Setting min passwd length and min passwd change date

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Post by Rick_Smith » 2012/10/31 17:24:32

How to enforce:
1) password changes every 90 days
2) a minimum password length of 8 characters

We are running CentOS 5.3 through 5.6.

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/10/31 17:37:13

Also, what happens to existing users who have pass_len less than 8 characters?

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/11/01 16:04:37

Well, I looked at some older posts on this topic, and they are marked "resolved", but they did not help me.

This is what I have in my /etc/pam.d/passwd:

[code]
auth include system-auth
account include system-auth
password required pam_cracklib.so minlen=8
[/code]

I also tried:

[code]
auth include system-auth
account include system-auth
password required pam_cracklib.so minlen=8
password required pam_unix.so use_authtok
[/code]

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/11/01 23:51:46

Okay - sorry to cause alarm - but that worked. Now my issue is how to get a user to change password at first login, that is to say we assign them a temporary password with which they log in and then we force them to change their password per the rules in /etc/pam.d/passwd.

Please advise.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Setting min passwd length and min passwd change date

Post by AlanBartlett » 2012/11/02 00:08:45

From man passwd --

[code]
OPTIONS

<snip>

-e This is a quick way to expire a password for an account. The user will be forced to change the password during the next login attempt. Available to root only.

<snip>
[/code]
So when first setting up the user's account and defining the initial password use the relevant variant of --

[code]
passwd -e user_name
[/code]

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/11/02 00:40:10

[code]
[root@localhost pam.d]# passwd -e Rick
passwd: bad argument -e: unknown option
[root@localhost pam.d]# passwd Rick -e
passwd: bad argument -e: unknown option
[root@localhost pam.d]# cat /etc/redhat-release
CentOS release 5.6 (Final)
[root@localhost pam.d]#
[/code]

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Setting min passwd length and min passwd change date

Post by AlanBartlett » 2012/11/02 01:11:32

Oops . . . You are using CentOS 5 and I was looking at RHEL 6!

It seems that the only way to achieve the desired effect is to use the -x command line flag to the passwd command. Set the maximum lifetime of the password to the minimum possible and once the user has been forced to change her/his initial password, reset the password maximum lifetime value to your established default.

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/11/02 12:08:38

Thanks Alan, that seems to be a roundabout way of going about things in an Enterprise business which we are. There does seem to be no better way, I guess we could give them an "obtuse" password to begin with and that will force them to change it to something they like (with the caveats of at least 8 characters long, one uppercase, one lowercase and one digit).

However, this leads me to my second question, how to set password expiration to 90 days AND give the user the option to change their password at first login. I am getting messages like "it's too soon to change your password, etc".

Thanks in advance.
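The 90-day requirement and the "too soon" refusal both come down to the per-account aging fields in /etc/shadow: maximum age, minimum age and last-change date. The following audit is an added example, not part of the original thread; `audit_aging` and `sample_shadow` are hypothetical names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Constructed sample in /etc/shadow layout (no real accounts or hashes):
# name:hash:last_change:min_days:max_days:warn_days:inactive:expire:reserved
sample_shadow() {
cat <<'EOF'
alice:$1$constructed$hash:15645:0:90:7:::
bob:$1$constructed$hash:15645:7:90:7:::
carol:$1$constructed$hash:15645:0:99999:7:::
dave:$1$constructed$hash:0:0:90:7:::
daemon:*:15000:0:99999:7:::
EOF
}

# audit_aging MAX_DAYS  (hypothetical helper; reads shadow-format lines on stdin)
# Prints one "user:FINDING" line per deviation from the aging policy.
audit_aging() {
    awk -F: -v want="$1" '
        $2 ~ /^[*!]/ { next }   # locked or no-login accounts: nothing to age
        # field 5: maximum password age; must equal the policy value
        $5 == "" || $5 + 0 != want + 0 { print $1 ":MAX_DAYS=" $5 }
        # field 4: minimum age; while it has not elapsed, passwd refuses a change
        $4 != "" && $4 + 0 > 0 { print $1 ":MIN_DAYS=" $4 }
        # field 3: last change; 0 means a change is required at next login
        $3 == "0" { print $1 ":CHANGE_AT_NEXT_LOGIN" }
    '
}

# On a live system, as root: audit_aging 90 < /etc/shadow
sample_shadow | audit_aging 90
```

An account that must both expire after 90 days and accept an immediate change shows up here with no findings: maximum age 90 and minimum age 0.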

Rick_Smith
Posts: 87
Joined: 2011/10/07 11:32:23

Re: Setting min passwd length and min passwd change date

Post by Rick_Smith » 2012/11/02 17:05:11

This works:

[code]
[root@CentOS6 pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0 minclass=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@CentOS6 pam.d]#
[/code]

NOTE: the line I changed (appended to) is this: password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0 minclass=3

Instead of "requisite", should I have "required"?

But I am concerned about the first line in the file: "# User changes will be destroyed the next time authconfig is run."

Does authconfig run at every reboot? When does authconfig run?

Regards,
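Because system-auth warns that it can be regenerated, a periodic check that the appended pam_cracklib options are still present catches a silent policy reset. This is an added example, not part of the original thread; `check_cracklib`, `tuned_stack` and `reset_stack` are hypothetical names, the thresholds are the ones from the post, and the second sample stack is constructed.

```shell
#!/bin/sh
# Added example. Constructed samples: the password stack from the post above,
# and the same stack with the appended pam_cracklib options missing.
tuned_stack() {
cat <<'EOF'
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0 minclass=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF
}
reset_stack() {
cat <<'EOF'
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
EOF
}

# check_cracklib (hypothetical helper; reads a PAM file on stdin).
# Prints "OK" or "DRIFT: <options>"; exit status is non-zero on drift.
# Assumes a plain control keyword (requisite/required), not a [..] expression.
check_cracklib() {
    awk '
        $1 == "password" && $3 == "pam_cracklib.so" {
            seen = 1
            for (i = 4; i <= NF; i++) {          # collect key=value options
                n = index($i, "=")
                if (n) opt[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
        }
        END {
            if (!seen) { print "DRIFT: pam_cracklib.so line missing"; exit 1 }
            if (opt["minlen"] + 0 < 8) bad = bad " minlen"
            split("lcredit ucredit dcredit", c, " ")
            for (k = 1; k <= 3; k++)             # -1 = at least one such character
                if (opt[c[k]] + 0 >= 0) bad = bad " " c[k]
            if (opt["minclass"] + 0 < 3) bad = bad " minclass"
            if (bad != "") { print "DRIFT:" bad; exit 1 }
            print "OK"
        }
    '
}

tuned_stack | check_cracklib
reset_stack | check_cracklib || echo "re-apply the pam_cracklib options"
```

On a live system the same function can be fed the real file, for example `check_cracklib < /etc/pam.d/system-auth` from a scheduled job.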

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: Setting min passwd length and min passwd change date

Post by AlanBartlett » 2012/11/03 00:04:24

Not having a CentOS 5 system available with which to check, I will suggest that you have a look at the contents of your /etc/sysconfig/authconfig file and the manual page for authconfig (man authconfig).
