LinuxQuestions.org - Linux - Security - Two password questions (http://www.linuxquestions.org/questions/linux-security-4/two-password-questions-876374/)

kaplan71 04-21-2011 01:15 PM

Two password questions
 
Hi there --

I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.

1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?

2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?

Thanks.

PrinceCruise 04-21-2011 01:41 PM

PAM can be used in this case.

vikas027 04-21-2011 01:44 PM

Quote:

Originally Posted by kaplan71 (Post 4331805)

For Point 1, you can have a list of user policies in a "for" loop. This would be easy in my opinion. Alternatively, you can also have the same password policies for UID >= 500.
There is no point having a system-wide policy for all users (including system users).

For Point 2, you can use PAM to achieve this. This link may help you out, else come back with errors.

kaplan71 04-21-2011 02:10 PM

Hi there --

Thanks for your reply. I read the article you suggested, and I had several follow-up questions:

The article made mention of adding remember=x to the pam_unix line of the system-auth file. The article references the line syntax shown below:

Code:

password required pam_unix.so md5 remember=12 use_authtok
The system that I am working on has a line similar to the above:

Code:

password sufficient pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Are these the same lines with slightly different syntax?

Also, the article mentioned that the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that is still true, and if so, whether an application like John the Ripper would be a viable alternative?

vikas027 04-22-2011 07:02 PM

Quote:

Originally Posted by kaplan71 (Post 4331859)

Sorry for the delay, I was keeping too busy with so many things around.

NO, these lines have two different meanings.

Take a look at the keywords required and sufficient.

When it is required, the module result must be successful for authentication to continue,
and
when it is sufficient, the module result is ignored if it fails.

Thus, if you want the user not to use previous passwords, you can use the line with required.

Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).

Hope, this helps.

kaplan71 04-22-2011 07:17 PM

Hi there --

Thanks for the follow-up, and you have my sympathy about being busy...been there done that. ;-)

Anyway, I modified the line in question so it reads as follows:

Code:

password    required      pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Once the change is made, do I need to restart the pam daemon in order for the change to go into effect?
Also, as far as the update-cracklib and John the Ripper utilities are concerned, is the former available for the CentOS distro, and if not, will the latter be a good substitute?

Thanks.

vikas027 04-22-2011 08:18 PM

Quote:

Originally Posted by kaplan71 (Post 4333081)

No, a service restart is not required.

And I do not have much idea about the update-cracklib and John the Ripper utilities. I have not played with them.

By the way, I do not think you will feel the need to use those.

As far as I remember, the pam_cracklib module checks the password against dictionary words. You can use it with the required keyword. I think it should work.

Keeping my fingers crossed.
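
An added example in POSIX shell, not taken from any post in this thread: a small audit of a CentOS 5 style /etc/pam.d/system-auth password stack for the remember= history setting. Two facts about Linux-PAM it builds on, rather than anything the posters wrote: there is no PAM daemon to restart, because the file is parsed every time passwd runs; and a failing "sufficient" module does not by itself fail the stack, so remember= on a sufficient pam_unix line blocks reuse only because the "password required pam_deny.so" line that authconfig places after it catches the fall-through, while on a required line it blocks reuse directly. pam_unix stores the old hashes in /etc/security/opasswd, so the script also checks that file is present and readable by root only. The four sample stacks, the temporary file names and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the "password" stack of a system-auth file for the
# remember=N history policy. A failing "sufficient" module does not fail the
# stack on its own, so remember= counts only on a required/requisite pam_unix
# line, or on a sufficient line backed by a trailing "required pam_deny.so".
# All sample stacks below are constructed for the example.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The edited line from the thread (required + remember=12), stock CentOS 5 layout.
EDITED_AUTH="$WORK/system-auth.edited"
cat > "$EDITED_AUTH" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    required      pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# Original "sufficient" control, still backed by pam_deny.
STOCK_AUTH="$WORK/system-auth.stock"
cat > "$STOCK_AUTH" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# "sufficient" with remember= but nothing after it to catch a failure.
LOOSE_AUTH="$WORK/system-auth.loose"
cat > "$LOOSE_AUTH" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
EOF

# No remember= at all: no history is recorded.
NOHIST_AUTH="$WORK/system-auth.nohist"
cat > "$NOHIST_AUTH" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF

# N from remember=N on the pam_unix.so password line; empty if absent.
remember_value() {
    awk '$1 == "password" && $3 == "pam_unix.so" {
             for (i = 4; i <= NF; i++)
                 if (sub(/^remember=/, "", $i)) { print $i; exit }
         }' "$1"
}

# Control flag (required, sufficient, ...) on the pam_unix.so password line.
unix_control() {
    awk '$1 == "password" && $3 == "pam_unix.so" { print $2; exit }' "$1"
}

# 1 if the last password line is "required pam_deny.so", else 0.
ends_with_deny() {
    awk '$1 == "password" { last = $2 " " $3 }
         END { print (last == "required pam_deny.so") ? 1 : 0 }' "$1"
}

# Exit 0 when password reuse is blocked, 1 otherwise; prints the verdict.
history_enforced() {
    n=$(remember_value "$1")
    if [ -z "$n" ]; then
        echo "$1: no remember= on pam_unix, no history kept"; return 1
    fi
    ctl=$(unix_control "$1")
    case "$ctl" in
        required|requisite)
            echo "$1: remember=$n enforced ($ctl)"; return 0 ;;
        sufficient)
            if [ "$(ends_with_deny "$1")" = 1 ]; then
                echo "$1: remember=$n enforced (sufficient, caught by pam_deny)"; return 0
            fi
            echo "$1: remember=$n on a sufficient line with no pam_deny after it"; return 1 ;;
        *)
            echo "$1: unexpected control '$ctl'"; return 1 ;;
    esac
}

# The history file holds old password hashes, which crack as easily as the
# current one: it must exist and be mode 0600.
opasswd_ready() {
    f=${1:-/etc/security/opasswd}
    [ -f "$f" ] && [ -n "$(find "$f" -perm 600 -print)" ]
}

for f in "$EDITED_AUTH" "$STOCK_AUTH" "$LOOSE_AUTH" "$NOHIST_AUTH"; do
    history_enforced "$f" || true
done
# On a real host: history_enforced /etc/pam.d/system-auth && opasswd_ready
```

Run it as is to see the four verdicts; on a CentOS box, point history_enforced at /etc/pam.d/system-auth after editing it (no restart of anything is needed) and create /etc/security/opasswd with mode 0600, owned by root, if opasswd_ready fails. The audit deliberately does not try to model every PAM control syntax ([success=... default=...] brackets are reported as "unexpected"), so a stack that uses them needs a human look.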

jschiwal 04-22-2011 08:38 PM

About the password aging part of the question, the /etc/shadow file contains that information. All distros will have an option whether to expire passwords. Your distro may have a config setting for password strength and number of passwords to store, without having to edit the pam config yourself. Either a security config or under users & groups.

See the shadow (5) man page for password aging info.

slimm609 04-23-2011 03:20 PM

Quote:

Originally Posted by vikas027 (Post 4333064)

Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).

The remember option is not based on days; it is based on the number of passwords to remember. Other options control the minimum and maximum number of days.

So if a user resets his password 13 times in a day, passwords number 1 and 13 can be the same. However, if he changed his password once every 30 days, then it would be 360 days before he could use the same password again.

The min and max days to reset a password are in /etc/login.defs:

Code:

PASS_MAX_DAYS 60
PASS_MIN_DAYS 10
PASS_MIN_LEN 15
PASS_WARN_AGE 7
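
An added example in POSIX shell, not from any post in the thread, tying together the two halves of the aging question. PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs are read by useradd when an account is created, so they only set the defaults for new accounts; existing accounts keep whatever is already in /etc/shadow (see shadow(5)) and have to be updated with chage, which is what the "for" loop over UID >= 500 suggested earlier amounts to. (PASS_MIN_LEN is not consulted on a PAM system; minimum length comes from pam_cracklib's minlen.) The passwd and login.defs contents below are constructed samples, and the script only prints the chage commands unless told to run them.

```shell
#!/bin/sh
# Added example: push the aging policy from a login.defs file onto every
# existing non-system account with chage. login.defs only supplies defaults
# for accounts useradd creates later; existing accounts keep the fields
# already in /etc/shadow. The passwd and login.defs below are constructed.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SAMPLE_PASSWD="$WORK/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

SAMPLE_DEFS="$WORK/login.defs"
cat > "$SAMPLE_DEFS" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   60
PASS_MIN_DAYS   7
PASS_MIN_LEN    15
PASS_WARN_AGE   7
EOF

# Value of key $1 in login.defs-style file $2 (first match; comments ignored).
login_defs_value() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Login names with UID >= $2 in passwd-style file $1, excluding the
# 65534 "nobody"-style account, a system account that sits above the cutoff.
regular_users() {
    awk -F: -v min="$2" '$3 >= min && $3 != 65534 { print $1 }' "$1"
}

# The chage invocation that sets max age, min age and warning for one user.
chage_command() {
    printf 'chage -M %s -m %s -W %s %s\n' "$2" "$3" "$4" "$1"
}

# Print (mode "dry", the default) or execute as root (mode "run") the chage
# command for every regular user, with values from the login.defs file.
apply_aging_policy() {
    passwd_file=$1; defs_file=$2; min_uid=$3; mode=${4:-dry}
    max=$(login_defs_value PASS_MAX_DAYS "$defs_file")
    min=$(login_defs_value PASS_MIN_DAYS "$defs_file")
    warn=$(login_defs_value PASS_WARN_AGE "$defs_file")
    regular_users "$passwd_file" "$min_uid" | while read -r user; do
        cmd=$(chage_command "$user" "$max" "$min" "$warn")
        if [ "$mode" = run ]; then
            $cmd
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Dry run against the constructed sample. On a real host, as root:
#   apply_aging_policy /etc/passwd /etc/login.defs 500 run
apply_aging_policy "$SAMPLE_PASSWD" "$SAMPLE_DEFS" 500
```

Review the dry-run output before switching to "run": chage -M on an account whose current password is already older than PASS_MAX_DAYS expires it immediately, so those users will be forced to change their password at their next login. Use "chage -l user" afterwards to confirm the new dates in /etc/shadow.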

vikas027 04-23-2011 08:16 PM

Quote:

Originally Posted by slimm609 (Post 4333803)
the Remember option is not based on days. its based on the number of passwords to remember. other options control the number of days min and max

"remember" field is combination of both number of passwords and "PASS_MIN_DAYS" field on /etc/login.defs

I forgot to explain this to the OP. Thanks for finding it.

See this link for your and OPs reference.

slimm609 04-23-2011 10:45 PM

Quote:

Originally Posted by vikas027 (Post 4333981)
"remember" field is combination of both number of passwords and "PASS_MIN_DAYS" field on /etc/login.defs

I forgot to explain this to the OP. Thanks for finding it.

See this link for your and OPs reference.

The link posted makes it sound like they work together. However, both are separate settings. remember is simply the number of passwords kept in the opasswd file in /etc/security. With both options set, it has the side effect of setting the number of days before passwords can be reused.

Example:

Code:

PASS_MIN_DAYS=7
PASS_MAX_DAYS=60
remember=10

So with these 3 settings combined, the password can be reused after either 10*7=70 days if the passwords are reset every 7 days; however, if the person does not reset their password until the last day when they must change it, then you now have 60*10=600 days before they can reuse a password. None of the options is a combination of any other option; it is just the fact that, when working together, each separate function makes it seem like they are.

