Two password questions
 

Hi there --

I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.

1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?

2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?

Thanks.

PAM can be used in this case.

For Point 1, you can have list of users policies in a "for" loop. This would be easy in my opinion. Rather, you can also have a same password policies for UID >= 500.
There is no point having a system wide policy for all users (including system users).

For Point 2, you can use PAM to achieve this. This link may help you out, else come back with errors.

Hi there --

Thanks for your reply. I read the article you suggested, and I had several follow-up question:

The article made mention of adding the remember=x to the pam_unix line of the system-auth file. The article references the
line syntax shown below:

The system that I am working on, has a line similar to the above:

Are these the same lines with slightly different syntax?

Also, the article made mention the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that was still true, and if so, would an application like John the Ripper be a viable alternative?

password required pam_unix.so md5 remember=12 use_authtok
 

Sorry for the delay, I was keeping too busy with so many things around.

NO, these lines have two different meanings.

Take a look of the keywords required and sufficient.

When it is required -- The module result must be successful for authentication to continue.
and
when it is sufficient -- The module result is ignored if it fails.

Thus, if you want the user not to use previous password you can use code with required.

Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).

Hope, this helps.

Hi there --

Thanks for the follow-up, and you have my sympathy about being busy...been there done that. ;-)

Anyway, I modified the line in question so it reads as follows:

Once the change is made, do I need to restart the pam daemon in order for the change to go into effect?
Also, as far as the update-cracklib and john the ripper utilities are concerned, is the former available for
the CentOS distro, and if not, will the latter be a good substitute?

Thanks.

No, a service restart is not required.

And I do not have much idea about update-cracklib and john the ripper utilities. I have not played with them.

By the way, I do not think you will feel the need to use those.

As far as I remember, pam_cracklib module checks the password against dictionary words. You can use it with required keyword. I think it will should work.

Keeping my fingers crossed.

About the password aging part of the question, the /etc/shadow file contains that information. All distro's will have an option whether to expire passwords. Your distro may have a config setting for password strength and number of passwords to store, without having to edit the pam config yourself. Either a security config or under users & groups.

See the shadow (5) man page for password aging info.

the Remember option is not based on days. its based on the number of passwords to remember. other options control the number of days min and max


So if a user reset his password 13 times in a day password number 1 and 13 can be the same. however if he changed his password once every 30 days then it would be 360 days before he could use the same password again.




the min and max days to reset a password are in /etc/login.defs

PASS_MAX_DAYS 60
PASS_MIN_DAYS 10
PASS_MIN_LEN 15
PASS_WARN_AGE 7

"remember" field is combination of both number of passwords and "PASS_MIN_DAYS" field on /etc/login.defs

I forgot to explain this to the OP. Thanks for finding it.

See this link for your and OPs reference.

the link posted make it sound like they work together. However both are separate settings. remember is a simple the number of passwords kept in the opassword file in /etc/security. with both options set it has the site effect of setting the length of day before passwords can be reused.


example.


PASS_MIN_DAYS=7
PASS_MAX_DAYS=60

remember=10

so with these 3 setting combined the password can be
either 10*7=70 days if the passwords are reset every 7 days however is the person does not reset there password until the last day when they must change it then you now have 60*10=600 days before they can reuse a password. None of the options are a combination of any other options its just the fact that when working together because of each separate function it makes it seem like they are.