KB Article #175824
Can stricter password rules be enforced on Gateway Appliance users?
Problem
Can stricter password rules be enforced on Gateway Appliance users?
Resolution
Yes. The Gateway Appliance is based on Oracle Linux 5 and includes the pam_cracklib module, which is very flexible for setting up custom site password requirements. The configuration is found in /etc/pam.d/system-auth, and by default it looks like this:
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
pam_cracklib in conjunction with the pam_unix module can provide:
Simple checks - minimum length, number of different characters, rejection of rotations or case-only changes
Strength - a credit system for combinations of lower-case, upper-case, numeric (digit), and non-alphanumeric (other) characters
Dictionary checks - pam_cracklib checks the user's password against its own internal dictionaries of weak passwords
Password history - pam_cracklib can consult a user's password history to prevent reuse of old passwords. It is the pam_unix module that stores the old passwords.
Password expiration, which forces a user to change a password after a set number of days, is set in the /etc/login.defs file.
For more details, consult man pam_cracklib and man login.defs
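
The credit system listed under "Strength" is the pam_cracklib setting that is easiest to misconfigure, so the following added example (not part of the original article and not the module's own code) models the length/credit rule documented in man pam_cracklib for the options minlen, dcredit, ucredit, lcredit and ocredit. The function name, the STRICT settings and the sample passwords are constructed for illustration; dictionary, difference and history checks are not modelled.

```python
"""Model of the pam_cracklib length/credit rule (minlen, dcredit, ucredit,
lcredit, ocredit) as documented in `man pam_cracklib`. Illustration only:
dictionary, difok and history checks are not modelled."""


def passes_credit_rule(password, minlen=9, dcredit=1, ucredit=1,
                       lcredit=1, ocredit=1):
    """Return True if `password` satisfies the length/credit rule.

    credit >= 0: each character of that class counts +1 toward minlen,
                 up to `credit` characters.
    credit <  0: at least abs(credit) characters of that class are
                 required and no length bonus is given.
    """
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1

    required_len = minlen
    for cls, credit in (("d", dcredit), ("u", ucredit),
                        ("l", lcredit), ("o", ocredit)):
        if credit >= 0:
            required_len -= min(counts[cls], credit)   # length bonus
        elif counts[cls] < -credit:
            return False                               # class minimum not met
    return len(password) >= required_len


# Constructed sample settings, equivalent to the module options
#   minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
STRICT = dict(minlen=12, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)

if __name__ == "__main__":
    # Constructed sample passwords
    for pw in ("Ab1!x", "abcdefgh", "Str0ng!Pass", "Str0ng!Passw"):
        print(f"{pw!r:16} defaults={passes_credit_rule(pw)} "
              f"strict={passes_credit_rule(pw, **STRICT)}")
```

With the default positive credits, a five-character password that mixes all four classes already satisfies minlen=9 under this rule, which is why sites that want a true minimum length set the credits to negative values.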