Is it possible to set user password policy based on group membership in Linux?


You say that you know how to enforce a password policy system-wide, but I'll reiterate what to do for anyone who doesn't. You can use a PAM module, pam_cracklib.so, that checks to make sure a password meets certain criteria before allowing the password to be applied to an account. In Ubuntu, the package libpam-cracklib installs this module, and applies the following line to the top of /etc/pam.d/common-password, the file that deals with changing a user's password:

password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3

Various options can be passed to pam_cracklib.so, and in this case a minimum length of 8 is specified with a requirement of 3 character changes from the old password. See http://linux.die.net/man/8/pam_cracklib for a detailed list of every option available.

To limit one policy for a certain group of users, it is possible to utilise the pam_succeed_if.so module, that only succeeds if a user matches various criteria. For example, to enforce a password policy like the one above, but leaving users in the 'sudo' group exempt, use:

password    [success=1 default=ignore]  pam_succeed_if.so user ingroup sudo
password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3

This tells PAM to check if the user matches group 'sudo', then skip the next module if that succeeds. Otherwise, continue on with the next module, which enforces a password policy.

However, if using a PAM module with the option use_authtok, like the default Ubuntu pam_unix.so configuration with pam_cracklib.so installed, this will not work quite right. Since pam_unix.so depends on a previous module having set the current user password and desired password, should the pam_succeed_if.so module succeed then passwd will error out with "passwd: Authentication token manipulation error". The way I got around it was to use a second pam_unix.so line:

password    [success=2 default=ignore]  pam_succeed_if.so user ingroup sudo
password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    [success=1 default=ignore]  pam_unix.so obscure sha512

In this example, should the user be in group 'sudo', control skips 2 modules down to the final pam_unix.so line, which does not include use_authtok. Should it fail, however, control passes to pam_cracklib.so, then to the dependent pam_unix.so.
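To make the control flow concrete, here is an added Python model of how PAM walks the password lines above; it is not code from the answer or from Linux-PAM. The module names, control fields and option strings are the ones quoted in the answer; everything else (the Module class, parse_stack, run_stack, the "user in group" and "password length" checks standing in for the real modules) is an assumption of the model. It ignores retry/difok and the two-pass (preliminary check, then update) run that real PAM performs, and it models only the modules that appear in the answer.

```python
"""Model of a Linux-PAM `password` stack walk (constructed example).

Shows why '[success=1 ...] pam_succeed_if.so' followed by a pam_unix.so line
that uses use_authtok errors out for exempt users, and why the two-line
pam_unix.so variant works.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Module:
    name: str       # e.g. "pam_unix.so"
    control: str    # "requisite" or "[success=N default=ignore]"
    args: tuple     # module options, e.g. ("minlen=8", "use_authtok")


def parse_line(line: str) -> Module:
    """Parse one 'password ...' line as found in /etc/pam.d/common-password."""
    parts = line.split()
    if parts[0] != "password":
        raise ValueError("only 'password' lines are modelled")
    if parts[1].startswith("["):
        # bracketed control fields contain spaces: "[success=2 default=ignore]"
        end = next(i for i, p in enumerate(parts) if p.endswith("]"))
        control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
    else:
        control, rest = parts[1], parts[2:]
    return Module(rest[0], control, tuple(rest[1:]))


def parse_stack(text: str) -> list[Module]:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def run_stack(stack: list[Module], groups: set[str], new_password: str):
    """Walk the stack for one user. Returns (status, names of modules executed).

    Assumed stand-ins for the real modules:
      pam_succeed_if.so  'user ingroup G' succeeds iff G is in `groups`
      pam_cracklib.so    succeeds iff the password meets minlen; on success it
                         stashes the token for later modules (use_authtok)
      pam_unix.so        with use_authtok needs a stashed token, else it fails
                         with the passwd error quoted in the answer
    """
    executed, authtok, changed, i = [], None, False, 0
    while i < len(stack):
        m = stack[i]
        executed.append(m.name)
        if m.name == "pam_succeed_if.so":
            ok = m.args[:2] == ("user", "ingroup") and m.args[2] in groups
        elif m.name == "pam_cracklib.so":
            # 9 is pam_cracklib's documented default minlen; difok/retry are ignored
            minlen = int(next((a.split("=")[1] for a in m.args
                               if a.startswith("minlen=")), "9"))
            ok = len(new_password) >= minlen
            if ok:
                authtok = new_password
        elif m.name == "pam_unix.so":
            if "use_authtok" in m.args and authtok is None:
                return "error: Authentication token manipulation error", executed
            ok, changed = True, True          # without use_authtok it prompts itself
        else:
            raise ValueError(f"unmodelled module {m.name}")

        if m.control == "requisite":
            if not ok:
                return "failed: new password rejected", executed
            i += 1
        else:
            # [success=N default=ignore]: skip N modules on success, else go on
            n = int(re.search(r"success=(\d+)", m.control).group(1))
            i += 1 + n if ok else 1
    return ("changed" if changed else "failed: no module changed the password"), executed


# Single-skip variant from the answer plus Ubuntu's default pam_unix.so line
# (the one carrying use_authtok once libpam-cracklib is installed).
BROKEN = """
password    [success=1 default=ignore]  pam_succeed_if.so user ingroup sudo
password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3
password    [success=1 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
"""

# The answer's working configuration with the second pam_unix.so line.
WORKING = """
password    [success=2 default=ignore]  pam_succeed_if.so user ingroup sudo
password    requisite           pam_cracklib.so retry=3 minlen=8 difok=3
password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
password    [success=1 default=ignore]  pam_unix.so obscure sha512
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("working", WORKING)):
        for groups in ({"sudo"}, set()):
            print(label, sorted(groups), run_stack(parse_stack(cfg), groups, "x"))
```

Running the script prints, for each configuration, which modules were reached for a user in 'sudo' and for an ordinary user: the broken stack reaches pam_unix.so with no stashed token for the exempt user, while the working stack jumps straight to the pam_unix.so line without use_authtok.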

Author: Amit Singh

Updated on September 18, 2022

Comments

  • Amit Singh over 1 year

    I wanted to set a password restriction policy like minlen, maxage, minage etc…

    I know the way to do it system-wide, but can it be done for a particular group of users?

    I mean only users under the admin group should comply with these restrictions and other users should comply with these restrictions.

  • Amit Singh almost 11 years
    Great help sir, it worked.
  • Amit Singh almost 11 years
    I have one more query: I want that whenever a user runs the passwd command it should display some banner like "minimum length required = 8" etc.
  • Xenopathic almost 11 years
    For this you can use pam_echo.so, a module that simply echoes out a message. For example, to echo out the contents of a file that details what a good password is, use "password optional pam_echo.so file=/usr/share/doc/good-password.txt", putting that line before any others in common-password.
  • Xenopathic almost 11 years
    Also, if the answer above worked for you, please don't forget to mark it as accepted.