Enforcing strong passwords in Linux using PAM (Pluggable Authentication Modules)


In this post I am going to share how to force users to set strong passwords in Linux using the pam_cracklib module in PAM.
It helps to provide a baseline of password security for all users on the system.
Note: if root changes the password of any user, this policy is not enforced for root. Root bypasses the policy.
Example:

  • Prompt up to 2 times for a new password before returning an error (retry option)
  • 8 characters minimum length (minlen option)
  • at least 6 characters should be different from old password when entering a new one (difok option)
  • at least 1 digit (dcredit option)
  • at least 1 uppercase (ucredit option)
  • at least 1 other character (ocredit option)
  • at least 1 lowercase (lcredit option)

Edit the /etc/pam.d/passwd file and enter the following:
#%PAM-1.0
password required pam_cracklib.so retry=2 minlen=8 difok=6 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password required pam_unix.so use_authtok sha512 shadow
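To make the interaction between minlen, the four credit options and difok concrete, here is an added illustration (my own code, not part of the original post and not pam_cracklib itself) that applies the policy from the line above to candidate passwords and reports why one is rejected. It assumes the documented semantics of pam_cracklib(8): a negative credit is a minimum count for that class, a positive credit is a bonus toward minlen, and difok is modeled as the Levenshtein distance to the old password, with a new password at least twice as long as the old one exempt from that check; the dictionary and palindrome checks of the real module are left out.

```python
import string

# Constructed policy: the same values as the pam_cracklib line in /etc/pam.d/passwd.
POLICY = {"minlen": 8, "difok": 6, "dcredit": -1, "ucredit": -1,
          "lcredit": -1, "ocredit": -1}

# Character classes for the d/u/l credits; anything else is the "other" class.
CLASSES = {
    "dcredit": set(string.digits),
    "ucredit": set(string.ascii_uppercase),
    "lcredit": set(string.ascii_lowercase),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here to model the difok comparison (assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def class_counts(pw: str) -> dict:
    """Count characters per class; 'ocredit' covers everything not digit/upper/lower."""
    counts = {opt: sum(c in chars for c in pw) for opt, chars in CLASSES.items()}
    counts["ocredit"] = len(pw) - sum(counts.values())
    return counts


def check_password(new: str, old: str, policy: dict = POLICY) -> list:
    """Return the reasons the new password would be rejected (empty list = accepted)."""
    reasons = []
    score = len(new)  # minlen compares against length plus any positive credits
    for opt, count in class_counts(new).items():
        credit = policy[opt]
        if credit < 0 and count < -credit:
            # Negative credit: at least -credit characters of this class are mandatory.
            reasons.append(f"{opt}: need at least {-credit} of this class")
        elif credit > 0:
            # Positive credit: each such character (up to the credit) adds one to the score.
            score += min(count, credit)
    if score < policy["minlen"]:
        reasons.append(f"minlen: score {score} is below {policy['minlen']}")
    if edit_distance(old, new) < policy["difok"] and len(new) < 2 * len(old):
        reasons.append(f"difok: fewer than {policy['difok']} characters differ from the old password")
    return reasons
```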

Sample output (shown as screenshots in the original post):
[Screenshot: file content of /etc/pam.d/passwd]
[Screenshot: a user tries to change the password to one in a simple format and the new password is checked against the policy]