Enforcing password complexity on CentOS

The pam_pwquality module (the successor of pam_cracklib) checks a new password against a set of rules. It first checks whether the password appears in a dictionary; if it does not, it continues with the remaining checks.

The defaults live in /etc/security/pwquality.conf, but any option placed on the pam_pwquality.so line in /etc/pam.d/system-auth overrides the value from that file.

To add password policies, append the options you need to the pam_pwquality.so line in system-auth:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
  • minlen – minimum password length
  • lcredit – minimum number of lowercase letters
  • ucredit – minimum number of uppercase letters
  • dcredit – minimum number of digits
  • ocredit – minimum number of special characters

In this case, -1 means that the password must contain at least one character of that class; -2 would require two, and so on. You can change this number as you prefer, but keep it negative: a positive value does not require the class at all, it only grants a credit towards minlen for passwords that contain it.

If you need to enforce the policies even for the root user, use the enforce_for_root option.
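The following shell script is an added example, not part of the original post: it applies the minlen rule and the negative-credit rules above to a candidate password the way pam_pwquality interprets them, so you can see which rule a password would trip before rolling the policy out. It models only the negative-credit meaning (positive credits and the dictionary check are left out); the sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximate pam_pwquality's minlen and negative credit
# checks in plain POSIX sh. Negative credits mean "at least N characters of
# this class"; positive credits and dictionary checks are not modelled.

# count_class PASSWORD SET: number of characters of PASSWORD that are in the
# tr(1) character set SET (for example 'a-z').
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# count_other PASSWORD: characters that are neither letters nor digits.
count_other() {
    printf '%s' "$1" | LC_ALL=C tr -d 'a-zA-Z0-9' | wc -c | tr -d ' '
}

# need CREDIT: a credit of -N means "at least N"; 0 or positive means no minimum.
need() {
    if [ "$1" -lt 0 ]; then echo $(( 0 - $1 )); else echo 0; fi
}

# pwq_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Prints the first violated rule and returns 1; prints "ok" and returns 0
# when every rule passes.
pwq_check() {
    pw=$1; minlen=$2
    lc=$(need "$3"); uc=$(need "$4"); dc=$(need "$5"); oc=$(need "$6")
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    [ "$len" -ge "$minlen" ] || { echo "minlen: $len < $minlen"; return 1; }
    [ "$(count_class "$pw" 'a-z')" -ge "$lc" ] || { echo "lcredit: fewer than $lc lowercase"; return 1; }
    [ "$(count_class "$pw" 'A-Z')" -ge "$uc" ] || { echo "ucredit: fewer than $uc uppercase"; return 1; }
    [ "$(count_class "$pw" '0-9')" -ge "$dc" ] || { echo "dcredit: fewer than $dc digits"; return 1; }
    [ "$(count_other "$pw")" -ge "$oc" ] || { echo "ocredit: fewer than $oc special"; return 1; }
    echo "ok"
    return 0
}

# Constructed sample passwords, checked against the policy from the post:
# minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
for pw in 'correct-horse-battery' 'Correct-Horse-Battery-9' 'short1A!'; do
    printf '%-26s ' "$pw"
    pwq_check "$pw" 16 -1 -1 -1 -1 || true
done
```

To test a password against the live configuration (dictionary check included) use pwscore from the libpwquality package, which reads /etc/security/pwquality.conf; the script above is only for reasoning about the credit arithmetic.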

You can also add policies using the authconfig command:

authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --update

Note that authconfig --update regenerates /etc/pam.d/system-auth-ac (which system-auth links to), so it discards options you added to that line by hand. Pick one of the two methods and stick with it.

Reset root password on CentOS

In the GRUB menu, select the kernel to edit and press e.

Go to the line starting with linux16 and append rd.break. You can remove rhgb quiet to see the boot messages. Press Ctrl+x to boot with the modified line: rd.break interrupts the boot inside the initramfs and gives you a shell while the real root filesystem is still mounted read-only under /sysroot.

At that shell, run mount -o remount,rw /sysroot to make the real root filesystem writable, then chroot /sysroot to treat it as the root directory.

Use passwd to change the root password, or pam_tally2 to unlock the account if it was locked after too many failed logins.

Run touch /.autorelabel so that SELinux relabels the whole filesystem on the next boot (the equivalent of running restorecon on everything). This matters because passwd ran without the SELinux policy loaded, so the rewritten /etc/shadow would otherwise carry the wrong context and logins could fail.

Exit the chroot, then exit the shell, and the system continues booting (the relabel triggers one more reboot). Anyone with console access and no GRUB password can do exactly the same, so treat unattended console access as equivalent to root.

Using sudo without password

When you issue a sudo command you are asked to type your password before it runs, and this can be quite annoying, especially for people like me who open a terminal every 3 minutes and don't want to log in as root every time.

To solve this "problem" you need to edit sudo's configuration file, /etc/sudoers, but editing it directly is not recommended. Use visudo instead: it edits a temporary copy of the sudoers file and checks it for syntax errors before saving, so a typo cannot lock you out of sudo.
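As an added example (not from the original post), the script below scans sudoers-style rules and reports NOPASSWD rules whose command list is ALL, the ones that drop the password check for every command rather than for a specific one. It works on a constructed sample file so it runs without touching /etc/sudoers; the usernames and rules in the sample are made up.

```shell
#!/bin/sh
# Added example: report NOPASSWD rules that cover ALL commands. Works on any
# file in sudoers syntax; here it is driven by a constructed sample.

# write_sample FILE: write a constructed sudoers-style sample (not a real file).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sudoers file
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

# audit_nopasswd FILE: print every rule whose NOPASSWD tag applies to ALL.
# Returns 0 when no such rule exists, 1 when at least one was found.
audit_nopasswd() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;                 # skip blank lines and comments
        esac
        case "$line" in
            *NOPASSWD:*)
                cmds=${line##*NOPASSWD:}         # command list after the tag
                cmds=$(printf '%s' "$cmds" | tr -d ' \t')
                if [ "$cmds" = "ALL" ]; then
                    printf 'broad NOPASSWD rule: %s\n' "$line"
                    found=1
                fi ;;
        esac
    done < "$1"
    return $found
}

# Run the audit over the sample.
sample=$(mktemp)
write_sample "$sample"
audit_nopasswd "$sample" || true
rm -f "$sample"
```

Before installing a rule of your own, check the file with visudo -cf FILE, which parses it the same way visudo does when saving; a NOPASSWD entry limited to the one command you actually need (like the rsync line in the sample) keeps the convenience without turning the account into passwordless root.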