19th June 2008
hopla

Quote:
Originally Posted by coppermine
1) really strong passwords. At least 10 chars with big and small letters + numbers. Any user who actively refuses to obey this is excluded from being able to log in from outside

I use pam_passwdqc to enforce strong passwords. It's in the base system (man pam_passwdqc).

I enable it by adding this line to /etc/pam.d/sshd (it's the 3rd line; the others are already there):

Quote:
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password requisite pam_passwdqc.so enforce=everyone min=disabled,8,8,8,8
password required pam_unix.so no_warn try_first_pass

See the man page for the meaning of the options and more.

And in /etc/adduser.conf I set:
Quote:
passwdtype=random
upwexpire=0-0-0

Then when I create a new user I get a random password (by default) I can give to him. And when the user first logs in with it, he must immediately change it since it's expired (upwexpire). He can then only change it to a password that is strong enough according to the rules set with pam_passwdqc.

Last edited by hopla; 19th June 2008 at 09:49 AM.
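
Added example, not part of hopla's post: a small Python audit of the password stack shown above. It checks that pam_passwdqc.so is present, sits before pam_unix.so with a blocking control flag, uses enforce=everyone, and that no enabled min= length falls below a floor. The sample text is constructed from the post's lines; the function names and the floor of 8 are assumptions made for this illustration.

```python
# Constructed sample: the password stack from the post's /etc/pam.d/sshd.
SAMPLE = """\
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password requisite pam_passwdqc.so enforce=everyone min=disabled,8,8,8,8
password required pam_unix.so no_warn try_first_pass
"""

# Order of the five min= fields, as documented in pam_passwdqc(8).
KINDS = ("1 class", "2 classes", "passphrase", "3 classes", "4 classes")

def password_stack(text):
    """Return (control, module, options) for each active 'password' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 3 and fields[0] == "password":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return stack

def audit(text, floor=8):
    """List findings; an empty list means the stack matches the post's setup.
    floor is an assumed minimum length, taken from the post's min= values."""
    stack = password_stack(text)
    modules = [m for _, m, _ in stack]
    if "pam_passwdqc.so" not in modules:
        return ["pam_passwdqc.so is not in the password stack"]
    findings = []
    idx = modules.index("pam_passwdqc.so")
    control, _, options = stack[idx]
    if "pam_unix.so" in modules and idx > modules.index("pam_unix.so"):
        findings.append("pam_passwdqc.so comes after pam_unix.so")
    if control not in ("requisite", "required"):
        findings.append(f"control '{control}' does not block a rejected password")
    opts = dict(o.split("=", 1) for o in options if "=" in o)
    if opts.get("enforce", "everyone") != "everyone":
        findings.append(f"enforce={opts['enforce']} does not bind every user")
    mins = opts.get("min", "").split(",")
    if len(mins) != 5:
        findings.append("min= missing or malformed; check the module defaults")
        return findings
    for kind, value in zip(KINDS, mins):
        if value == "disabled":
            continue  # this kind of password is rejected outright
        if not value.isdigit() or int(value) < floor:
            findings.append(f"min for {kind} is {value}, below {floor}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "password stack OK")
```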