How to Set Up a Strong Password Policy on Ubuntu Linux


The tutorial provides instructions on how to establish a strict password policy on Ubuntu 18.04 or 16.04. This includes configuring password expiry rules and using the pam_pwquality module to enforce various restrictions such as password length, repetition of characters, and mandating both upper and lower case characters. This enhances the system’s security against potential attacks.

This brief tutorial shows students and new users how to set up a firm password policy on Ubuntu 18.04 | 16.04.

Out of the box, Ubuntu machines are not set up with an advanced password policy. Any password, including a weak one, can be used, and passwords never expire. This may not be secure in some environments.

To configure a more secure password policy and protect your users from hackers and intrusions, you need to take some steps, and this post shows you how to do that.

Ubuntu is an open-source Linux operating system that runs on desktops, laptops, servers, and other devices.

When you’re ready to set up a firm password policy on Ubuntu, follow the steps below:

Ensure Passwords Expire

In most business environments, user passwords are configured to expire every 60 to 90 days. Desktop systems are usually not configured this way, so a single password can be used forever.

If you want to configure Ubuntu to force users to change passwords regularly, run the command below to open the /etc/login.defs file.

sudo nano /etc/login.defs

For example, if you want the account password to be changed every 60 days, with at least one day between changes, edit the lines shown below in the file.

You can also set the number of days a warning is given before a password expires.

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7

Save the file and exit.
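
The values in /etc/login.defs are applied only when an account is created; existing accounts keep the aging fields already stored in /etc/shadow until they are changed with chage. The script below is an added example, not part of the original tutorial: it compares each password-bearing account against the PASS_* values and prints the chage command that would bring it into line. The helper names (get_def, audit_aging, make_samples) and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: print chage commands for accounts whose aging fields in a
# shadow-format file differ from the PASS_* values in a login.defs-format file.

# Read one setting (e.g. PASS_MAX_DAYS) from a login.defs-format file.
get_def() {
    awk -v key="$1" '$1 == key { val = $2 } END { print val }' "$2"
}

# $1 = shadow-format file, $2 = login.defs-format file
audit_aging() {
    max=$(get_def PASS_MAX_DAYS "$2")
    min=$(get_def PASS_MIN_DAYS "$2")
    warn=$(get_def PASS_WARN_AGE "$2")
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        # Skip entries with no usable password (empty, or starting with ! or *).
        $2 == "" || $2 ~ /^[!*]/ { next }
        # Fields 4, 5, 6 are min days, max days and warning days.
        $4 != min || $5 != max || $6 != warn {
            printf "chage -m %s -M %s -W %s %s\n", min, max, warn, $1
        }' "$1"
}

# Constructed sample files (made-up accounts, placeholder hashes).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/login.defs" <<'EOF'
# PASS_MAX_DAYS comment line, ignored
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF
    cat > "$dir/shadow" <<'EOF'
root:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$constructed$placeholder:18000:0:99999:7:::
bob:$6$constructed$placeholder:18500:1:60:7:::
EOF
    echo "$dir"
}

# Demo on the constructed files; on a real system run as root:
#   audit_aging /etc/shadow /etc/login.defs
d=$(make_samples)
audit_aging "$d/shadow" "$d/login.defs"
rm -rf "$d"
```

Review the printed chage lines before running any of them with sudo; service accounts may be exempt from expiry on purpose.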

Configure PAM Password Module

A PAM module called pam_pwquality can be installed on Ubuntu to require strong passwords for system users. pam_pwquality performs several basic checks, just like the older pam_cracklib module, including rejecting passwords that contain words from the user's GECOS field, rejecting passwords with more than N repeated characters, and many other password-related checks.

To install and use the pam_pwquality module, run the command below:

sudo apt install libpam-pwquality cracklib-runtime

The pam_pwquality module is configured in /etc/pam.d/common-password. Run the command below to edit the file.

sudo nano /etc/pam.d/common-password

A reasonable password policy follows guidelines similar to these:

  • Allow N retries before returning an error [retry=3]
  • Set a minimum password length [minlen=8]
  • Limit the number of identical consecutive characters [maxrepeat=3]
  • Password must have uppercase characters [ucredit=-1]
  • Password must have lowercase characters [lcredit=-1]
  • Reject passwords containing words from the account's GECOS field [gecoscheck=1]

Edit the pam_pwquality.so line as shown below, adding the requirements above that you want to enforce.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so

Adjust the settings above to fit your environment. When done, reboot your machine, and the changes should apply.

That’s it!

Conclusion:

This post showed you how to set up a firm password policy on Ubuntu 18.04 | 16.04. If you find errors in the above, please use the form below to report.

Thanks,
