This is a discussion on Enforce password policy on Linux within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I am supposed to enforce password policy on some RedHat systems. That is:

- make sure that passwords consist of at least 3 digits
- make sure that passwords consist of at least 3 letters
- make sure that passwords consist of at least 1 special character

Is there a config file where you can implement these requirements? In /etc/login.defs you can just play around with min./max age and min. length of the password.

Thanks
Per Arve
Nico Kadel-Garcia <nkadel@verizon.net> writes:
> Per Arve wrote:
>
> > Hi,
> > I am supposed to enforce password policy on some RedHat systems. That
> > is:
> > - make sure that passwords consist of at least 3 digits
> > - make sure that passwords consist of at least 3 letters
> > - make sure that passwords consist of at least 1 special character
> > Is there a config file where you can implement these requirements?
> > In
> > /etc/login.defs you can just play around with min./max age and min.
> > length of the password.
> > Thanks
> > Per Arve
>
> There are, unfortunately, a bunch of ways to change passwords under
> Linux systems. Enforcing this kind of rule would have to be
> implemented with a tool that they are *forced* to use.

There is a PAM module[1] at http://www.openwall.com/ which does configurable password quality control (pam_passwdqc) - the internal checking is easy to borrow if you don't want to use PAM.

Sorry, I don't know how to enforce that this is always used - that's not an issue at my site.

cheers,
Jamie

[1] redundant I know, but it just sounds wrong without it.

--
James Riden / j.riden@massey.ac.nz / Systems Programmer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
Begin of quotation of someone named perarve@hotmail.com (Per Arve):
> >
> > There are, unfortunately, a bunch of ways to change passwords under
> > Linux systems. Enforcing this kind of rule would have to be implemented
> > with a tool that they are *forced* to use.
> >
> > Hmm. Are you in a shared environment where you can publish passwords
> > from a central server that forces the use of a specific tool, such as
> > NIS or LDAP with a web client?
>
> The systems are supposed to be standalone systems, NIS or LDAP can't be used.

Yank the source of /usr/bin/passwd, define your input-checks, re-compile and put it back in the system.

Or
rename passwd > passwd-2, write a wrapper (name it login for obvious reasons) that checks the input and passes it on to login-2.

Or
Find a suitable tool on Sourceforge or from a commercial vendor.

Or
Since you use Red-Hat, it already uses PAM to wrap logins, so configure PAM to your liking.

cor

--
Operatingsystem is just a name you gave to the rest of those idiosyncratic machine-related features you left out of your editor.
Computers are so dumb, only 10 Genius + 10 Madman Grok it, I'm all four.
(setq reply-to(concatenate 'string "Cor Gest ""<cor" '(#\@) "clsnet.nl>"))
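The "input-checks" for the policy in the original question (at least 3 digits, 3 letters, 1 special character) could look like the following. This is an added example, not code from any poster in the thread; the function names are hypothetical, and it assumes "letter" means an ASCII letter and "special" means ASCII punctuation (a space does not count). It only checks a candidate password; as the replies note, it still has to be hooked into every path that can change a password.

```shell
#!/bin/sh
# Added example: character-class check for a candidate password.
# Assumed policy (from the question): >=3 digits, >=3 letters, >=1 special.

# count_class CLASS STRING: print how many bytes of STRING fall in CLASS.
# LC_ALL=C pins the classes to ASCII so the result does not depend on the
# system locale; non-ASCII bytes are counted in no class.
count_class() {
    printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# check_policy PASSWORD: return 0 if compliant, else print the reasons to
# stderr and return 1. Every failed rule is reported, not just the first.
check_policy() {
    pw=$1
    rc=0
    digits=$(count_class '[:digit:]' "$pw")
    letters=$(count_class '[:alpha:]' "$pw")
    specials=$(count_class '[:punct:]' "$pw")
    [ "$digits" -ge 3 ] || { echo "need at least 3 digits (found $digits)" >&2; rc=1; }
    [ "$letters" -ge 3 ] || { echo "need at least 3 letters (found $letters)" >&2; rc=1; }
    [ "$specials" -ge 1 ] || { echo "need at least 1 special character" >&2; rc=1; }
    return "$rc"
}

# check_policy_stdin: read one line from stdin and check it. A wrapper
# should feed the candidate this way rather than as a command-line
# argument, which other local users could see in the process list.
# Returns 2 when stdin is empty.
check_policy_stdin() {
    IFS= read -r pw_in || [ -n "$pw_in" ] || return 2
    check_policy "$pw_in"
}
```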