How to Enforce Password Expiration and Complexity on Linux Systems
Learn how to configure password aging and enforce complexity rules on Linux by editing /etc/login.defs and /etc/pam.d/system-auth, including setting maximum password age, minimum length, character class requirements, and preventing reuse of recent passwords, with practical sed commands and example configurations for CentOS 6 and 7.
Password Expiration on Linux
You can control password aging through the /etc/login.defs file. Set variables such as PASS_MAX_DAYS (maximum days a password may be used), PASS_MIN_DAYS (minimum days between changes), and PASS_WARN_AGE (days before expiration to warn the user).
sudo vi /etc/login.defs

PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# These settings require users to change passwords every 6 months and warn them 7 days in advance.

Default values are PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_MIN_LEN 5, PASS_WARN_AGE 7. Recommended values are PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 6, PASS_WARN_AGE 7.
You can modify these settings with sed commands, for example:

sed -r -i 's/(PASS_MAX_DAYS)\s+([0-9]+)/\1 90/' /etc/login.defs
# sets the maximum password age to 90 days

sed -r -i 's/(PASS_MIN_LEN)\s+([0-9]+)/\1 13/' /etc/login.defs
# changes the minimum password length to 13 characters
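The sed one-liners above only rewrite a key that is already active in the file. The following script is an added example, not code from the article, that sets a login.defs key idempotently: it rewrites an active line, uncomments a commented-out setting such as "#PASS_MIN_LEN 5", or appends the key if it is missing. It runs against a constructed sample file; the user name "alice" in the chage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article: set a key in a login.defs-style file
# idempotently. Usage: set_login_def FILE KEY VALUE
set_login_def() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]+" "$file"; then
        # active line present: rewrite its value in place
        sed -r -i "s/^([[:space:]]*$key)[[:space:]]+.*/\1 $value/" "$file"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$key[[:space:]]+[0-9]+[[:space:]]*$" "$file"; then
        # only a commented-out numeric setting ("#PASS_MIN_LEN 5"): uncomment
        # and set it; descriptive comments that mention the key are left alone
        sed -r -i "s/^[[:space:]]*#[[:space:]]*($key)[[:space:]]+[0-9]+[[:space:]]*$/\1 $value/" "$file"
    else
        # key absent: append it
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY -> current active value, or nothing if unset
get_login_def() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample login.defs (not a real system file)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
#PASS_MIN_LEN   5
PASS_WARN_AGE   7
EOF

# Apply the article's recommended aging values plus the 13-character minimum
set_login_def "$SAMPLE" PASS_MAX_DAYS 90
set_login_def "$SAMPLE" PASS_MIN_DAYS 0
set_login_def "$SAMPLE" PASS_MIN_LEN 13
set_login_def "$SAMPLE" PASS_WARN_AGE 7

for k in PASS_MAX_DAYS PASS_MIN_DAYS PASS_MIN_LEN PASS_WARN_AGE; do
    echo "$k=$(get_login_def "$SAMPLE" "$k")"
done

# login.defs only seeds accounts created afterwards (useradd); existing
# accounts keep their /etc/shadow aging fields. To push the same maximum age
# and warning period onto an existing user "alice" (placeholder name), run:
#   chage -M "$(get_login_def /etc/login.defs PASS_MAX_DAYS)" \
#         -W "$(get_login_def /etc/login.defs PASS_WARN_AGE)" alice
#   chage -l alice   # verify the new expiry
rm -f "$SAMPLE"
```

Two caveats worth keeping in mind: PASS_MAX_DAYS and PASS_WARN_AGE from login.defs apply only to accounts created after the change, so existing users need chage as shown in the comment; and on PAM-based systems such as CentOS the PASS_MIN_LEN value in login.defs is not consulted for password changes, the effective minimum length comes from the minlen option of pam_cracklib or pam_pwquality described in the next section.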
Password Complexity Rules on Linux
Complexity requirements are enforced via the PAM configuration file /etc/pam.d/system-auth. On CentOS 6 the pam_cracklib.so module is used; on CentOS 7 the pam_pwquality.so module is preferred.
# Example for CentOS 6
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-2 lcredit=-4 dcredit=-1 ocredit=-1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5

Key parameters:

retry=3 – number of attempts allowed for login or password change failures.
minlen=8 – minimum password length.
ucredit=-2 – at least two uppercase letters required.
lcredit=-4 – at least four lowercase letters required.
dcredit=-1 – at least one digit required.
ocredit=-1 – at least one special character required.
remember=5 – prevents reuse of the last five passwords.
Additional options include difok=N (minimum number of different characters from the old password), minclass=N (minimum number of character classes), and others.
To forbid reuse of recent passwords, ensure the line containing pam_unix.so includes remember=5. Example:

sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

To set a minimum length with class requirements, use:

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10

For a typical complexity policy on CentOS 7, edit the file to include:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
# or
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

These settings enforce a minimum length, require at least one uppercase letter, one lowercase letter, one digit, and one special character, and apply the policy to the root account as well.
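Once the policy is in place, it is worth being able to check a system-auth file mechanically rather than by eye. The script below is an added example, not code from the article: it parses the "password" stack, picks pam_pwquality.so (CentOS 7) or falls back to pam_cracklib.so (CentOS 6), and reports whether minlen, the four credit options, enforce_for_root and remember= meet the thresholds you pass in. It assumes a simple control keyword (requisite, sufficient, ...) as in the article's lines, reads only the first active line per module, and runs against two constructed sample stacks rather than a real system file.

```shell
#!/bin/sh
# Added example, not from the article: audit the "password" stack of a
# system-auth style file against minimum thresholds.

# pam_param FILE MODULE NAME -> value of NAME=value on the first active
# "password <control> MODULE" line; prints nothing if absent
pam_param() {
    awk -v mod="$2" -v name="$3" '
        /^[[:space:]]*#/ { next }
        $1 == "password" && $3 == mod {
            for (i = 4; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == name) { print kv[2]; exit }
            }
        }' "$1"
}

# pam_has_flag FILE MODULE FLAG -> exit 0 if the bare FLAG is on that line
pam_has_flag() {
    awk -v mod="$2" -v flag="$3" '
        /^[[:space:]]*#/ { next }
        $1 == "password" && $3 == mod {
            for (i = 4; i <= NF; i++) if ($i == flag) { found = 1; exit }
        }
        END { exit !found }' "$1"
}

# audit_password_policy FILE MIN_LEN MIN_REMEMBER -> exit 0 when compliant,
# otherwise prints each finding and exits 1
audit_password_policy() {
    file=$1; want_len=$2; want_remember=$3; rc=0
    # CentOS 7 uses pam_pwquality.so, CentOS 6 pam_cracklib.so
    mod=pam_pwquality.so
    grep -Eq "^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+$mod" "$file" \
        || mod=pam_cracklib.so
    minlen=$(pam_param "$file" "$mod" minlen)
    if [ -z "$minlen" ]; then
        echo "$mod: no minlen set"; rc=1
    elif [ "$minlen" -lt "$want_len" ]; then
        echo "$mod: minlen=$minlen below required $want_len"; rc=1
    fi
    for c in lcredit ucredit dcredit ocredit; do
        v=$(pam_param "$file" "$mod" "$c")
        # only a negative credit is a required minimum count; zero, positive
        # or unset merely rewards that class when scoring the length
        case "$v" in
            -*) ;;
            *)  echo "$mod: $c=${v:-unset}, class not required"; rc=1 ;;
        esac
    done
    if ! pam_has_flag "$file" "$mod" enforce_for_root; then
        echo "$mod: enforce_for_root missing, root bypasses the policy"; rc=1
    fi
    remember=$(pam_param "$file" pam_unix.so remember)
    if [ -z "$remember" ]; then
        echo "pam_unix.so: no remember=, password history not enforced"; rc=1
    elif [ "$remember" -lt "$want_remember" ]; then
        echo "pam_unix.so: remember=$remember below required $want_remember"; rc=1
    fi
    return $rc
}

# Constructed sample stacks (not real system files)
WEAK=$(mktemp); STRONG=$(mktemp)
cat > "$WEAK" <<'EOF'
# stock-looking CentOS 7 stack: no length or class rules, no history, root exempt
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
cat > "$STRONG" <<'EOF'
# the article's CentOS 7 policy plus remember=5 on pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF

echo "== weak sample =="
audit_password_policy "$WEAK" 12 5 || echo "-> NON-COMPLIANT"
echo "== strong sample =="
audit_password_policy "$STRONG" 12 5 && echo "-> compliant"
rm -f "$WEAK" "$STRONG"
```

Run it against a copy of /etc/pam.d/system-auth with the thresholds your policy requires (for the article's CentOS 7 line: 12 and 5). Because the check keys on the first active line per module, a second pam_unix.so or pam_pwquality.so line lower in the stack is not examined; if your distribution's stack is more elaborate, extend the awk to read every matching line.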
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.