Archives

All posts for the month March, 2006

In RHEL3 (and probably other *nixes), /etc/login.defs contains default settings for user password aging (how long before it must be changed) and expiration, amongst other things. Here is an example:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 180
PASS_MIN_DAYS 7
PASS_MIN_LEN 5
PASS_WARN_AGE 10

Strangely, PASS_MIN_LEN is not used; it is overridden by whatever you set minlen= to for the cracklib PAM module.
These settings say:

passwords expire after 180 days
a password must be used for at least 7 days before it can be changed again
10 days before your password will expire, you will receive a notice. The notice will pop up in a gdm window, or at the command prompt from a virtual terminal.

These settings apply to new user accounts created with adduser, and can be viewed by using the chage -l username command.

Another trick you can do with PAM is force your users to use complex passwords. This example sets a minimum password length of 8 characters, composed of at least 1 digit, 1 uppercase letter, 1 lowercase letter, and 1 non-alphanumeric character:

password required /lib/security/$ISA/pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8

The retry=3 means you get 3 chances to choose a new password that complies with your rule before it gives up on you. Note also minlen=8, which sets the minimum password length to 8 characters.

Stuff that in your /etc/pam.d/system-auth. See my other post on how to expire a user's password and make them comply with your new rule.

The PAM module pam_tally can be used to track the number of times a user enters a bad password and lock out their account after a specified number of attempts. The lock can be indefinite, or can reset itself after a period of time.

This example is from the system-auth file in /etc/pam.d on a RedHat Enterprise Linux machine:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

# Enables failed login counts (section 1 of 2)
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

# Enables failed login counts (section 2 of 2)
account required /lib/security/$ISA/pam_tally.so deny=5 reset no_magic_root

password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Note that in the example the module is referenced twice: once in the auth section, and again in the account section. If you care about the details, read up on PAM. Otherwise just note that it will lock out any user except root after 5 bad password attempts, forever. If a user successfully logs in the counter is reset, e.g. after 4 bad attempts and a successful 5th, the tally counter goes back to 0. To view and unlock accounts, use the pam_tally command. By itself, pam_tally shows each username and its number of failed password attempts.

To unlock an account, do:

pam_tally --user username --reset

Seems like a simple thing to do, right? Create a user account, set an initial password, then force that user to enter a new password the first time they log in. Well, it used to be easy: just use passwd -e to *expire* that user's password. But someone decided that was too simple, so this functionality was moved to chage. Here's a breakdown of how to create a new user account with an initial password that expires the first time it's used:

useradd username
passwd username
chage -d 0 username

Seems strange that several functions in passwd overlap with functions in chage, but expire was removed from passwd altogether.
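Since the login.defs settings above only take effect for accounts created afterwards, and chage -d 0 is recorded in the same place, both can be checked across existing accounts from the shadow file. The script below is an added example, not from the original post: it reads the PASS_* values from login.defs-style text and reports every shadow entry whose aging fields disagree with them, or which is due for a password change at next login. The login.defs and shadow contents are constructed samples, PLACEHOLDER stands in for a real password hash, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/shadow aging fields
# against the PASS_* policy in /etc/login.defs. The login.defs text and the
# shadow lines below are constructed samples; PLACEHOLDER stands in for a
# real password hash.

LOGIN_DEFS_SAMPLE='# Password aging controls:
PASS_MAX_DAYS 180
PASS_MIN_DAYS 7
PASS_MIN_LEN 5
PASS_WARN_AGE 10'

# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# root and carol still carry the pre-login.defs defaults, bob was given
# "chage -d 0", dave is locked.
SHADOW_SAMPLE='root:PLACEHOLDER:13100:0:99999:7:::
alice:PLACEHOLDER:13100:7:180:10:::
bob:PLACEHOLDER:0:7:180:10:::
carol:PLACEHOLDER:13100:0:99999:7:::
dave:!!:13100:7:180:10:::'

# login_defs_value KEY   (login.defs text on stdin; last setting wins)
login_defs_value() {
    awk -v key="$1" '$1 == key { v = $2 } END { print v }'
}

# shadow_audit MAXDAYS MINDAYS WARNAGE   (shadow text on stdin)
# Prints "<user> <finding>" for each aging field that differs from the
# policy, and flags accounts forced to change their password at next login.
shadow_audit() {
    awk -F: -v max="$1" -v min="$2" -v warn="$3" '
        $2 ~ /^[!*]/ { next }     # locked or no password: nothing to age
        $3 == "0"    { print $1, "must-change-at-next-login"; next }
        $5 != max    { print $1, "max-days=" $5 " policy=" max }
        $4 != min    { print $1, "min-days=" $4 " policy=" min }
        $6 != warn   { print $1, "warn-age=" $6 " policy=" warn }
    '
}

# Run the audit on the samples. On a real box (as root) replace the two
# printf pipelines with "< /etc/login.defs" and "< /etc/shadow".
max=$(printf '%s\n' "$LOGIN_DEFS_SAMPLE" | login_defs_value PASS_MAX_DAYS)
min=$(printf '%s\n' "$LOGIN_DEFS_SAMPLE" | login_defs_value PASS_MIN_DAYS)
warn=$(printf '%s\n' "$LOGIN_DEFS_SAMPLE" | login_defs_value PASS_WARN_AGE)
printf '%s\n' "$SHADOW_SAMPLE" | shadow_audit "$max" "$min" "$warn"
```

Accounts the audit flags for max-days, min-days or warn-age can be brought into line with chage -M 180 -m 7 -W 10 username, since editing login.defs does nothing for accounts that already exist.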