Q&A: Can I Configure Password Complexity for Machine Accounts?

Question:

Can I configure password complexity for machine accounts?

Environment

Password complexity for user passwords can be configured with the following variables:

root@ucs:~# ucr search --brief password/quality
kerberos/password/quality/check: yes
password/quality/credit/digits: <empty>
password/quality/credit/lower: <empty>
password/quality/credit/other: <empty>
password/quality/credit/upper: <empty>
password/quality/forbidden/chars: <empty>
password/quality/required/chars: <empty>

Answer:

Yes, this is possible.
By default, the machine account passwords do not follow the above policies and have to be configured additionally.
The server generates the password by default without special characters by using at least one capital letter and at least one digit with the length of 20.
Set the settings to match your needs:

root@ucs:~# machine/password/complexity=yncs
root@ucs:~# machine/password/length=40

This will generate random passwords (“s”) with a length of 40 characters and have at least one of:

  • capital letter (“c”)
  • digit (“n”)
  • special character (“y”)

See also: Trigger Password Change

Mastodon