Two password questions
Hi there --
I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.
1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?
2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?
Thanks.
PAM can be used in this case.
There is no point having a system-wide policy for all users (including system users). For point 2, you can use PAM to achieve this. This link may help you out, else come back with errors.
Hi there --
Thanks for your reply. I read the article you suggested, and I had several follow-up questions. The article made mention of adding remember=x to the pam_unix line of the system-auth file. The article references the line syntax shown below:
Code:
password required pam_unix.so md5 remember=12 use_authtok
Code:
password sufficient pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Also, the article made mention that the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that was still true, and if so, would an application like John the Ripper be a viable alternative?
NO, these lines have two different meanings. Take a look at the keywords required and sufficient. When it is required, the module result must be successful for authentication to continue; when it is sufficient, the module result is ignored if it fails. Thus, if you want the user not to use previous passwords, you can use the code with required. Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days). Hope this helps.
Hi there --
Thanks for the follow-up, and you have my sympathy about being busy...been there, done that. ;-) Anyway, I modified the line in question so it reads as follows:
Code:
password required pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Also, as far as the update-cracklib and John the Ripper utilities are concerned, is the former available for the CentOS distro, and if not, will the latter be a good substitute? Thanks.
And I do not have much idea about the update-cracklib and John the Ripper utilities. I have not played with them. By the way, I do not think you will feel the need to use those. As far as I remember, the pam_cracklib module checks the password against dictionary words. You can use it with the required keyword. I think it should work. Keeping my fingers crossed.
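Added example (this is not code from any of the posts above): a small shell linter for the password stack in a CentOS 5 style /etc/pam.d/system-auth. Two points from the exchange above are worth checking mechanically. First, pam_unix's remember=N keeps the last N password hashes in /etc/security/opasswd and refuses any of them on the next change; N counts changes, not days, so remember=12 means "not one of your last 12 passwords" regardless of when they were set. Second, the stock CentOS 5 stack (assumed here; the thread does not show it) ends with "password required pam_deny.so", so switching the pam_unix line from sufficient to required means the stack no longer stops at pam_unix and pam_deny rejects every password change; remember=12 belongs on the existing sufficient line. The dictionary check the OP asked about is pam_cracklib.so in the same stack, which uses the system cracklib dictionary (package cracklib-dicts on CentOS). The three sample files are constructed for the demo.

```shell
# Added example for this thread (not code from any of the posts above). It lints the
# "password" stack of a CentOS 5 style /etc/pam.d/system-auth. Assumptions: the file
# uses the "type control module args" layout, and the stock stack ends with
# "password required pam_deny.so" (the CentOS 5 default, not shown in the thread).

# Exit 0 if pam_unix.so carries remember=N (N >= 1) on its password line.
has_history() {   # has_history FILE
    awk '$1 == "password" && $3 == "pam_unix.so" {
             for (i = 4; i <= NF; i++) if ($i ~ /^remember=[1-9][0-9]*$/) found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 if pam_unix.so was changed to "required" and pam_deny.so still follows it.
# pam_deny always fails, so once pam_unix is no longer "sufficient" the stack never
# short-circuits and every passwd(1) run is rejected.
deny_after_required_unix() {   # deny_after_required_unix FILE
    awk '$1 == "password" && $2 == "required" && $3 == "pam_unix.so" { req = 1 }
         $1 == "password" && $3 == "pam_deny.so" && req            { bad = 1 }
         END { exit bad ? 0 : 1 }' "$1"
}

# Report both checks. Returns 0 (fine), 1 (no history), 2 (stack would reject changes).
check_password_stack() {   # check_password_stack FILE
    _f=$1; _st=0
    if has_history "$_f"; then
        echo "ok: pam_unix.so keeps old password hashes (remember=N)"
    else
        echo "warn: no remember=N on pam_unix.so, password history is off"; _st=1
    fi
    if deny_after_required_unix "$_f"; then
        echo "error: pam_unix.so is 'required' and pam_deny.so follows it; every password change would fail"; _st=2
    fi
    return $_st
}

# Constructed sample stacks (written under DIR; nothing in /etc is touched):
#   default - stock line, no history
#   fixed   - remember=12 added, control flag left as sufficient
#   broken  - remember=12 added but control flag changed to required
write_sample_stacks() {   # write_sample_stacks DIR
    cat > "$1/system-auth.default" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    cat > "$1/system-auth.fixed" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    cat > "$1/system-auth.broken" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    required      pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Demo on the constructed files. On a real box: check_password_stack /etc/pam.d/system-auth
demo_dir=$(mktemp -d)
write_sample_stacks "$demo_dir"
for name in default fixed broken; do
    echo "== system-auth.$name"
    check_password_stack "$demo_dir/system-auth.$name" || true
done
rm -rf "$demo_dir"
```

The "broken" sample is exactly the line the OP ended up with (required plus remember=12) placed into the stock stack; the "fixed" sample is the same remember=12 on the unchanged sufficient line, which is what gives password history without breaking passwd.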
About the password aging part of the question, the /etc/shadow file contains that information. All distros will have an option whether to expire passwords. Your distro may have a config setting for password strength and number of passwords to store, without having to edit the PAM config yourself. Either a security config or under users & groups.
See the shadow (5) man page for password aging info.
So if a user reset his password 13 times in a day, password number 1 and 13 can be the same. However, if he changed his password once every 30 days, then it would be 360 days before he could use the same password again. The min and max days to reset a password are in /etc/login.defs:
Code:
PASS_MAX_DAYS 60
PASS_MIN_DAYS 10
PASS_MIN_LEN 15
PASS_WARN_AGE 7
I forgot to explain this to the OP. Thanks for finding it. See this link for your and the OP's reference.
Example: PASS_MIN_DAYS=7, PASS_MAX_DAYS=60, remember=10. So with these 3 settings combined, the password can be reused after either 10*7=70 days if the passwords are reset every 7 days; however, if the person does not reset their password until the last day, when they must change it, then you now have 60*10=600 days before they can reuse a password. None of the options are a combination of any other options; it's just the fact that when working together, because of each separate function, it makes it seem like they are.