How to enforce password complexity policies in Linux

Introduction

Maintaining strong password policies is crucial for securing Linux systems. This tutorial will guide you through understanding the fundamentals of Linux password policies, configuring password complexity requirements, and enforcing these policies to enhance the overall security of your Linux environment.

Understanding Linux Password Policy Files

Linux systems use several configuration files to manage password policies. In this step, we will explore these files and understand their purpose in password management.

Exploring Password Policy Configuration Files

Let's start by examining the key configuration files that control password policies in Ubuntu:

First, open a terminal by clicking on the terminal icon in the desktop environment.
Let's look at the /etc/login.defs file, which contains basic password policy settings:
```
cat /etc/login.defs | grep "^PASS_"
```
You should see output similar to this:
```
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
```
These settings control:
- PASS_MAX_DAYS: Maximum number of days a password remains valid
- PASS_MIN_DAYS: Minimum number of days required between password changes
- PASS_WARN_AGE: Number of days of warning before password expiration
Another important file is /etc/pam.d/common-password, which manages the PAM (Pluggable Authentication Modules) settings for password authentication:
```
cat /etc/pam.d/common-password
```
This file contains multiple lines configuring how passwords are managed, including complexity requirements.
The system uses the pwquality library to enforce password quality. Let's check if it's installed:
```
dpkg -l | grep libpwquality
```
If it's not installed, we can install it:
```
sudo apt update
sudo apt install -y libpam-pwquality
```
Now, let's examine the password quality configuration file:
```
cat /etc/security/pwquality.conf
```
This file might have most lines commented out with #, which means default values are being used.

Understanding Password Policy Parameters

Here are the key parameters you can configure:

minlen: Minimum password length
dcredit: Credit for digits in password
ucredit: Credit for uppercase characters
lcredit: Credit for lowercase characters
ocredit: Credit for special characters
retry: Number of retries for entering a new password
enforce_for_root: Whether to enforce these policies for the root user

These parameters provide a comprehensive framework for controlling password complexity and security in your Linux system.

Configuring Basic Password Policies

In this step, we will configure basic password policies by modifying the /etc/login.defs file to set password aging requirements.

Setting Password Aging Parameters

Let's first make a backup of the original file:

sudo cp /etc/login.defs /etc/login.defs.backup

Now, open the file for editing using nano:
```
sudo nano /etc/login.defs
```
In the editor, look for these parameters (use Ctrl+W to search):
```
PASS_MAX_DAYS
PASS_MIN_DAYS
PASS_WARN_AGE
```
Change these values to implement a more secure password aging policy:
- Change PASS_MAX_DAYS from 99999 to 90 (passwords expire after 90 days)
- Change PASS_MIN_DAYS from 0 to 7 (minimum 7 days between password changes)
- Change PASS_WARN_AGE from 7 to 14 (warn users 14 days before password expiration)
Save the file by pressing Ctrl+O, then Enter, and exit with Ctrl+X.

Verify your changes:

cat /etc/login.defs | grep "^PASS_"

You should see:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_WARN_AGE   14

Testing the Policy on a New User

Let's create a test user to see how these policies apply:

Create a new user:
```
sudo useradd -m testuser
```
Set a password for the new user:
```
sudo passwd testuser
```
Enter a simple password when prompted (we'll strengthen it in later steps).
Check the password aging information for the new user:
```
sudo chage -l testuser
```
You should see that the password policies have been applied to this new user, showing the expiration date based on your settings.

Note that these changes only apply to new accounts or when a password is changed. Existing accounts maintain their previous settings until you update them manually.

Configuring Password Complexity Requirements

In this step, we will configure password complexity rules to enforce strong passwords on our system.

Setting Up Password Complexity Rules

First, let's make a backup of the PAM configuration file:

sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.backup

Now, open the file for editing:
```
sudo nano /etc/pam.d/common-password
```
Look for a line containing pam_pwquality.so. It may look something like this:
```
password        requisite                       pam_pwquality.so retry=3
```
Modify this line to add complexity requirements. Replace it with:
```
password        requisite                       pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 enforce_for_root
```
This configuration means:
- minlen=12: Minimum password length is 12 characters
- dcredit=-1: At least 1 digit is required
- ucredit=-1: At least 1 uppercase letter is required
- lcredit=-1: At least 1 lowercase letter is required
- ocredit=-1: At least 1 special character is required
- enforce_for_root: Apply these policies to the root user too
Save the file by pressing Ctrl+O, then Enter, and exit with Ctrl+X.

Configuring Additional Parameters in pwquality.conf

Now, let's modify the pwquality configuration file for additional controls:

sudo cp /etc/security/pwquality.conf /etc/security/pwquality.conf.backup
sudo nano /etc/security/pwquality.conf

Uncomment (remove the ## at the beginning) and modify these lines, or add them if they don't exist:
```
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 4
enforce_for_root = 1
```
The difok = 4 parameter requires at least 4 characters to be different from the previous password.
Save the file by pressing Ctrl+O, then Enter, and exit with Ctrl+X.

Testing the New Password Complexity Policy

Let's test our new policy by changing the password for our test user:
```
sudo passwd testuser
```
Try entering a simple password like password123. The system should reject it for not meeting the complexity requirements.
Now try a complex password that meets all requirements, such as Secure@Password123.

If you have configured everything correctly, the system should accept this password.

The complexity requirements ensure that users create strong passwords, making it harder for attackers to guess or crack them.

Implementing Password History Controls

In this step, we will configure password history controls to prevent users from reusing their recent passwords.

Configuring Password History

First, let's make a backup of the PAM configuration file if you haven't already:
```
sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.backup2
```
Open the file for editing:
```
sudo nano /etc/pam.d/common-password
```

Look for a line containing pam_unix.so. It might look like this:

password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512

Modify this line to add the remember parameter. Add remember=5 at the end of the line:
```
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
```
This will prevent users from reusing any of their 5 most recent passwords.
Save the file by pressing Ctrl+O, then Enter, and exit with Ctrl+X.

Understanding How Password History Works

The remember=5 parameter instructs the system to store the hashes of the last 5 passwords for each user. When a user attempts to change their password, the system compares the new password against these stored hashes to ensure it's not being reused.

The password history is stored in the /etc/security/opasswd file. Let's check if this file exists:

ls -la /etc/security/opasswd

If it doesn't exist, it will be created automatically when the first user changes their password with the new policy in place.

Testing Password History

Let's try changing the test user's password multiple times to see the history mechanism in action:
```
sudo passwd testuser
```
Set a complex password like Complex@Password1.
Now try to change it again immediately:
```
sudo passwd testuser
```
Try setting the same password again. The system should reject it due to the history policy.
Try this a few more times with different passwords, then try to reuse an earlier password. You should find that you cannot reuse any of your 5 most recent passwords.

This password history mechanism adds another layer of security by preventing password reuse, which is a common security weakness.

Applying Password Policies to Existing Users

In this final step, we will learn how to apply our new password policies to existing users and manage user password information.

Understanding Password Expiration Management

When you change password policies in /etc/login.defs, the new settings only apply to newly created users or when you manually update existing users. Let's see how to manage existing users:

First, check the current status of a user account:
```
sudo chage -l labex
```
This displays the password aging information for the current user.
To force a user to change their password at next login:
```
sudo chage -d 0 testuser
```
This sets the last password change date to 0, forcing a password change at next login.
To manually set the password expiration date:
```
sudo chage -E $(date -d "90 days" +%Y-%m-%d) testuser
```
This sets the account expiration date to 90 days from today.

Setting Maximum Password Age for Existing Users

To apply the maximum password age policy to an existing user:

sudo chage -M 90 testuser

This sets the maximum password age to 90 days for the user.

Setting Minimum Password Age for Existing Users

To apply the minimum password age policy to an existing user:

sudo chage -m 7 testuser

This sets the minimum password age to 7 days for the user.

Setting Password Expiration Warning for Existing Users

To apply the password expiration warning policy to an existing user:

sudo chage -W 14 testuser

This sets the password expiration warning period to 14 days for the user.

Viewing User Password Information

You can check a user's password information using several commands:

View all local user accounts:
```
cat /etc/passwd
```
Check password status for a specific user:
```
sudo passwd -S testuser
```
List users with a specific password setting:
```
awk -F: '($3 >= 1000) {print $1}' /etc/passwd
```
This lists all regular users on the system (UID >= 1000).

Applying Policies to All Users

To apply the new password policies to all regular users on the system, you could use a simple script. Here's an example:

for user in $(awk -F: '($3 >= 1000) && ($3 < 60000) {print $1}' /etc/passwd); do
  echo "Updating password policy for user: $user"
  sudo chage -M 90 -m 7 -W 14 $user
done

This script updates all regular users with our new password aging policies.

By applying these policies to existing users, you ensure consistent password security across your entire system.

Summary

In this lab, you have learned how to configure and enforce robust password policies in Linux. You have:

Explored the key configuration files that control password policies
Configured basic password aging policies to ensure regular password updates
Implemented strong password complexity requirements to enforce secure passwords
Set up password history controls to prevent password reuse
Learned how to apply password policies to existing users

These password policy configurations are essential for maintaining a secure Linux environment. By implementing strong password requirements, regular password rotation, and preventing password reuse, you have significantly improved the security posture of your system against unauthorized access and potential breaches.

Remember that effective password policies are just one aspect of a comprehensive security strategy. They should be combined with other security measures such as regular system updates, proper user management, and ongoing security monitoring.