LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-16-2013, 02:30 PM   #1
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Rep: Reputation: 0
Password Policy


I have been working on customizing the password policy on CentOS. I know most of what I want to set can be done in the file /etc/pam.d/system-auth, which I have successfully augmented. However, in testing I found that very little information is displayed when insufficient password are entered. For example, when the new password entered does not have a non-alpha-numeric character it simply returns "Bad Password: is too simple."


How can I get passwd to display the password policy or at least make it easier to understand what kind of password is acceptable? Thanks.
 
Old 04-16-2013, 02:40 PM   #2
Nbiser
Member
 
Registered: Oct 2012
Location: Maryland
Distribution: Fedora, Slackware, Debian, Ubuntu, Knoppix, Helix,
Posts: 290
Blog Entries: 7

Rep: Reputation: 43
Are you using a script to accomplish this?
 
Old 04-16-2013, 03:21 PM   #3
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Nbiser View Post
Are you using a script to accomplish this?
This link describes what I am doing.

http://www.puschitz.com/SecuringLinu...ongerPasswords

I am just adding flags to the pam-cracklib.so module.
 
Old 04-16-2013, 03:33 PM   #4
Nbiser
Member
 
Registered: Oct 2012
Location: Maryland
Distribution: Fedora, Slackware, Debian, Ubuntu, Knoppix, Helix,
Posts: 290
Blog Entries: 7

Rep: Reputation: 43
Quote:
Originally Posted by Obscurious View Post
This link describes what I am doing.

http://www.puschitz.com/SecuringLinu...ongerPasswords

I am just adding flags to the pam-cracklib.so module.
mmmmmmh......... in that case I'm afraid I won't be able help you. However, I'm sure that there is someone else here on the forums that will.

I wish you success!!
 
Old 04-16-2013, 07:10 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
The reason it does that is for security; you should give away the minimum info (preferably none) to a possible attacker.
Traditionally for login, it only supplies an error after both(!) username & passwd have been supplied, and often it just says 'Invalid Login' so that you don't know if the username or passwd was wrong (or both).

If you DO want to publish the passwd requirements, you could use the banner or issue file, but normally users are only told at registration, either via a separate path, or on the registration page.
See also 'lost passwd' procedures.

You could use pam_exec to call your own program I suppose.
 
Old 04-17-2013, 01:19 PM   #6
Obscurious
LQ Newbie
 
Registered: Jun 2009
Distribution: Debian, RHEL, FreeBSD
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
The reason it does that is for security; you should give away the minimum info (preferably none) to a possible attacker.
Traditionally for login, it only supplies an error after both(!) username & passwd have been supplied, and often it just says 'Invalid Login' so that you don't know if the username or passwd was wrong (or both).

If you DO want to publish the passwd requirements, you could use the banner or issue file, but normally users are only told at registration, either via a separate path, or on the registration page.
See also 'lost passwd' procedures.

You could use pam_exec to call your own program I suppose.
Thank you for your response. To be more clear, I want to show the password policy when a user is changing or setting their password. At the moment, if a user is updating their password it does not supply enough information to understand why the new password is not accepted. I can foresee users being unable to set their password if my policy is decently complex because it does not state what criteria was not met , it simply says "Bad Pass".
 
Old 04-17-2013, 08:55 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041Reputation: 2041
The problem is there's no way for the system to know its a legit user trying to change their passwd vs a cracker just guessing.

This is why its often done OOB (Out Of Bounds) eg via email when their initial acct is setup for them, or just displayed on an intranet Wiki.

Ok here's how to create+show pre-login banners for term sessions and for ssh logins
http://www.cyberciti.biz/faq/howto-c...login-message/
http://www.cyberciti.biz/tips/change...in-banner.html

If you want to only show a msg IF they fail, I think you'll need to customise the use of pam_unix, but its not evident to me how to do that.

I think you should consider asking the Mods (via the Report button) to move this to the Security forum.
I'm curious about the soln myself now ...

Last edited by chrism01; 04-17-2013 at 09:25 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Configure my Redhat directory server password policy and account lockout policy arunplanet Linux - Newbie 4 10-06-2012 09:59 AM
How to set the password policy and lockout policy bin_shell Linux - Security 4 03-24-2010 04:30 PM
Password policy chetan_linux Linux - Security 2 02-14-2010 03:42 AM
Password policy Bharat Kumar pankaj Linux - Server 1 08-17-2008 02:47 AM


All times are GMT -5. The time now is 04:29 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration