Enforce Password Complexity Policy On Ubuntu 18.04

0
5405

Hello folks. Today, we are going to learn how to enforce password complexity policy on Ubuntu 18.04. As you realize, the traditional way of using passwords is still the major method of authenticating to various services. As a result, it is a good idea for every system admin to ensure that strong password policy is enforced since it is always the first line of defense security wise.

Enforce Password Complexity Policy On Ubuntu 18.04

In this guide, we are going to learn how to use the Pluggable Authentication Module (PAM) to enforce password complexity policy on Ubuntu 18.04. PAM is an authentication and security framework that is used to set authentication policies for specific applications/services in Linux system. Note that any error in PAM configuration may completely disable access to a system service. Hence, be sure on the configs.

Are you also looking at protecting single user mode with password on Ubuntu 18? See our previous article on how to by following the link below;

Install PAM on Ubuntu 18.04

In order to enforce password complexity policy on Ubuntu 18.04, you need to have pam_pwquality module that is provided by the libpam_pwquality library. This module checks the strength of the password against a system dictionary and a set of rules for identifying poor choices. It replaces the libpam_cracklib module. Run the command below to verify if PAM pwquality library is installed on Ubuntu 18.04;

apt-cache policy *pam-pwquality*
libpam-pwquality:
  Installed: (none)
  Candidate: 1.4.0-2
  Version table:
     1.4.0-2 500
        500 http://ke.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

As you can see from the output above, no PAM pwquality library is installed. Hence, if it is not installed, you can install it as shown below;

apt install libpam-pwquality

Now that we have the right module in place, let us see how to enforce password complexity policy on Ubuntu 18.04 with pam_pwquality module. To enforce password complexity policy on Ubuntu 18.04, you need to edit the /etc/pam.d/common-password configuration file. However, make a copy of this file before you make any adjustments.

cp /etc/pam.d/common-password /etc/pam.d/common-password.original

There are different options that can be passed to the pam_pwquality to enforce password complexity policy on Ubuntu 18.04. Some of the options that we are going to use in this guide include dcredit, ucredit, lcredit, ocredit, minlen, reject_username, enforce_for_root, retry.

Once you have made the backup of the /etc/pam.d/common-password configuration file, open it for editing. Find the line below;

password        requisite                       pam_pwquality.so retry=3

Comment it and replace with the line below;

password        requisite                       pam_pwquality.so retry=3 minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root

Below is a description of the options used;

retry=3: This options sets a number of times you are prompted to enter a right password before the returning an error. This is set to 3 in this case.
minlen=8: Sets the minimum acceptable size for the new password.
difok=3: Specifies the number of characters that should be similar to the characters in the previous password.
lcredit=-1: Sets the minimum number of lower case letters that the password should contain.
ucredit=-1: Sets the minimum number of upper case letters on a password.
dcredit=-1: Sets the minimum number of digits to be contained in a password.
ocredit=-1: Set the minimum number of other symbols such as @, #, ! $ % etc on a password.
reject_username: Rejects the password if contains the name of the user in either straight or reversed form.
enforce_for_root: Ensures that even if it is the root user that is setting the password, the complexity policies should be enforced. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway.

Note that when setting the password credits, the negative number sets the minimum value while the positive number sets the maximum values.

If you need to see more options for enforcing password complexity, run man pam_pwquality.

Test the Password Complexity enforcement

To test this, as a user amos, am going to try 3 password that doesn’t meet the requirements above (At least 8 characters, a digit, a lower case, a symbol and an upper case letter).

[email protected]:~$ passwd
Changing password for amos.
(current) UNIX password: 
New password: 
BAD PASSWORD: The password is too similar to the old one
New password: 
BAD PASSWORD: The password contains less than 1 digits
New password: 
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

Next, am going to use a more complex password that meets the above defined policy: [email protected].

[email protected]:~$ passwd
Changing password for amos.
(current) UNIX password: amos123
New password: [email protected] Retype new password: [email protected] passwd: password updated successfully

Test the password change as root user.

[email protected]:~# passwd amos
New password: 
BAD PASSWORD: The password contains less than 1 uppercase letters
New password: 
BAD PASSWORD: The password contains less than 1 digits
New password: 
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
[email protected]:~# passwd amos
New password: [email protected]
Retype new password: [email protected]
passwd: password updated successfully

That is it. That is all it takes to enforce password complexity policy on Ubuntu 18.04. We hope this was informative. Enjoy

LEAVE A REPLY

Please enter your comment!
Please enter your name here