Source
* How to Setup Strong Password Policy on Ubuntu Linux
* DISABLE LINUX PAM MODULE FOR SPECIFIC USERS !
How to Setup Strong Password Policy on Ubuntu Linux
This brief tutorial shows students and new users how to set up a firm password policy on Ubuntu 18.04 | 16.04.
Out of the box, Ubuntu machines are not set up with an advanced password policy. Any password, including weak ones, can be used and never expire. This may not be secure in some environments.
To configure a more secure password policy and protect your users from hackers and intrusions, you need to take some steps, and this post shows you how to do that.
Ubuntu is an open-source Linux operating system that runs on desktops, laptops, servers, and other devices.
When you’re ready to set up a firm password policy on Ubuntu, follow the steps below:
Ensure Passwords Expire
In most business environments, user passwords are configured to expire every 60 to 90 days. Desktop users are not configured like business environments so that a single password can be used forever.
If you want to configure Ubuntu to force users to change passwords regularly, run the command below to open the login.defs file.
sudo nano /etc/login.defs
For example, if you want the account password to be changed every 60 days, with a minimum number of days between changes, edit the highlighted lines in the file.
You can also set the number of days a warning is given before a password expires.
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
Save the file and exit.
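The settings in login.defs are read only when an account is created, so accounts that already exist keep their old expiry values (99999 days on a stock install). The script below is an added example, not part of the original post: it checks a login.defs-style file against the values above, lists existing accounts in a shadow-format file whose passwords never expire, and prints the chage commands that would bring them into line. It runs on constructed sample files; on a real host, point the functions at /etc/login.defs and /etc/shadow as root.

```shell
#!/bin/sh
# Password-aging audit. Added example, not from the original post.
# Runs on constructed copies of /etc/login.defs and /etc/shadow so it works
# offline; on a real host pass the real files (reading /etc/shadow needs root).

# Effective value of KEY in a login.defs-style file: the last uncommented
# assignment wins, which is how the shadow tools read it. Prints nothing if unset.
login_defs_value() {
    awk -v k="$1" '$1 == k { v = $2 } END { if (v != "") print v }' "$2"
}

# Check a login.defs file against the policy from the post
# (max 60 days, min 1 day, 7 days warning). Returns 0 when compliant.
check_password_aging() {
    file="$1"; rc=0
    max=$(login_defs_value PASS_MAX_DAYS "$file")
    min=$(login_defs_value PASS_MIN_DAYS "$file")
    warn=$(login_defs_value PASS_WARN_AGE "$file")
    if [ -z "$max" ] || [ "$max" -gt 60 ]; then
        echo "PASS_MAX_DAYS=${max:-unset}: passwords must expire within 60 days"; rc=1
    fi
    if [ -z "$min" ] || [ "$min" -lt 1 ]; then
        echo "PASS_MIN_DAYS=${min:-unset}: need >= 1 to stop immediate change-back"; rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "PASS_WARN_AGE=${warn:-unset}: need >= 7 days of warning"; rc=1
    fi
    return $rc
}

# login.defs only applies to accounts created after the edit. This lists
# accounts in a shadow-format file that have a password hash (field 2
# starts with "$") but no expiry (field 5 empty or 99999).
nonexpiring_accounts() {
    awk -F: '$2 ~ /^[$]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Print the chage(1) commands that would apply the policy to those accounts.
# Output is for review; run the printed lines as root once you agree with them.
chage_commands() {
    nonexpiring_accounts "$1" | while read -r user; do
        echo "chage -M 60 -m 1 -W 7 $user"
    done
}

# --- constructed sample input (not real system files) ---
WEAK_DEFS=$(mktemp); STRONG_DEFS=$(mktemp); SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$WEAK_DEFS" "$STRONG_DEFS" "$SAMPLE_SHADOW"' EXIT

cat > "$WEAK_DEFS" <<'EOF'
# stock Ubuntu defaults (constructed)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF

cat > "$STRONG_DEFS" <<'EOF'
# values from the post (constructed)
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF

cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bob:$6$constructedsalt$constructedhash:19000:1:60:7:::
carol:!:19000:0:99999:7:::
EOF

echo "== default login.defs =="; check_password_aging "$WEAK_DEFS" || true
echo "== hardened login.defs =="; check_password_aging "$STRONG_DEFS" && echo "compliant"
echo "== existing accounts still without expiry =="; chage_commands "$SAMPLE_SHADOW"
```

Accounts with a locked password field (`*` or `!`) are skipped on purpose: they cannot log in with a password, so expiry does not apply to them. On the sample data only alice is reported; bob already carries the 60/1/7 values.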
Configure PAM Password Module
A PAM module called pam_pwquality is available for Ubuntu to require strong passwords for system users. pam_pwquality performs several basic checks, just like the old pam_cracklib module, including rejecting passwords that contain words from the user's GECOS field (such as the full name), rejecting passwords with more than N identical consecutive characters, and many other password-related checks.
To install and use the pam_pwquality module, run the commands below:
sudo apt install libpam-pwquality cracklib-runtime
On Ubuntu, pam_pwquality is configured through the password stack in /etc/pam.d/common-password. Run the command below to edit the file.
sudo nano /etc/pam.d/common-password
A reasonable password policy follows guidelines like these:
- Allow N retries before returning an error [retry=3]
- Set a minimum password length [minlen=8]
- Allow at most N consecutive identical characters [maxrepeat=3]
- Password must have uppercase characters [ucredit=-1]
- Password must have lowercase characters [lcredit=-1]
- Reject passwords containing words from the account's GECOS field [gecoscheck=1]
Edit the highlighted line and add the requirements you want to enforce.
# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
Make the above changes that fit your environment. When done, reboot your machine, and the changes above should apply.
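Two details of the stack above are easy to get wrong: pam_pwquality must appear before pam_unix (pam_unix's use_authtok accepts the password the earlier module already checked, so a pwquality line placed after it never runs), and without enforce_for_root the module only warns root, who can still set weak passwords for other users. The script below is an added example, not code from the post: it audits the password stack of a PAM file for those two points and for the option values listed above, and runs it against a constructed stock common-password next to a constructed copy of the hardened one. On a real host, pass /etc/pam.d/common-password.

```shell
#!/bin/sh
# Audit the "password" stack of a PAM file for the pam_pwquality policy.
# Added example, not from the original post. Runs against constructed copies
# of /etc/pam.d/common-password; on a real host pass that file instead.

# Print the value of option KEY on the pam_pwquality.so line of FILE.
# Flag options with no value (e.g. enforce_for_root) print "yes"; absent prints nothing.
pwquality_option() {
    awk -v k="$1" '
        $1 == "password" {
            start = 0
            for (i = 1; i <= NF; i++) if ($i ~ /pam_pwquality\.so$/) start = i + 1
            if (!start) next
            for (i = start; i <= NF; i++) {
                n = split($i, kv, "=")
                if (kv[1] == k) print (n == 1 ? "yes" : kv[2])
            }
        }' "$2"
}

# pam_pwquality must come before pam_unix in the password stack.
# Returns 0 when both lines are present and in that order.
pwquality_before_unix() {
    awk '$1 == "password" && /pam_pwquality\.so/ { q = NR }
         $1 == "password" && /pam_unix\.so/      { u = NR }
         END { exit !(q && u && q < u) }' "$1"
}

# Check the stack against the post's requirements; print findings, return 0 if clean.
check_pwquality_policy() {
    file="$1"; rc=0
    pwquality_before_unix "$file" || {
        echo "pam_pwquality.so missing from the password stack or placed after pam_unix.so"; rc=1; }
    minlen=$(pwquality_option minlen "$file")
    if [ -z "$minlen" ] || [ "$minlen" -lt 8 ]; then
        echo "minlen=${minlen:-unset}: require at least 8"; rc=1
    fi
    # A negative credit makes that character class mandatory; 0 or above only
    # lets the class count toward minlen, so the class stays optional.
    for c in ucredit lcredit dcredit ocredit; do
        v=$(pwquality_option "$c" "$file")
        if [ -z "$v" ] || [ "$v" -gt -1 ]; then
            echo "$c=${v:-unset}: require -1 (class is optional otherwise)"; rc=1
        fi
    done
    # Without enforce_for_root, root only gets a warning and can set weak passwords.
    [ "$(pwquality_option enforce_for_root "$file")" = yes ] || {
        echo "enforce_for_root missing: root is not held to the policy"; rc=1; }
    return $rc
}

# --- constructed sample stacks (not real system files) ---
STOCK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$STOCK" "$HARDENED"' EXIT

cat > "$STOCK" <<'EOF'
# stock Ubuntu common-password without libpam-pwquality (constructed)
password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

cat > "$HARDENED" <<'EOF'
# the Primary block from the post (constructed copy)
password        requisite                       pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
EOF

echo "== stock =="; check_pwquality_policy "$STOCK" || true
echo "== hardened =="; check_pwquality_policy "$HARDENED" && echo "compliant"
```

The option parser locates pam_pwquality.so by field rather than by position, because bracketed controls such as `[success=1 default=ignore]` span more than one whitespace-separated field and shift everything after them.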
That’s it!
Conclusion:
This post showed you how to set up a firm password policy on Ubuntu 18.04 | 16.04. If you find errors in the above, please use the form below to report.
DISABLE LINUX PAM MODULE FOR SPECIFIC USERS !
1) Create a group for the users who should be exempt:
sudo groupadd <groupname>
2) Create the user and add it to the group:
sudo useradd <username>
sudo usermod -a -G <groupname> <username>
3) Edit the /etc/pam.d/sshd file and add the statement below to skip the PAM modules that follow it for members of the newly created group:
auth [success=done default=ignore] pam_succeed_if.so user ingroup <groupname>
Optional:
If full access is required for this new group, add the line below using visudo:
%<groupname> ALL=(ALL) NOPASSWD: ALL
When a user is created and added to the new group, MFA will be set up on the first login but will not be enforced on later logins.
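Because `success=done` ends the auth stack at that point, the pam_succeed_if line only exempts the group from modules listed after it, and every member of the group is exempt from MFA from then on. Such exemptions are worth inventorying regularly. The script below is an added example, not from the original post: it lists every auth-stack pam_succeed_if line that keys on group membership, shows the control field so a reviewer can see whether it ends the stack or skips modules, and resolves the group's members from a group-format file. The file names, the group name `mfa-bypass` and the member names are constructed; on a real host, pass the files under /etc/pam.d/ and /etc/group.

```shell
#!/bin/sh
# Inventory group-based PAM auth exemptions. Added example, not from the post.
# Runs on constructed copies of /etc/pam.d/sshd and /etc/group; on a real host
# pass the real files (for example: report_mfa_exemptions /etc/pam.d/sshd /etc/group).

# Print "CONTROL<TAB>GROUP" for every auth-stack pam_succeed_if line that tests
# group membership. The control field tells the reviewer what the line does:
# "[success=done ...]" or "sufficient" ends the stack, "success=N" skips N modules.
pam_group_conditions() {
    awk '$1 == "auth" && /pam_succeed_if\.so/ {
            # a bracketed control like "[success=done default=ignore]" spans fields
            ctl = $2; i = 2
            if (ctl ~ /^\[/) while (i < NF && ctl !~ /\]$/) { i++; ctl = ctl " " $i }
            for (j = 1; j <= NF; j++) if ($j == "ingroup") print ctl "\t" $(j + 1)
         }' "$1"
}

# Comma-separated members of GROUP from a group-format file (field 4).
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# One line per exemption: group, the control that grants it, and who is in the group.
report_mfa_exemptions() {
    pam_file="$1"; group_file="$2"
    pam_group_conditions "$pam_file" | while IFS="$(printf '\t')" read -r ctl grp; do
        echo "$grp ($ctl): members=$(group_members "$grp" "$group_file")"
    done
}

# --- constructed sample input (not real system files) ---
SAMPLE_SSHD=$(mktemp); SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD" "$SAMPLE_GROUP"' EXIT

cat > "$SAMPLE_SSHD" <<'EOF'
# constructed excerpt of /etc/pam.d/sshd with the bypass line from the post
auth [success=done default=ignore] pam_succeed_if.so user ingroup mfa-bypass
# placeholder for the site's MFA module; the line above skips it for group members
auth required pam_example_mfa.so
@include common-auth
EOF

cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
mfa-bypass:x:1001:alice,bob
EOF

report_mfa_exemptions "$SAMPLE_SSHD" "$SAMPLE_GROUP"
```

On the sample data this prints `mfa-bypass ([success=done default=ignore]): members=alice,bob`, which is the list a reviewer needs: the exempt group, why the exemption fires, and the accounts that no longer face the MFA prompt.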