Password Policy
Minimum Password Length
Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled by the pam_unix line in the file /etc/pam.d/common-password, which is outlined below.
password [success=1 default=ignore] pam_unix.so obscure sha512
To raise the minimum length to 8 characters, append minlen=8 to that line:
password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8
Two caveats apply. The obscure checks and minlen are enforced for non-root users only, so an administrator setting another user's password with sudo can still choose a shorter or weaker one. Also, the block of /etc/pam.d/common-password that contains this line is managed by pam-auth-update, and re-running that tool can overwrite a hand edit; the comment header in the file explains how to keep local changes.
Password Expiration
To easily view the current status of a user account, use the following syntax:
sudo chage -l <username>
The output looks like this:
Last password change : Jan 20, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To set any of these values, use the following syntax and follow the interactive prompts:
sudo chage <username>
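As an added example (not code from the Ubuntu guide), the following shell script turns the chage -l report above into an automated audit: it parses the fields chage prints and flags accounts whose ageing policy is weaker than a threshold. The thresholds MAX_DAYS and MIN_WARN, the user name "alice" and the sample report are this example's own choices; the report is the one shown above, embedded so the script runs without chage.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the ageing values that
# `chage -l <username>` prints and flag accounts that fall short of a chosen
# policy. MAX_DAYS and MIN_WARN are this example's own thresholds.
MAX_DAYS=90     # longest acceptable interval between password changes
MIN_WARN=7      # shortest acceptable warning period before expiry

# check_chage <username>   (reads one `chage -l` report on stdin)
# Prints one line per finding and returns 1 if there were any, else 0.
check_chage() {
    user=$1
    rc=0
    while IFS= read -r line; do
        value=${line#*: }            # text after the first ": "
        case $line in
            "Password expires"*)
                if [ "$value" = "never" ]; then
                    echo "$user: password never expires"
                    rc=1
                fi ;;
            "Maximum number of days between password change"*)
                if [ "$value" -gt "$MAX_DAYS" ]; then
                    echo "$user: max days between changes is $value (policy: $MAX_DAYS)"
                    rc=1
                fi ;;
            "Number of days of warning before password expires"*)
                if [ "$value" -lt "$MIN_WARN" ]; then
                    echo "$user: warning period is $value days (policy: at least $MIN_WARN)"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample: the report shown in the guide, so this runs without chage.
SAMPLE_REPORT='Last password change : Jan 20, 2015
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7'

# sample_findings: run the check on the constructed report and print findings.
sample_findings() {
    printf '%s\n' "$SAMPLE_REPORT" | check_chage alice
}

# audit_all_users: the same check against every regular account on a live
# Ubuntu host (reading ageing data needs root). Offenders can be fixed without
# the interactive prompts, e.g.  sudo chage -M 90 -W 14 <username>
# (-M max days, -W warning days, -m min days, -E YYYY-MM-DD account expiry).
audit_all_users() {
    getent passwd | awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' |
    while read -r u; do
        chage -l "$u" | check_chage "$u"
    done
}

# Demo on the constructed sample: two findings for "alice".
sample_findings || true
```

On the sample report the check reports that the password never expires and that the maximum interval is 99999 days; the 7-day warning period passes because it meets the threshold exactly.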
SSH Access by Disabled Users
Disabling or locking an account does not by itself stop that user from logging in over SSH if they have previously set up public key authentication: they will still be able to gain shell access to the server, without the need for any password. Remember to check the user's home directory for files that allow this type of authenticated SSH access, e.g. /home/username/.ssh/authorized_keys, and remove or rename them. Also check for sessions the disabled user already has open and terminate them:
who | grep username    (to get the pts/# terminal)
sudo pkill -f pts/#
Note that pkill -f matches the string pts/# anywhere on a process command line, so confirm what it would hit with pgrep -f first, or match on the controlling terminal instead with pkill -t pts/#.
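As an added example (not code from the Ubuntu guide), the script below automates the check described above: it reads a shadow file and a passwd file, and lists every account whose password hash is locked but which still has a non-empty authorized_keys file. The file paths are parameters so the same function runs on the constructed fixture here and on /etc/shadow and /etc/passwd on a live host; the user names, the placeholder key and the temporary directory layout are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: list accounts whose password
# is locked (hash field starts with "!", which is what passwd -l and usermod -L
# write) but that still have a non-empty ~/.ssh/authorized_keys, i.e. can still
# log in over SSH with a key. Takes the shadow and passwd files as parameters
# so it runs on constructed data here and on /etc/shadow, /etc/passwd (as root)
# on a live host. Hashes starting with "*" are deliberately not treated as
# locked: that is the "no password set" marker, common for key-only accounts.

# locked_with_keys <shadow-file> <passwd-file>
# Prints "<user> <authorized_keys path>" for each locked account with keys.
locked_with_keys() {
    shadow=$1; passwd=$2
    while IFS=: read -r user hash _rest; do
        case $hash in
            '!'*)
                home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd")
                keys="$home/.ssh/authorized_keys"
                if [ -s "$keys" ]; then
                    printf '%s %s\n' "$user" "$keys"
                fi ;;
        esac
    done < "$shadow"
}

# Constructed fixture in a temporary directory: three accounts, one of them
# (bob) locked with a key in place, one (carol) locked without a home.
# The key line is a placeholder, not a real public key.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob/.ssh"
    : > "$dir/home/alice/.ssh/authorized_keys"            # empty, harmless
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY bob@laptop' \
        > "$dir/home/bob/.ssh/authorized_keys"
    printf '%s\n' \
        'alice:$6$salt$hash:19000:0:99999:7:::' \
        'bob:!$6$salt$hash:19000:0:99999:7:::' \
        'carol:!:19000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' \
        "alice:x:1000:1000::$dir/home/alice:/bin/bash" \
        "bob:x:1001:1001::$dir/home/bob:/bin/bash" \
        "carol:x:1002:1002::$dir/home/carol:/bin/bash" > "$dir/passwd"
    echo "$dir"
}

# Once an offender is found: move the key file aside, expire the account so
# that PAM's account check rejects key logins too (usermod --expiredate 1
# <user>), and end any session that is still open:
#   who | grep <user>          # shows the pts/N terminal
#   sudo pkill -t pts/N         # match on the controlling terminal

# Demo on the fixture: prints "bob <tmpdir>/home/bob/.ssh/authorized_keys".
d=$(make_fixture)
locked_with_keys "$d/shadow" "$d/passwd"
rm -rf "$d"
```

Expiring the account rather than only locking the password matters because sshd on Ubuntu runs PAM's account stage for key-based logins as well, and pam_unix rejects an expired account regardless of how the user authenticated.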
Restrict SSH access
Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value of the AllowGroups directive in the file /etc/ssh/sshd_config:
AllowGroups sshlogin
Once AllowGroups is set, sshd refuses every account that is not in one of the listed groups (by primary or supplementary group membership), including root, so add the permitted users to the group before restarting the SSH service, and keep an existing session open until a fresh login has been confirmed to work.
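As an added example (not code from the Ubuntu guide), the script below performs a dry run of the AllowGroups change: given the directive's value and files in /etc/passwd and /etc/group format, it prints the users sshd would still admit, so the list can be reviewed before the SSH service is restarted. The fixture accounts and group names are constructed for the example, and wildcard patterns in AllowGroups are not modelled.

```shell
#!/bin/sh
# Added example, not part of the original guide: a dry run of who an
# AllowGroups line will admit, run before sshd is restarted so that the change
# can be reviewed without locking anyone out. It reads files in /etc/passwd and
# /etc/group format: sshd matches AllowGroups against the user's primary group
# (the GID in passwd) and supplementary groups (the member list in group).
# Wildcard patterns in AllowGroups are not handled here.

# allowed_users "<AllowGroups value>" <passwd-file> <group-file>
# Prints, one per line and sorted, every user in at least one listed group.
allowed_users() {
    glist=$1; passwd=$2; group=$3
    for g in $glist; do
        entry=$(awk -F: -v g="$g" '$1 == g' "$group")
        [ -n "$entry" ] || continue                  # unknown group admits nobody
        gid=$(printf '%s\n' "$entry" | cut -d: -f3)
        # users whose primary group is g
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd"
        # users listed as supplementary members of g
        printf '%s\n' "$entry" |
            awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
    done | LC_ALL=C sort -u
}

# Constructed fixture: an "sshlogin" group with one explicit member (alice)
# and one account (deploy) whose primary group it is; bob is in neither.
make_fixture() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'deploy:x:1002:2000::/srv/deploy:/bin/sh' > "$dir/passwd"
    printf '%s\n' \
        'root:x:0:' \
        'alice:x:1000:' \
        'bob:x:1001:' \
        'sshlogin:x:2000:alice' \
        'admins:x:2001:alice,bob' > "$dir/group"
    echo "$dir"
}

# Live rollout, as root, keeping your current SSH session open until the new
# configuration is confirmed to work from a fresh login:
#   groupadd sshlogin && usermod -aG sshlogin <username>
#   allowed_users sshlogin /etc/passwd /etc/group     # review the list
#   (add "AllowGroups sshlogin" to /etc/ssh/sshd_config)
#   sshd -t && systemctl restart ssh                  # syntax check, then apply

# Demo on the fixture: prints "alice" and "deploy"; bob and root are refused.
d=$(make_fixture)
allowed_users sshlogin "$d/passwd" "$d/group"
rm -rf "$d"
```

Running the dry run with the real files before editing sshd_config is the quickest way to notice that the administrator's own account is missing from the group.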