Setting Up Complex Password Requirements with PAM (Pluggable Authentication Modules)

Pluggable Authentication Modules (PAM) can be used to enforce password policies on Unix-like systems. They provide a number of options that can be used to customize the password policy.

Password policies are an important aspect of information security, as they help to ensure that users choose strong and secure passwords to protect their accounts and data. Pluggable Authentication Modules (PAM) are a widely used mechanism for enforcing password policies on Unix-like systems. In this article, we will discuss how to use PAM modules such as pam_pwquality and pam_cracklib to enforce password complexity requirements for LDAP accounts on a Unix-like system. We will also discuss the differences between pam_pwquality and pam_cracklib, and how to use them to meet the password policy requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Moderate baseline.

Defining Requirements Manually

The pam_pwquality.so module is a Pluggable Authentication Module (PAM) that can be used to enforce password policies on Unix-like systems. It provides a number of options that can be used to customize the password policy, including:

  • minlen: Sets the minimum password length.
  • dcredit: Sets the number of digits required in the password.
  • ucredit: Sets the number of uppercase characters required in the password.
  • ocredit: Sets the number of other characters required in the password (i.e., characters that are neither digits nor uppercase letters).
  • lcredit: Sets the number of lowercase characters required in the password.
  • minclass: Sets the minimum number of different character classes required in the password (i.e., digits, uppercase letters, and other characters).
  • maxrepeat: Sets the maximum number of times a character can be repeated in the password.
  • maxsequence: Sets the maximum length of a monotonic character sequence allowed in the password (e.g., "abc" or "1234").
  • gecoscheck: Enables or disables checking of the password against the user's GECOS field (i.e., the full name and other information stored in the /etc/passwd file).
  • dictionary: Specifies the path to a dictionary file to use for checking the password against a list of common words.

These options can be specified in the /etc/pam.d/common-password file or on the command line when running the pam-auth-update command. For example, to set the minimum password length to eight characters and the minimum number of different character classes to three, you can add minlen=8 minclass=3 to the pam_pwquality.so line in the /etc/pam.d/common-password file.

Deploying the Configuration to All Machines with Ansible

To create an Ansible playbook that sets the password policy for a Debian system to enforce an 8-character password, you can use the following steps:

  1. Create a new playbook file using your preferred text editor, such as vi or nano.
  2. In the playbook file, define the hosts that you want to apply the password policy to by using the hosts keyword. For example:

---
- hosts: all
  become: true
  tasks:

  3. Next, you can use the lineinfile module to update the /etc/pam.d/common-password file and set the pam_pwquality.so parameters to enforce a minimum password length of 8 characters. You can do this by adding the following task to your playbook, under the tasks key:

  - name: Set password policy
    lineinfile:
      path: /etc/pam.d/common-password
      regexp: '^password.*pam_pwquality.so'
      line: 'password        required        pam_pwquality.so minlen=8'

  4. Save the playbook file and then run it using the ansible-playbook command, specifying the playbook file as an argument. For example:

ansible-playbook password_policy.yml

This will apply the password policy to all the hosts defined in the hosts field of the playbook.

💡 This playbook assumes that you have already installed the pam-auth-update package on your Debian systems and that you have the become privilege to run the playbook as a superuser.

For more details, GO LEARN ANSIBLE!

Configuring PAM for NIST 800-53 Requirements

From here we can easily create a configuration to meet NIST 800-53 guidance. The NIST SP 800-53 Moderate baseline specifies a set of security controls and requirements for systems that handle sensitive, but unclassified information.

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 is a widely recognized set of guidelines for securing information systems and organizations. It includes a number of security controls that relate to password management, including:

  • CM-6: Use of passwords to authenticate users.
  • IA-5(1): Password management policy.
  • IA-5(2): Password complexity.
  • IA-5(3): Password expiration.

To meet the password policy requirements of the NIST SP 800-53 Moderate baseline using the pam_pwquality.so module, you can set the following options on the pam_pwquality.so line in /etc/pam.d/common-password: minlen=14 minclass=3 maxrepeat=2 maxsequence=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0.

This configuration specifies the following password policy requirements:

  • Minimum password length of 14 characters.
  • Minimum of 3 different character classes (digits, uppercase letters, and other characters).
  • Maximum of 2 repeated characters.
  • Maximum of 3 characters in a monotonic sequence.
  • No minimum requirement for digits, uppercase letters, lowercase letters, or other characters.
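Both policies discussed in this article (the minlen=8 minclass=3 line from the earlier section and the NIST Moderate settings just listed) can be exercised offline with the checker below. This is an added illustration, not libpwquality's own code: it re-implements the minlen/credit, minclass, maxrepeat and maxsequence semantics documented in the pam_pwquality man page using libpwquality's four character classes (digits, uppercase, lowercase, other), leaves out the dictionary, GECOS and similarity checks, and the function and constant names are my own.

```python
import re

# Policy lines from the article (values as the page gives them): the NIST 800-53
# Moderate settings and the earlier minlen=8 minclass=3 example.
NIST_MODERATE = ("minlen=14 minclass=3 maxrepeat=2 maxsequence=3 "
                 "dcredit=0 ucredit=0 lcredit=0 ocredit=0")
BASIC = "minlen=8 minclass=3"

# libpwquality's four character classes, each paired with its credit option.
CLASSES = {"digit": (str.isdigit, "dcredit"), "upper": (str.isupper, "ucredit"),
           "lower": (str.islower, "lcredit"), "other": (lambda c: not c.isalnum(), "ocredit")}

def parse_policy(args):
    """Parse 'key=value key=value ...' module arguments into {key: int}."""
    return {k: int(v) for k, _, v in (t.partition("=") for t in args.split())}

def longest_sequence(password):
    """Longest run stepping +1 or -1 in one direction, e.g. 'abcd' or '4321' -> 4."""
    best, run, direction = 1, 1, 0
    for prev, cur in zip(password, password[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1) and direction in (0, step):
            run, direction = run + 1, step
        else:  # run broken: a +-1 step starts a new 2-char run, anything else resets
            run, direction = (2, step) if step in (1, -1) else (1, 0)
        best = max(best, run)
    return best

def check_password(password, policy):
    """Return the violated option names; an empty list means the password is accepted."""
    p, failures = parse_policy(policy), []
    counts = {n: sum(1 for c in password if ok(c)) for n, (ok, _) in CLASSES.items()}
    score = len(password)  # length score: positive credits add to it, capped at the credit
    for name, (_, opt) in CLASSES.items():
        credit = p.get(opt, 0)
        if credit > 0:
            score += min(counts[name], credit)
        elif credit < 0 and counts[name] < -credit:  # negative credit = minimum count
            failures.append(opt)
    if score < p.get("minlen", 0):
        failures.append("minlen")
    if sum(1 for n in counts.values() if n) < p.get("minclass", 0):
        failures.append("minclass")
    # maxrepeat=N rejects more than N identical consecutive characters; 0 disables it
    if p.get("maxrepeat", 0) > 0 and re.search(r"(.)\1{%d,}" % p["maxrepeat"], password):
        failures.append("maxrepeat")
    if p.get("maxsequence", 0) > 0 and longest_sequence(password) > p["maxsequence"]:
        failures.append("maxsequence")
    return failures
```

Running check_password("Abcdefgh12345!!!", NIST_MODERATE) returns ["maxrepeat", "maxsequence"], which shows why the two extra options matter: the password passes minlen and minclass yet is still rejected.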

To fully support the password management security controls in the NIST SP 800-53, you may need to use additional tools or measures in addition to the pam_pwquality.so module. For example, you could use a password expiration tool such as passwd or chage to enforce password expiration policies, or you could use a password management tool such as pam_cracklib or pam_pwhistory to provide additional password policy options and checks.

Should I Use pam_cracklib or pam_pwquality?

The pam_cracklib and pam_pwquality modules are both Pluggable Authentication Modules (PAM) that can be used to enforce password policies on Unix-like systems. Both modules provide a number of options for customizing the password policy, including options for setting minimum password length, minimum and maximum repeat counts, and minimum requirements for different character classes.

However, there are some differences between the two modules:

  • pam_cracklib is based on the cracklib library, which was developed to check passwords against a dictionary of common words and generate "hints" for creating stronger passwords. pam_pwquality, on the other hand, is based on the libpwquality library, which was developed to provide a more comprehensive set of password policy options and checks.
  • pam_cracklib provides options for checking passwords against a dictionary file and rejecting common words, while pam_pwquality does not have a built-in dictionary check. However, pam_pwquality does provide the dictionary option, which allows you to specify a path to a dictionary file to use for checking the password.
  • pam_cracklib provides the reject_username option, which allows you to reject passwords that are based on the user's username. pam_pwquality does not have a similar option.
  • pam_pwquality provides the gecoscheck option, which allows you to check the password against the user's GECOS field (i.e., the full name and other information stored in the /etc/passwd file) and reject the password if it matches any of the words or phrases in the GECOS field. pam_cracklib does not have a similar option.

In general, pam_pwquality provides a more comprehensive set of password policy options and checks than pam_cracklib. However, pam_cracklib may be a good choice if you only need to enforce a basic password policy and want to check passwords against a dictionary of common words. You can use either module, or a combination of both, to enforce password policies on your system.

PAM Modules Can Enforce Upstream Password Requirements to an LDAP Server

A Pluggable Authentication Module (PAM) can enforce password complexity requirements for LDAP accounts on Linux systems. To do this, you can use a PAM module such as pam_pwquality or pam_cracklib that provides options for setting password complexity requirements. You will need to include the PAM module in the system's authentication configuration, typically by modifying the /etc/pam.d/common-password file or by using the pam-auth-update command.

When a user changes their password on a Linux system, the system's authentication process typically includes the following steps:

  1. The user enters their current password and the new password.
  2. The new password is passed to the PAM modules specified in the system's authentication configuration.
  3. The PAM modules check the new password against the password policy requirements and either accept or reject the password.
  4. If the password is accepted, the system updates the password on the local system and, if necessary, on the LDAP server.

So, if you use a PAM module such as pam_pwquality or pam_cracklib to enforce password complexity requirements, the requirements will be checked before the password is changed on the LDAP server. If the password does not meet the requirements, the PAM module will reject the password and the user will need to choose a new password that meets the requirements.

In Conclusion ...

In conclusion, PAM modules such as pam_pwquality and pam_cracklib are powerful tools for enforcing password policies on Unix-like systems. They provide a range of options for customizing the password policy, including options for setting minimum password length, minimum and maximum repeat counts, and minimum requirements for different character classes. By using PAM modules to enforce password complexity requirements, you can help to ensure the security and strength of passwords on your system.

To learn more about PAM modules and password policy management, you can refer to the following resources:

  • The man pages for pam_pwquality and pam_cracklib, which provide detailed documentation for these modules.
  • The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, which provides guidelines for securing information systems and organizations.
  • The pam and pam-auth-update man pages, which provide information on how to use PAM modules and manage the system's authentication configuration.

By following best practices and using appropriate tools and measures, you can help to ensure the security and strength of passwords on your system and protect your accounts and data from unauthorized access.

You can find me on Mastodon at @mojoology@mastodon.social.