Is it possible to set user password policy based on group membership in Linux?
You say that you know how to enforce a password policy system-wide, but I'll reiterate what to do for anyone who doesn't. You can use a PAM module, pam_cracklib.so, that checks to make sure a password meets certain criteria before allowing the password to be applied to an account. In Ubuntu, the package libpam-cracklib installs this module, and applies the following line to the top of /etc/pam.d/common-password, the file that deals with changing a user's password:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
Various options can be passed to pam_cracklib.so, and in this case a minimum length of 8 is specified with a requirement of 3 character changes from the old password. See http://linux.die.net/man/8/pam_cracklib for a detailed list of every option available.
To limit one policy to a certain group of users, it is possible to utilise the pam_succeed_if.so module, which only succeeds if a user matches various criteria. For example, to enforce a password policy like the one above, but leaving users in the 'sudo' group exempt, use:
password [success=1 default=ignore] pam_succeed_if.so user ingroup sudo
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
This tells PAM to check if the user matches group 'sudo', then skip the next module if that succeeds. Otherwise, continue on with the next module, which enforces a password policy.
However, if using a PAM module with the option use_authtok, like the default Ubuntu pam_unix.so configuration with pam_cracklib.so installed, this will not work quite right. Since pam_unix.so depends on a previous module having set the current user password and desired password, should the pam_succeed_if.so module succeed then passwd will error out with passwd: Authentication token manipulation error. The way I got around it was to use a second pam_unix.so line:
password [success=2 default=ignore] pam_succeed_if.so user ingroup sudo
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_unix.so obscure sha512
In this example, should the user be in group 'sudo', control skips 2 modules down to the final pam_unix.so line which does not include use_authtok. Should it fail however, control passes to pam_cracklib.so, then to the dependent pam_unix.so.
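As an added illustration, not part of the answer above, here is a small Python model of how PAM walks the two password stacks it describes: the first (group skip landing on a use_authtok pam_unix.so line) and the corrected four-line version. It is a constructed simulation, not libpam, and assumes a plain 'required' control on the first stack's pam_unix.so line as a stand-in for the distribution default.

```python
# Constructed model of how PAM walks the 'password' stacks from the answer.
# Only the behaviours the answer relies on are modelled: [success=N
# default=ignore] jumps, requisite failure, and a pam_unix.so line with
# use_authtok needing an earlier module to have stored the new password.
# Not libpam; the 'required' control on BROKEN_STACK's pam_unix.so line is
# an assumed stand-in for the distribution default.

BROKEN_STACK = [
    ("success=1 default=ignore", "pam_succeed_if.so", "user ingroup sudo"),
    ("requisite", "pam_cracklib.so", "retry=3 minlen=8 difok=3"),
    ("required", "pam_unix.so", "obscure use_authtok try_first_pass sha512"),
]

FIXED_STACK = [
    ("success=2 default=ignore", "pam_succeed_if.so", "user ingroup sudo"),
    ("requisite", "pam_cracklib.so", "retry=3 minlen=8 difok=3"),
    ("success=2 default=ignore", "pam_unix.so", "obscure use_authtok try_first_pass sha512"),
    ("success=1 default=ignore", "pam_unix.so", "obscure sha512"),
]

def run_stack(stack, user_groups, new_password):
    """Return (outcome, list of the module lines that actually ran)."""
    executed, authtok_set, i = [], False, 0
    while i < len(stack):
        control, module, opts = stack[i]
        executed.append(f"{module} {opts}")
        if module == "pam_succeed_if.so":            # 'user ingroup <group>'
            ok = opts.split()[-1] in user_groups
        elif module == "pam_cracklib.so":             # enforce minlen, store authtok
            minlen = int(opts.split("minlen=")[1].split()[0])
            ok = len(new_password) >= minlen
            authtok_set = ok
        elif module == "pam_unix.so":
            if "use_authtok" in opts and not authtok_set:
                return "passwd: Authentication token manipulation error", executed
            ok, authtok_set = True, True
        else:
            ok = True
        if control.startswith("success="):           # [success=N default=ignore]
            skip = int(control.split()[0].split("=")[1])
            i += 1 + skip if ok else 1
            continue
        if not ok:                                    # requisite/required failure
            return "password check failed", executed
        i += 1
    return "password updated", executed
```

Running run_stack(FIXED_STACK, {"sudo"}, "abc") shows the sudo member reaching only the final pam_unix.so line, while the same call against BROKEN_STACK reproduces the token manipulation error.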
Amit Singh
Updated on September 18, 2022
Comments
- Amit Singh over 1 year: I wanted to set a password restriction policy like minlen, maxage, minage etc. I know the way to do it system-wide, but can it be done for a particular group of users? I mean only users under the group admin should comply with these restrictions and other users should comply with these restrictions..
- Amit Singh almost 11 years: Great help sir, it worked.
- Amit Singh almost 11 years: I have 1 more query. I want that whenever a user runs the passwd command it should display some banner like "minimum length required = 8" etc.
- Xenopathic almost 11 years: For this you can use pam_echo.so, a module that simply echoes out a message. For example, to echo out the contents of a file that details what a good password is, use
password optional pam_echo.so file=/usr/share/doc/good-password.txt
putting that line before any others in common-password.
- Xenopathic almost 11 years: Also, if the answer above worked for you, please don't forget to mark it as accepted.