Setting up password policies on CentOS Linux hosts


I needed to set up password policies on a few CentOS 4.4 machines last week. The password policy needed to define the minimum length of a password, the number of days a password is valid, the strength of a password, and a warning period to alert individuals that their password is about to expire. Expiration data for each user is stored in their entry in /etc/shadow, and is initially populated based on the password aging settings in /etc/login.defs. Here is a list of password policies that I typically set in /etc/login.defs:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 60
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 10

The settings in /etc/login.defs are only consulted when an account is created, so changing them does nothing for accounts that already exist. For those accounts the chage command can be used to set the same aging values (maximum days, minimum days and warning period) directly in /etc/shadow. Also note that on PAM-based systems such as CentOS, PASS_MIN_LEN is not enforced by passwd; password length and strength are controlled by the PAM stack. To enforce strong passwords, you need to add the pam module pam_cracklib.so to the password management group in /etc/pam.conf (or the applicable service definition in /etc/pam.d, which on CentOS is system-auth) and set the minimum length there. Managing passwords is a pain, but it is one of the most important tasks in securing any server platform.
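The two checks a practitioner wants after doing the above are "which existing accounts still have aging that does not match login.defs?" and "is pam_cracklib actually in the password stack?". The following POSIX sh script is an added example and is not from the original post; it reads shadow-format and pam.d-format text passed in as arguments (the sample data below is constructed, with placeholder hashes), compares each account against the policy values from the post, and prints the chage commands needed to bring non-compliant accounts into line. Locked (`!`, `!!`) and disabled (`*`) accounts are skipped because aging is meaningless for them.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh and awk.
# Policy values mirror the /etc/login.defs settings shown above.
POLICY_MAX_DAYS=60
POLICY_MIN_DAYS=0
POLICY_WARN_AGE=10

# Constructed sample in /etc/shadow format (hashes are placeholders):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$1$abc$placeholder:13500:0:99999:7:::
alice:$1$def$placeholder:13500:0:60:10:::
bob:$1$ghi$placeholder:13500:0:90:7:::
nobody:*:13500:0:99999:7:::
carol:!!:13500:0:99999:7:::'

# Constructed sample of a CentOS-style /etc/pam.d/system-auth password stack.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
password    requisite     pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1
password    sufficient    pam_unix.so nullok use_authtok md5 shadow'

# Print "user max warn" for every account with a real password hash whose
# aging fields (min, max, warn) differ from the policy.
audit_shadow() {
  printf '%s\n' "$1" | awk -F: \
    -v max="$POLICY_MAX_DAYS" -v min="$POLICY_MIN_DAYS" -v warn="$POLICY_WARN_AGE" '
    # Skip empty, locked (! or !!) and disabled (*) password fields.
    $2 == "" || $2 ~ /^[!*]/ { next }
    ($5 != max) || ($4 != min) || ($6 != warn) { print $1, $5, $6 }
  '
}

# Emit the chage invocation that fixes each non-compliant account.
# -M maximum days, -m minimum days, -W warning days.
fix_commands() {
  audit_shadow "$1" | awk \
    -v max="$POLICY_MAX_DAYS" -v min="$POLICY_MIN_DAYS" -v warn="$POLICY_WARN_AGE" \
    '{ printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1 }'
}

# Return 0 when the password stack loads pam_cracklib with an explicit minlen,
# 1 otherwise. Matches both bare module names and the full
# /lib/security/$ISA/pam_cracklib.so form used by older CentOS releases.
pam_has_cracklib() {
  printf '%s\n' "$1" | awk '
    $1 == "password" && $3 ~ /pam_cracklib\.so$/ && /minlen=/ { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Stand-alone run against the constructed samples.
echo "Accounts out of policy (user max warn):"
audit_shadow "$SAMPLE_SHADOW"
echo "Commands to fix them:"
fix_commands "$SAMPLE_SHADOW"
if pam_has_cracklib "$SAMPLE_PAM"; then
  echo "pam_cracklib with minlen is present in the password stack"
else
  echo "WARNING: pam_cracklib with minlen is missing from the password stack"
fi
```

On a real host, run it as root with `audit_shadow "$(cat /etc/shadow)"` and `pam_has_cracklib "$(cat /etc/pam.d/system-auth)"`; review the generated chage lines before executing them, since forcing a 60-day maximum onto an account whose last change was long ago will expire it immediately.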

This article was posted by Matty on 2006-12-24 12:22:00 -0400 -0400