recolic / microsoft-intune-archlinux

This is a read-only mirror for https://git.recolic.net/root/microsoft-intune-archlinux.git

Password policies #2

Closed EndruK closed 8 months ago

EndruK commented 9 months ago

Hi, my company is enforcing password policies and I can't get my head around how I can solve this. I'm running Manjaro Linux and already tried to update PAM policies to follow the rules, but I still get no compliance issues for passwords.

What I did: change /etc/pam.d/system-auth from

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

to

-password  [success=1 default=ignore]  pam_systemd_home.so
password   requisite                   pam_pwquality        minlen=10 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

The flaws I have are:

Also, it seems that /etc/os-release is not checked by Intune since it holds the Ubuntu details.

What am I missing?

Edit: It seems that the password policies work on system level - pwscore checks for the configured password policies in PAM.

recolic commented 9 months ago

Hi @EndruK, does your company provide an official Ubuntu Linux enrollment guide? The official guide will tell you how to set your password policy file. Please make sure you follow the official guide (except using my package).

As an example, my company is checking /etc/pam.d/common-password, not system-auth.


For your "Your device's storage media must be encrypted" problem, did you do full disk encryption? As an example, my company wants you to use LVM + full disk encryption.


And... if you are trying to do "level-2 enroll" on your Manjaro Linux / Arch Linux, it's not supported by this project. Someone else tried and succeeded, but I never tried it.

jacqinthebox commented 9 months ago

Hi @EndruK, to confirm, I just created the file /etc/pam.d/common-password and added

password required pam_pwquality.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=12

instead of adding the line to system-auth, refreshed intune-portal and now I am compliant.

I'm on a fresh Arch install but I assume Manjaro is the same.
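
A local pre-check for the change described in the comment above, as an added example that is not part of the thread or of the project's code: it parses the text of a PAM file such as /etc/pam.d/common-password and lists where its pam_pwquality.so rule is weaker than the values quoted in that comment. The function names and the `REQUIRED` thresholds are assumptions for illustration, and how intune-portal itself evaluates the file is not shown on this page.

```python
import re

# Thresholds copied from the pam_pwquality.so line quoted in the thread
# (assumption: your organisation's compliance policy may require other values).
REQUIRED = {"minlen": 12, "dcredit": -1, "ocredit": -1, "ucredit": -1, "lcredit": -1}

# PAM rule: [-]type  control | [bracketed control]  module-path  [args...]
PAM_RULE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def pwquality_options(pam_text):
    """Return the options of the first 'password' pam_pwquality.so rule, or None."""
    joined = pam_text.replace("\\\n", " ")  # a trailing backslash continues a rule
    for raw in joined.splitlines():
        rule = PAM_RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not rule or rule["type"] != "password":
            continue
        # Compare the module file name, ignoring any directory prefix.
        if rule["module"].rsplit("/", 1)[-1] != "pam_pwquality.so":
            continue
        return dict(arg.partition("=")[::2] for arg in rule["args"].split())
    return None


def policy_gaps(pam_text, required=REQUIRED):
    """List the ways pam_text is weaker than `required`; an empty list means none."""
    opts = pwquality_options(pam_text)
    if opts is None:
        return ["no 'password ... pam_pwquality.so' rule found"]
    gaps = []
    for key, want in required.items():
        try:
            have = int(opts[key])
        except (KeyError, ValueError):
            gaps.append(f"{key} is not set (need {want})")
            continue
        # minlen: larger is stricter. *credit: a negative value -N demands at
        # least N characters of that class, so more negative is stricter.
        if (have < want) if key == "minlen" else (have > want):
            gaps.append(f"{key}={have} is weaker than {want}")
    return gaps


if __name__ == "__main__":
    # Constructed sample: a shorter minlen and no digit requirement.
    sample = "password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 lcredit=-1 ocredit=-1\n"
    print(policy_gaps(sample))
```

To check a real file, pass its contents, for example `policy_gaps(open("/etc/pam.d/common-password").read())`.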

EndruK commented 8 months ago

> Hi @EndruK, To confirm, I just created the file /etc/pam.d/common-password and added password required pam_pwquality.so retry=3 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1 minlen=12
>
> Instead of adding the line to system-auth, refreshed intune-portal and now I am compliant.
>
> I'm on a fresh Arch install but I assume Manjaro is the same.

Nice thanks for the tip, that worked :)