LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 06-01-2004, 06:55 AM   #1
Nick Pontelando
LQ Newbie
 
Registered: May 2004
Location: Waterbury, CT
Posts: 4

Rep: Reputation: 0
password policy


Hello,

Trying to setup/enforce a password policy.

Want to require users to enter an 8 character password with 1 numeric and 1 special character, 90 day expiration, 120 day inactivity, 3 try lockout.

Have looked at PAM in an attempt to setup some of the initial password requirements (8 char, 1 digit, 1 special) but can't seem to get any of it working. Tried making changes to /etc/pam.d/passwd and /etc/pam.d/system-auth using cracklib with the various credit parameters as specified in the PAM documentation but can't seem to get it to work.

Also can't seem to find thorough documentation on the xcredit parameters, or for system-auth.

Any suggestions/pointers would be appreciated.

Thanks
 
Old 06-01-2004, 07:23 AM   #2
SciYro
Senior Member
 
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
what does PAM have to do with password security? , maybe you could write a script that people could use to make there passwords with, or modify the program that sets the passwords to check for you requirements
 
Old 06-01-2004, 07:35 AM   #3
Nick Pontelando
LQ Newbie
 
Registered: May 2004
Location: Waterbury, CT
Posts: 4

Original Poster
Rep: Reputation: 0
I believe PAM is documented to provide services regarding the password itself. I tried adding the following line to /etc/pam.d/password and /etc/pam.d/system-auth...

password required /lib/security/pam_cracklib.so dcredit=-1 ocredit=-1 minlen=8

This is supposed to require a password with at least 1 digit and 1 "other" character, with a minimum length of 8 characters - if I am reading the documentation correctly.
 
Old 06-01-2004, 02:21 PM   #4
todw1fd
LQ Newbie
 
Registered: May 2004
Location: Pennsylvania
Posts: 2

Rep: Reputation: 0
Trying to do the same think with RH Enterprise 3 and having about the same amount of success trying to configure the system-auth file. I too would love some help. While I don't mind working at the command line, I would have thought that RH might have made this a bit easier all things considered.
 
Old 06-02-2004, 06:26 AM   #5
Nick Pontelando
LQ Newbie
 
Registered: May 2004
Location: Waterbury, CT
Posts: 4

Original Poster
Rep: Reputation: 0
I think some of this is done through the shadow file. If you use X and go to System Settings=>Users and Groups=>select a user=>Password Info you will see some entrys for password aging. Changing this GUI modifies the /etc/shadow file. I would like to know if there is a command line utility to do this, or if it is considered good practice to modify /etc/shadow using vi or some other editor. But this only effects password aging and not password content.
 
Old 06-02-2004, 11:09 AM   #6
Mathieu
Senior Member
 
Registered: Feb 2001
Location: Montreal, Quebec, Canada
Distribution: RedHat, Fedora, CentOS, SUSE
Posts: 1,403

Rep: Reputation: 46
To make modifications to the /etc/shadow file, you can use the usermod command.
Eventhough you are allowed to modify the shadow file manually, I encourage you to use the usermod command.

In order to implement all the above mentioned login rules for new users, you will need to modify the /etc/login.defs file.

Also, the /etc/skel/ directory contains default configuration files which will be copied to a new users HOME directory.
And if you want to add login scripts or other custom configuration settings which will be applied to all users at log-on, you can add them to the /etc/profile.local file.

Last edited by Mathieu; 06-02-2004 at 11:10 AM.
 
Old 06-02-2004, 01:20 PM   #7
Nick Pontelando
LQ Newbie
 
Registered: May 2004
Location: Waterbury, CT
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks Mathieu.

Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?
 
Old 06-03-2004, 11:53 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Anyone out there doing anything about repetitive login attempts/failures beyond watching a log or delaying the ability to make subsequent login attempts?
Could block 'em off using pam_tally.
 
Old 08-15-2012, 09:07 AM   #9
lmcdrra
LQ Newbie
 
Registered: Aug 2012
Posts: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by Nick Pontelando View Post
I believe PAM is documented to provide services regarding the password itself. I tried adding the following line to /etc/pam.d/password and /etc/pam.d/system-auth...

password required /lib/security/pam_cracklib.so dcredit=-1 ocredit=-1 minlen=8

This is supposed to require a password with at least 1 digit and 1 "other" character, with a minimum length of 8 characters - if I am reading the documentation correctly.
I think you are not reading documentation correctly. minlen is minimal numbe of credits. It is also not sure what do you mean by "not working".. does system accepts passworsd that it should not? Or your aparently valid passowrd is rejected?
 
Old 08-15-2012, 09:50 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Necroposting, the practice of responding to a thread that died a long time ago, is in this case not that useful. As the OP left several years ago. Please choose where you post carefully. Thread closed.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to set the password policy and lockout policy bin_shell Linux - Security 4 03-24-2010 03:30 PM
Samba System Policy, Default User Policy scooter549 Linux - General 2 02-24-2009 02:23 AM
Password Expiration Policy bspicer Linux - General 7 05-12-2007 03:26 AM
Implementing password policy ddaas Linux - Security 3 12-31-2004 02:02 PM
Linux Password Policy MaverickApollo Linux - Security 2 02-07-2004 06:49 AM


All times are GMT -5. The time now is 11:24 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration