Thanks Tomas! Perfect example.

Sent from my iPad

> On 23 Feb 2017, at 9:21 PM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
>
>> On Thu, 2017-02-23 at 05:53 +0000, Juha A. wrote:
>> Hi,
>>
>> I would need to configure different password policy based on the
>> user's UID.
>>
>> For example:
>>
>> - UID 1000-1999: Minimum Password Length = 15, 3 different character
>> classes
>>
>> - UID 2000-2999: Minimum Password Length = 20, 4 different character
>> classes
>>
>> The /etc/security/pwquality.conf does not seem to have a way to
>> configure different rules based on UID, but I was also unable to get
>> system-auth/password-auth to work properly.
>>
>> Would anyone have advice on how to achieve the above?
>
> You could configure the PAM stack so that there would be two
> pam_pwquality lines with different options and skip over them with
> pam_succeed_if modules and jumps.
>
> something like this: (untested, just for inspiration)
>
> password [success=2 default=ignore] pam_succeed_if.so uid >= 2000
> password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=15 minclass=3
> password [success=1 default=ignore] pam_permit.so
> password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=20 minclass=4
>
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
> (You'll never know whether the road is wrong though.)
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
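
The jump logic in the quoted stack can be traced offline before touching system-auth. The following Python model is an added example, not part of the thread: it walks the four quoted lines for a given UID and reports which pam_pwquality limits are evaluated. The function names are hypothetical, and every module other than pam_succeed_if is assumed to return success.

```python
import re

# The four lines from the quoted reply, verbatim (its author marked them untested).
STACK = """\
password [success=2 default=ignore] pam_succeed_if.so uid >= 2000
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=15 minclass=3
password [success=1 default=ignore] pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= minlen=20 minclass=4
"""

def parse(stack):
    """Split each line into (control, module, args); the type column is dropped."""
    pattern = re.compile(r"\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
    return [(c, m, a.split()) for c, m, a in
            (pattern.match(line).groups() for line in stack.splitlines())]

def skip_count(control):
    """N from a [success=N ...] control; 0 for keywords such as 'requisite'."""
    found = re.search(r"success=(\d+)", control)
    return int(found.group(1)) if found else 0

def returns_success(module, args, uid):
    """Model only: pam_succeed_if tests 'uid >= N'; every other module is
    assumed to return PAM_SUCCESS (i.e. the new password passes the check)."""
    if module == "pam_succeed_if.so":
        field, op, value = args[:3]
        if (field, op) != ("uid", ">="):
            raise ValueError("only 'uid >= N' is modelled")
        return uid >= int(value)
    return True

def policy_for(uid, stack=STACK):
    """Walk the stack for one UID; return the pam_pwquality limits evaluated."""
    entries, applied, i = parse(stack), [], 0
    while i < len(entries):
        control, module, args = entries[i]
        if module == "pam_pwquality.so":
            opts = dict(a.split("=") for a in args if "=" in a)
            applied.append({k: int(opts[k]) for k in ("minlen", "minclass")})
        # On success jump over the next N entries; other results are ignored.
        i += 1 + (skip_count(control) if returns_success(module, args, uid) else 0)
    return applied

if __name__ == "__main__":
    for uid in (500, 1500, 2500, 3500):  # constructed sample UIDs
        print(uid, policy_for(uid))
```

Because the only test in the stack is `uid >= 2000`, the walk also shows what UIDs outside the two ranges in the question receive: 500 gets the minlen=15 line and 3500 gets the minlen=20 line.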