
We want to configure the following user password policy on our Ubuntu 22.04 server. I have referred to online documentation but have not found a consolidated guide that can help us implement the password policy on Ubuntu 22.04.

We followed the documentation to implement the steps on the server, but after applying the changes, users are either unable to access the server or the policy is not working as expected. Additionally, we installed the following package, but it did not work after making the necessary changes:

apt install libpam-pwquality

Adding more points: we made changes to the /etc/pam.d/common-auth file. However, after these changes, users are unable to access the server remotely.

  • Password Composition = alphanumeric and at least one special character
  • Minimum Password Length = 8
  • Minimum Password age = 1
  • Maximum Password age = 45
  • Password history = 5
  • Inactive timeout = maximum 15 minutes
  • Account lockout after 3 invalid attempts

We installed the pam_pwquality module (apt install libpam-pwquality) and made changes to the configuration file /etc/security/pwquality.conf for the password policy as per your given answer, but the password policy is not working as defined.

However, we found a workaround through libpam-cracklib. We installed this module and added the entry "password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root maxrepeat=0" in the /etc/pam.d/common-password file. This made our password policy work, but it did not work for the "Account lockout after 3 invalid attempts" policy.

For this password policy "Account lockout after 3 invalid attempts," we followed the below document and made changes to the file "/etc/pam.d/common-auth," but after making the changes, users were not able to log in to the server and were getting an "access denied" error.

I need my Ubuntu 22.04 profiles to lock after 20 unsuccessful attempts for a duration of 15 minutes.

Please check and suggest a consolidated solution to implement the mentioned password policy on Ubuntu 22.04. Also, let us know if any further information is required.


1 Answer


First, you should not use "online sources"; you should use the pam_pwquality man page and the pam_faillock man page.

Second, /etc/pam.d/common-auth is probably not the best place to change these settings. It would probably be better to change them in /etc/security/pwquality.conf which has existing templates you can just uncomment and change the numbers.

Next, I believe you are confusing the functionality of these two PAM modules. The module pam_pwquality does not affect login authentication at all. It won't lock out users. It only affects whether the system will accept a new password when a user is changing it, or whether it will tell the user their selected password doesn't have enough complexity.

The pam_faillock module is what locks users out. Both the placement order in the PAM config files and the options given in each location are critical. The options preauth, authfail and authsucc must be used in the right combination in the right places so that correct and incorrect password attempts are correctly tallied and cleared as a user attempts to log in. Failure to get this combination right can cause the system to count every login attempt (including successful ones) as a failed password attempt, increasing the fail tally every time, which will lock users out with no way to clear it.

As you have not included your exact pam configurations here, I can't make a suggestion as to what to change.

  • We installed the pam_pwquality module and made changes to the configuration file /etc/security/pwquality.conf for the password policy as per your given answer, but the password policy is not working as defined. apt install libpam-pwquality
    – Ak Singh
    Commented Jun 10 at 4:54
  • However, we found a workaround through libpam-cracklib. We installed this module and added the entry "password requisite pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root maxrepeat=0" in the /etc/pam.d/common-password file. This made our password policy work, but it did not work for the "Account lockout after 3 invalid attempts" policy.
    – Ak Singh
    Commented Jun 10 at 4:54
  • For this password policy "Account lockout after 3 invalid attempts," we followed the below document and made changes to the file "/etc/pam.d/common-auth," but after making the changes, users were not able to log in to the server and were getting an "access denied" error. askubuntu.com/questions/1467997/…
    – Ak Singh
    Commented Jun 10 at 4:55
  • Please check and suggest a consolidated solution to implement the mentioned password policy on Ubuntu 22.04. Also, let us know if any further information is required.
    – Ak Singh
    Commented Jun 10 at 4:55
  • Please update your question to include these details.
    – user10489
    Commented Jun 10 at 6:17
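The answer's point is about ordering, not about any single option, and the asker never posted the stack that locked everyone out. The following is an added example (not from the question, the answer, or the pam_faillock project) that audits a common-auth-style stack for exactly the mistakes described: authfail placed where it runs on every attempt, no success jump over it, and nothing that clears the tally. The two sample stacks are constructed here; the good one follows the layout pam_faillock(8) documents, the bad one is a plausible broken edit. The values deny=3 and unlock_time=900 (15 minutes) are assumptions taken from the policy listed in the question.

```python
"""Audit the pam_faillock placement in a common-auth-style PAM stack.

Added example (not from the question or the answer): it parses the 'auth'
and 'account' lines of a PAM stack and reports the ordering mistakes the
answer describes. Values deny=3 and unlock_time=900 (15 minutes) are taken
from the policy in the question; both sample stacks are constructed here.
"""
import re

# Constructed sample with the layout pam_faillock(8) documents: preauth before
# pam_unix, authfail only reached when pam_unix fails (the success=1 jump skips
# it), authsucc clearing the tally after a good password.
GOOD_STACK = """\
auth    required                    pam_faillock.so preauth silent deny=3 unlock_time=900
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail deny=3 unlock_time=900
auth    sufficient                  pam_faillock.so authsucc deny=3 unlock_time=900
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

# Constructed sample of the failure mode the answer warns about: authfail is
# 'required' and placed before pam_unix, so it runs on every attempt, and
# nothing ever clears the tally. Everyone ends up locked out.
BAD_STACK = """\
auth    required                    pam_faillock.so authfail deny=3 unlock_time=900
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
"""

LINE_RE = re.compile(r"^(auth|account)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*?)$")


def parse_stack(text):
    """Return (type, control, module, [args]) for each auth/account line, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries


def success_jump(control):
    """Number of modules a [success=N ...] control skips on success (0 if none)."""
    m = re.search(r"success=(\d+)", control)
    return int(m.group(1)) if m else 0


def check_faillock(text, deny, unlock_time):
    """Return a list of problems; an empty list means the stack looks sane."""
    entries = parse_stack(text)
    problems = []
    unix_idx = next((i for i, e in enumerate(entries)
                     if e[0] == "auth" and e[2] == "pam_unix.so"), None)
    if unix_idx is None:
        return ["no pam_unix.so line in the auth stack"]

    modes = {}  # preauth/authfail/authsucc -> (index, control)
    for i, (typ, control, module, args) in enumerate(entries):
        if typ != "auth" or module != "pam_faillock.so":
            continue
        for mode in ("preauth", "authfail", "authsucc"):
            if mode in args:
                modes[mode] = (i, control)
        # every faillock line must carry the same policy values
        for key, want in (("deny", deny), ("unlock_time", unlock_time)):
            if f"{key}={want}" not in args:
                problems.append(f"entry {i}: pam_faillock.so lacks {key}={want}")

    if "preauth" not in modes:
        problems.append("no preauth line: a locked account is not refused up front")
    elif modes["preauth"][0] > unix_idx:
        problems.append("preauth must come before pam_unix.so")

    if "authfail" not in modes:
        problems.append("no authfail line: failed attempts are never counted")
    else:
        fail_idx = modes["authfail"][0]
        unix_ctl = entries[unix_idx][1]
        # modules pam_unix jumps over when the password is correct
        skipped = range(unix_idx + 1, unix_idx + 1 + success_jump(unix_ctl))
        if fail_idx < unix_idx:
            problems.append("authfail runs before pam_unix.so, so every attempt, "
                            "successful ones included, raises the tally")
        elif unix_ctl != "sufficient" and fail_idx not in skipped:
            problems.append("pam_unix.so does not skip authfail on success, so "
                            "good logins are tallied as failures")

    # the tally can be cleared either by authsucc or by an account-phase line
    account_clears = any(e[0] == "account" and e[2] == "pam_faillock.so"
                         for e in entries)
    if "authsucc" in modes:
        if "authfail" in modes and modes["authsucc"][0] < modes["authfail"][0]:
            problems.append("authsucc must come after authfail")
    elif not account_clears:
        problems.append("no authsucc line and no account-phase pam_faillock.so: "
                        "the tally is never cleared after a good password")
    return problems


if __name__ == "__main__":
    for name, stack in (("good", GOOD_STACK), ("bad", BAD_STACK)):
        print(name, check_faillock(stack, deny=3, unlock_time=900) or "ok")
```

Run it against a copy of the intended /etc/pam.d/common-auth before installing the file, and keep a root shell open while testing on a second session: the bad sample is reported with three findings (no preauth, authfail before pam_unix, nothing clears the tally), which is the "every attempt counts as a failure" situation the answer describes. The check only covers ordering and option consistency; it is not a substitute for reading pam_faillock(8) and pam.conf(5) for the control-flag semantics.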
