password complexity policy in SLES

Hi all,
please can anyone help me in the below, i am new to Linux, i usually worked with Solaris.
I need to apply some kind of complexity on all users created (and that will be created) on my SLES server, the complexity should compromise the below:
1- The length of the password must be at least eight ( 08) characters; and should be a combination of alphanumeric and special characters. Users should not choose passwords that can be easily guessed , such as their names, the names of their spouses or parents, dictionary words, phone numbers, dates, or common words as aaabbb, qwerty, 1234, 1111 and the words derived from the name of the company
2- The history of passwords must be set at least ten (10).
3- The life of password must be set to ninety (90) days. A reminder should be sent to the user in (07) days before the expiration of the password. Account must be locked if password expired.
4- The systems must be configured to lock the user account if there was more than five (05 ) consecutive invalid login attempts. The user’s account must be locked for at least ten (10) minutes and can be unlocked automatically or manually by the administrator.

i have configured the above in solaris successfully, but i am lost in the large number of files that i should edit in OpenSUSE or SLES,
please your help is so much appreciated

Hi hyouness,

pam_cracklib is your friend (“man pam_cracklib”). You can activate it via YaST (“Security and users” - “Security Center and hardening” - “password settings”) and set dictionary checking, min password length (see the man page about the interpretation of “minlen” and credits!), the size of the password history and min/max password age.

Then have a look at /etc/pam.d/common-password, which is where the pam_cracklib statement is included - you can configure your additional requirements by adding the appropriate parameters.


thank you jmozdzen,
do you know exactly which parameter to add in /etc/pam.d/common-password to lock a user account when he provides a 5 consecutive login attempts?

Hi hyouness,

I have missed that its a different pam module for this: pam_tally, with the “deny” parameter. For this module as well, see “man pam_tally” for all available options.

With regards,