.defs.

- Changing PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE only affects accounts added to the system after the change. For the accounts that existed before the three variables were changed, use the chage command to set the password expiration policy for each account.

# lchage -l <username>: List the password expiration policy and the account status of a user

# chage -M <maxday> -m <minday> -W <warning day> <account>: Set the maximum days, minimum days and warning days for one account

- If the system has too many accounts to do this by hand, the job can be done in two steps with a script, as below:

+ List all system accounts to a file, then filter it so that only the user accounts that need the password expiration policy remain (application accounts and OS accounts are not affected)

# awk -F ":" '{print $1}' /etc/passwd > list_accounts.txt

+ Review this file and keep only the accounts that belong to users and need the policy

+ Apply the policy to these accounts by using the file as input to the chage command

# for auser in $(cat list_accounts.txt); do chage -M 60 -m 3 -W 9 "$auser"; done
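The two-step procedure above as a script, added here as an example (it is not part of the original post). It filters a passwd-format stream down to regular user accounts by UID range and login shell, then prints the chage commands so the list can be reviewed before it is piped to sh; the function names, the constructed sample passwd data and the 1000/60000 UID bounds (mirroring the UID_MIN/UID_MAX defaults of a CentOS 7 login.defs, check your own) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): section 3's two-step procedure
# as a script. Assumes GNU/Linux with awk and chage; the UID bounds below are
# assumptions taken from a typical CentOS 7 /etc/login.defs.

# Step 1: read passwd lines on stdin and print the login names of regular
# users: UID within [uid_min, uid_max] and an interactive shell. OS accounts
# (low UIDs) and service accounts (nologin/false shells) are left out.
list_user_accounts() {
    uid_min="${1:-1000}"
    uid_max="${2:-60000}"
    awk -F: -v min="$uid_min" -v max="$uid_max" '
        $3 >= min && $3 <= max && $7 !~ /(nologin|false)$/ { print $1 }
    '
}

# Step 2: turn each account name on stdin into one chage command line.
# Names are checked against the characters a login name may contain, so a
# stray entry in a hand-edited list cannot smuggle extra shell syntax in.
build_chage_commands() {
    maxdays="$1"; mindays="$2"; warndays="$3"
    while IFS= read -r account; do
        case "$account" in
            ''|*[!A-Za-z0-9._-]*) continue ;;
        esac
        printf 'chage -M %s -m %s -W %s %s\n' \
            "$maxdays" "$mindays" "$warndays" "$account"
    done
}

# Constructed sample passwd data standing in for /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc_backup:x:1002:1002:Backup svc:/var/lib/backup:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin'

# Dry run on the sample: print the commands for review. On a real host:
#   list_user_accounts < /etc/passwd > list_accounts.txt   # then review it
#   build_chage_commands 60 3 9 < list_accounts.txt | sh   # as root
demo() {
    printf '%s\n' "$SAMPLE_PASSWD" | list_user_accounts | build_chage_commands 60 3 9
}
demo
```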

4/Set a specific expiration date for an account (account expiry):

# chage -E "mm/dd/yyyy" <account>

(The chage man page documents the date in the YYYY-MM-DD format, which the two examples below produce.)

- Set an account to expire a number of days from the current date (for example, an account created for a partner that should only work for a month):

# chage -E $(date -d "+30 days" +%Y-%m-%d) <account>

# chage -E $(date -d "+1 month" +%Y-%m-%d) <account>

5/Set the maximum number of login attempts for an ssh connection:

- Edit the file /etc/ssh/sshd_config and set the MaxAuthTries variable (the limit applies per SSH connection, and sshd must be restarted for the change to take effect).

6/Lock and unlock a user account:

# passwd -l <account>: Lock the account (password login is disabled)

# passwd -u <account>: Unlock the account