3

I want to set the system-wide password policy on an Ubuntu 12.04 LTS server. Googling around, a lot of people point to this (very old) document:

https://help.ubuntu.com/10.04/serverguide/user-management.html

It says to edit the /etc/pam.d/common-password file and look for the password required line:

password    required    pam_unix.so nullok obscure min=6 max=8 md5

To set the minimum password length, adjust the min= setting.

However, on 12.04, my file looks like this (comments removed):

password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite           pam_deny.so
password    required            pam_permit.so

Which line do I change? The one with pam_unix.so? Or the one with password required? Or is it now in some other file? There's nothing in that file's comments about setting the password policies.

Improve this question

2 Answers 2

Reset to default
4

You need to change the first line password [success=1 default=ignore] pam_unix.so obscure sha512

But don't use md5 since the new one is using sha512. If you want to set a minimum password length (8) use the line below

password        [success=2 default=ignore]      pam_unix.so obscure sha512 min=8
Improve this answer
4

pam_unix is the PAM module that handles authentication with a user name and password, so that's where you would configure a password policy.

In the PAM configuration, the first column indicates the management group. Here, it's password, which configures updates of users' authentication data. The second column specifies the control flow between the different modules, don't touch it unless you know what you're doing. The third column is the module name and the subsequent columns are parameters to this module.

Look in the pam_unix documentation, or better in the pam_unix man page on your system, to see what options are supported. Add the options you want, e.g.

password    [success=1 default=ignore]  pam_unix.so obscure sha512 rounds=10000 minlen=8

You might want to add other modules to perform complexity checks on the password, such as pam_cracklib. Set pam_cracklib as required and put it before pam_unix (which validates the password change):

password    required                    pam_cracklib.so retry=3 difok=1 minlen=10
password    [success=1 default=ignore]  pam_unix.so obscure sha512 rounds=10000 minlen=8
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.