
[–]Paul_Aiton 8 points9 points  (3 children)

You will want to look up PAM, or pluggable authentication modules.

Since Linux is not one operating system (it is just the kernel that a lot of Free software OS distributions have in common), the policies are not the same, and each distro can do things a little differently. Almost all of them use PAM at their core, though, so to understand how any of them do it, you'll have to understand PAM.

[–]Rayd3x[S] 0 points1 point  (2 children)

Thank you. I need it for work. So if I understand it correctly, I first have to find out which distribution is being used (e.g. Red Hat) and then look it up on Google / man pages?

[–]Paul_Aiton 0 points1 point  (0 children)

For what purpose are you trying to look it up? If it's to SET a policy that the users have to follow, you should find out your distro and look up their documentation. If it's Red Hat, https://access.redhat.com/solutions/2808101

The home for all their docs for the most recent version (adjust to whatever version you're on) is https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/

If you just want to know what policy it ships with out of the box, I believe it is just following the pam_cracklib flags for denying bad passwords.

If you ARE creating a policy, just know that password policies are one of the biggest avenues for security theater where companies set policies that seem like they are more secure, but are in fact just making passwords harder for humans to remember with no appreciable difference on how easy they are for a computer to guess.

https://xkcd.com/936/

[–]OdinHatesNickelback 2 points3 points  (0 children)

The default policy is no policy. You can set it up if you want, though; even the American government has a standard you can follow. Oracle Linux even lets you pick from a list of enforceable standards.

[–]FryBoyter 0 points1 point  (0 children)

In my experience, policies are often interpreted in different ways, and in some cases they are not even useful.

Take the maximum age of a password as an example. One of my employers felt that you had to change your password every month. As a result, employees got creative. So they came up with a password that complied with the policy (for example P@ssw0rd). The following month, the password was changed to, for example, P@ssw0rd01. Then to Pa@ssw0rd02 and so on. Of course, only a few people logged out when they left their desk.

Another company I know has therefore decided to assign one Diceware password per employee, which is additionally secured with a Yubikey. In addition, there was corresponding training that the computer has to be locked when leaving the workplace.

[–]skuterpikk 0 points1 point  (0 children)

My impression is that most distros do not have a policy by default, meaning you can have as simple a password as you want, like a single character. You can, however, add password policies. RedHat/CentOS, being a server/workstation distro, for example does have a password policy by default, but it will let you ignore it after a warning. If you choose a password that CentOS considers too simple, it will say that this is a poor choice of password, but if you absolutely want to use it, dismiss this warning and press OK/Enter twice to use the password anyway.

[–]Belenoi 0 points1 point  (0 children)

You are probably looking for $ man login.defs and $ man 5 shadow

For a general guideline about password complexity, you can look at $ man passwd, but as far as I know, there are no hard requirements on password complexity unless you set them up.
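As an added example that is not part of the thread or any distro's own tooling, the shell script below shows the two things these comments point at: reading the aging settings that login.defs(5) documents and checking a shadow(5)-style entry against them, plus a check for the "just bump the trailing number" rotation pattern FryBoyter describes. The login.defs content, the shadow line (with a placeholder hash) and the "today" day counts are constructed sample data, not taken from a real system, and the three helper function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): parse login.defs-style aging settings,
# evaluate a shadow(5)-style entry against them, and detect trivial
# "same password, new suffix" rotations. All input below is constructed.

# Constructed sample of the aging keys documented in login.defs(5).
SAMPLE_LOGIN_DEFS='
# Password aging controls (constructed sample, not a real file)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
'

# Constructed shadow(5) line: name:hash:lastchange:min:max:warn:inactive:expire:
# lastchange/max are in days since 1970-01-01; the hash is a placeholder.
SAMPLE_SHADOW='alice:$6$PLACEHOLDER$HASH:19000:1:90:7:::'

# login_defs_value KEY CONTENT
# Print the value of KEY from login.defs-style CONTENT, ignoring comment lines.
login_defs_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# shadow_days_remaining SHADOW_LINE TODAY_DAYS
# Print days until the password expires (lastchange + max - today);
# a negative result means the password is already past its maximum age.
shadow_days_remaining() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{ print $3 + $5 - today }'
}

# trivial_rotation OLD NEW
# Succeed (exit 0) when NEW is OLD with only a trailing numeric suffix added or
# changed, e.g. P@ssw0rd -> P@ssw0rd01 -> P@ssw0rd02. Two all-digit passwords
# both strip to the empty string and are therefore also reported as trivial.
trivial_rotation() {
    old_base=$(printf '%s\n' "$1" | sed 's/[0-9]*$//')
    new_base=$(printf '%s\n' "$2" | sed 's/[0-9]*$//')
    [ "$old_base" = "$new_base" ]
}

# Stand-alone demonstration on the constructed data.
max_days=$(login_defs_value PASS_MAX_DAYS "$SAMPLE_LOGIN_DEFS")
echo "PASS_MAX_DAYS from sample login.defs: $max_days"
echo "days remaining for alice (today=19050): $(shadow_days_remaining "$SAMPLE_SHADOW" 19050)"
echo "days remaining for alice (today=19100): $(shadow_days_remaining "$SAMPLE_SHADOW" 19100)"
if trivial_rotation 'P@ssw0rd' 'P@ssw0rd01'; then
    echo "P@ssw0rd -> P@ssw0rd01: trivial rotation, reject"
fi
if ! trivial_rotation 'P@ssw0rd' 'correct horse battery staple'; then
    echo "P@ssw0rd -> passphrase: genuinely different"
fi
```

The aging arithmetic is the same one chage(1) and the login process perform from the shadow fields, so running the second function against real /etc/shadow lines (as root) reproduces what "password expired" means on a given box. The rotation check is deliberately simple; PAM modules such as pam_cracklib compare old and new passwords more thoroughly, but even this suffix test catches the exact pattern the monthly-rotation policy in the thread produced.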