000017152 - How to change the OS user password policies on the DPM appliance?

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000017152
Applies To: RSA Data Protection Manager appliance
Issue: How to change the OS user password policies on the DPM appliance?
DPM appliance OS users do not meet password policies
Resolution: Example of changing the minimum and maximum password ages for root, cliadmin and ftpuser, so that each user must change their password every 60 days, with 3 days of warning:
1. Log in as root
2. Enter the following:
chage -m 0 -M 60 -W 3 root
chage -m 0 -M 60 -W 3 cliadmin
chage -m 0 -M 60 -W 3 ftpuser
Modify password and account policies
1. Log in as root
2. Modify the system-auth file to match changes in bold below:
vi /etc/pam.d/system-auth

auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5 even_deny_root_account
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_tally.so reset
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=5
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so


To remove the password expiration policy, you can use the interactive mode of chage as follows. Use -1 for "Undefined".

key:~ # chage cliadmin
Changing aging information for cliadmin.
Minimum Password Age [1]: -1
Maximum Password Age [90]: -1
Password Expiration Warning [14]: -1
Password Inactive [-1]: -1
Last Password Change (YYYY-MM-DD) [2013-08-12]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Aging information changed.
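
To confirm that the chage settings above took effect, and to spot accounts whose aging was later set to "Undefined" with -1, the aging fields in /etc/shadow can be checked against the policy. The script below is an added example, not part of the original article or of the DPM appliance; the function names and the sample records are constructed for illustration, and it assumes the standard shadow layout name:hash:lastchg:min:max:warn:inactive:expire:reserved.

```shell
#!/bin/bash
# Added example: audit shadow-format records against the aging policy set by
# `chage -m 0 -M 60 -W 3`.
REQ_MAX=60    # maximum password age from the article's example
REQ_WARN=3    # warning days from the article's example

# audit_aging USER... : reads shadow-format lines on stdin, prints one line per
# named account, returns non-zero if any account fails or is missing.
audit_aging() {
    awk -F: -v users="$*" -v req_max="$REQ_MAX" -v req_warn="$REQ_WARN" '
        BEGIN { n = split(users, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        ($1 in want) {
            seen[$1] = 1
            max = $5; warn = $6
            if (max == "" || max + 0 < 0) {
                # An empty or negative field means password aging is disabled.
                printf "FAIL %s: no maximum password age\n", $1; bad = 1
            } else if (max + 0 > req_max) {
                printf "FAIL %s: max age %d > %d\n", $1, max, req_max; bad = 1
            } else if (warn == "" || warn + 0 < req_warn) {
                printf "FAIL %s: warning period below %d days\n", $1, req_warn; bad = 1
            } else {
                printf "OK %s: max=%d warn=%d\n", $1, max, warn
            }
        }
        END {
            # Report requested accounts that never appeared in the input.
            for (i = 1; i <= n; i++) if (!(list[i] in seen)) {
                printf "FAIL %s: account not found\n", list[i]; bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample records (hashes replaced by "x"); not from a real appliance.
sample_shadow() {
    cat <<'EOF'
root:x:17000:0:60:3:::
cliadmin:x:17000:1:90:14:::
ftpuser:x:17000:0::::
EOF
}

# On a live system, run as root: audit_aging root cliadmin ftpuser < /etc/shadow
```
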

Notes: Note that the only way to unlock the locked account is to use:
pam_tally --reset=0 --user cliadmin
Legacy Article ID: a61692