LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-21-2011, 12:15 PM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Two password questions


Hi there --

I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.

1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?

2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?

Thanks.
 
Old 04-21-2011, 12:41 PM   #2
PrinceCruise
Member
 
Registered: Aug 2009
Location: /Universe/Earth/India/Pune
Distribution: Slackware64 14.1/Current, CentOS 6.5/7.0
Posts: 739

PAM can be used in this case.
 
Old 04-21-2011, 12:44 PM   #3
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian, OS X
Posts: 1,266

Quote: Originally posted by kaplan71
Hi there --

I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.

1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?

2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?


Thanks.
For Point 1, you can have a list of user policies in a "for" loop. This would be easy in my opinion. Alternatively, you can also have the same password policies for UID >= 500.
There is no point having a system-wide policy for all users (including system users).

For Point 2, you can use PAM to achieve this. This link may help you out; otherwise come back with errors.
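As an added example (not code posted by anyone in this thread), the per-user loop vikas027 describes, written as a shell function that reads PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE from a login.defs-style file and applies them with chage to every account with UID >= 500; the login.defs and passwd contents below are constructed samples, and the file-path arguments and dry-run flag are this example's own.

```shell
# Added example, not code from the thread: apply the PASS_* aging values
# from a login.defs-style file to every account with UID >= 500 with
# chage, as vikas027's "for" loop suggestion would. Paths are arguments so
# the function can be exercised on constructed samples; on a real host
# they would be /etc/login.defs and /etc/passwd (run as root).
#
# Usage: apply_aging LOGIN_DEFS PASSWD [dry]
#   A third argument prints the chage commands instead of running them.
apply_aging() {
    defs=$1 passwd=$2 dry=$3
    # First field is the key; commented lines never match because their
    # $1 is "#PASS_MAX_DAYS" or "#".
    max=$(awk '$1 == "PASS_MAX_DAYS" {print $2}' "$defs")
    min=$(awk '$1 == "PASS_MIN_DAYS" {print $2}' "$defs")
    warn=$(awk '$1 == "PASS_WARN_AGE" {print $2}' "$defs")
    [ -n "$max" ] && [ -n "$min" ] && [ -n "$warn" ] || return 1
    # Regular users only: UID >= 500 on CentOS 5, minus nfsnobody.
    awk -F: '$3 >= 500 && $1 != "nfsnobody" {print $1}' "$passwd" |
    while IFS= read -r user; do
        if [ -n "$dry" ]; then
            printf 'chage -M %s -m %s -W %s %s\n' "$max" "$min" "$warn" "$user"
        else
            chage -M "$max" -m "$min" -W "$warn" "$user"
        fi
    done
}

# Constructed sample inputs (not real system files) so this runs unprivileged.
SAMPLE_DEFS=$(mktemp); SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_DEFS" <<'EOF'
# constructed login.defs fragment using the values quoted in the thread
PASS_MAX_DAYS 60
PASS_MIN_DAYS 10
PASS_MIN_LEN 15
PASS_WARN_AGE 7
EOF
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

apply_aging "$SAMPLE_DEFS" "$SAMPLE_PASSWD" dry
```

Drop the third argument to actually run chage; PASS_MIN_LEN is read by neither chage nor this function, since length checks belong to the PAM stack.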
 
Old 04-21-2011, 01:10 PM   #4
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Original Poster
Hi there --

Thanks for your reply. I read the article you suggested, and I had several follow-up questions:

The article made mention of adding the remember=x to the pam_unix line of the system-auth file. The article references the line syntax shown below:

Code:
password required pam_unix.so md5 remember=12 use_authtok
The system that I am working on has a line similar to the above:

Code:
password sufficient pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Are these the same lines with slightly different syntax?

Also, the article mentioned that the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that is still true, and if so, whether an application like John the Ripper would be a viable alternative?
 
Old 04-22-2011, 06:02 PM   #5
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian, OS X
Posts: 1,266

password required pam_unix.so md5 remember=12 use_authtok

Quote: Originally posted by kaplan71
Hi there --

Thanks for your reply. I read the article you suggested, and I had several follow-up questions:

The article made mention of adding the remember=x to the pam_unix line of the system-auth file. The article references the line syntax shown below:

Code:
password required pam_unix.so md5 remember=12 use_authtok
The system that I am working on has a line similar to the above:

Code:
password sufficient pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Are these the same lines with slightly different syntax?

Also, the article mentioned that the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that is still true, and if so, whether an application like John the Ripper would be a viable alternative?
Sorry for the delay, I was kept too busy with so many things going on.

No, these lines have two different meanings.

Take a look at the keywords required and sufficient.

When it is required -- the module result must be successful for authentication to continue.
and
when it is sufficient -- the module result is ignored if it fails.

Thus, if you want the user not to use previous passwords, you can use the line with required.

Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).

Hope, this helps.
 
Old 04-22-2011, 06:17 PM   #6
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Original Poster
Hi there --

Thanks for the follow-up, and you have my sympathy about being busy...been there done that. ;-)

Anyway, I modified the line in question so it reads as follows:

Code:
password    required      pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Once the change is made, do I need to restart the pam daemon in order for the change to go into effect?
Also, as far as the update-cracklib and John the Ripper utilities are concerned, is the former available for the CentOS distro, and if not, will the latter be a good substitute?

Thanks.
 
Old 04-22-2011, 07:18 PM   #7
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian, OS X
Posts: 1,266


Quote: Originally posted by kaplan71
Hi there --

Thanks for the follow-up, and you have my sympathy about being busy...been there done that. ;-)

Anyway, I modified the line in question so it reads as follows:

Code:
password    required      pam_unix.so md5 remember=12 shadow nullok try_first_pass use_authtok
Once the change is made, do I need to restart the pam daemon in order for the change to go into effect?
Also, as far as the update-cracklib and John the Ripper utilities are concerned, is the former available for the CentOS distro, and if not, will the latter be a good substitute?

Thanks.
No, a service restart is not required.

And I do not have much idea about the update-cracklib and John the Ripper utilities. I have not played with them.

By the way, I do not think you will feel the need to use those.

As far as I remember, the pam_cracklib module checks the password against dictionary words. You can use it with the required keyword. I think it should work.

Keeping my fingers crossed.
 
Old 04-22-2011, 07:38 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

About the password aging part of the question, the /etc/shadow file contains that information. All distros will have an option whether to expire passwords. Your distro may have a config setting for password strength and the number of passwords to store, without having to edit the PAM config yourself, either in a security config or under Users & Groups.

See the shadow (5) man page for password aging info.
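As an added example (not from jschiwal or anyone else in the thread), a shell function that reads shadow(5)-format records and reports each account's password-aging state from the last-change, max-days and warning fields; the shadow lines, the fake hashes and the fixed "today" day count are constructed for the demonstration.

```shell
# Added example, not code from the thread: report each account's aging
# state from shadow(5)-format records, the information jschiwal points to.
# Fields: 2 = hash, 3 = days since 1970-01-01 of the last change,
# 4 = min days, 5 = max days, 6 = warning days (PASS_MIN_DAYS, PASS_MAX_DAYS
# and PASS_WARN_AGE as applied by chage). "Today" is passed in as a day
# count so the output is reproducible; live: $(( $(date +%s) / 86400 )).
#
# Usage: shadow_aging_report SHADOW_FILE TODAY_DAYS
shadow_aging_report() {
    awk -F: -v today="$2" '
        # A hash starting with ! or * means the account is locked.
        $2 ~ /^[!*]/        { printf "%s: locked\n", $1; next }
        # Empty or 99999 max days: aging is effectively disabled.
        $5 == "" || $5 >= 99999 { printf "%s: never expires\n", $1; next }
        # Last change of 0 forces a change at the next login.
        $3 == 0             { printf "%s: must change at next login\n", $1; next }
        {
            left = $3 + $5 - today
            if (left < 0)
                printf "%s: expired %d days ago\n", $1, -left
            else if ($6 != "" && left <= $6)
                printf "%s: expires in %d days (inside warning period)\n", $1, left
            else
                printf "%s: expires in %d days\n", $1, left
        }' "$1"
}

# Constructed shadow records (fake hashes, not from any real system).
SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$1$fakesalt$fakehash:14000:0:99999:7:::
svc:!!:14000:0:99999:7:::
alice:$1$fakesalt$fakehash:14950:10:60:7:::
bob:$1$fakesalt$fakehash:14900:10:60:7:::
carol:$1$fakesalt$fakehash:14945:10:60:7:::
dave:$1$fakesalt$fakehash:0:10:60:7:::
EOF

shadow_aging_report "$SAMPLE_SHADOW" 15000
```

Against the real file this needs root to read /etc/shadow; the "today" argument is the only thing that differs from a live run.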
 
Old 04-23-2011, 02:20 PM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Quote: Originally posted by vikas027

Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).
The remember option is not based on days. It is based on the number of passwords to remember; other options control the min and max number of days.

So if a user reset his password 13 times in a day, password number 1 and 13 can be the same. However, if he changed his password once every 30 days, then it would be 360 days before he could use the same password again.

The min and max days to reset a password are in /etc/login.defs:

PASS_MAX_DAYS 60
PASS_MIN_DAYS 10
PASS_MIN_LEN 15
PASS_WARN_AGE 7

Last edited by slimm609; 04-23-2011 at 02:24 PM.
 
Old 04-23-2011, 07:16 PM   #10
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Debian, OS X
Posts: 1,266

Quote: Originally posted by slimm609
The remember option is not based on days. It is based on the number of passwords to remember; other options control the min and max number of days.
The "remember" field is a combination of both the number of passwords and the "PASS_MIN_DAYS" field in /etc/login.defs.

I forgot to explain this to the OP. Thanks for finding it.

See this link for your and the OP's reference.
 
Old 04-23-2011, 09:45 PM   #11
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Quote: Originally posted by vikas027
The "remember" field is a combination of both the number of passwords and the "PASS_MIN_DAYS" field in /etc/login.defs.

I forgot to explain this to the OP. Thanks for finding it.

See this link for your and the OP's reference.
The link posted makes it sound like they work together. However, both are separate settings. remember is simply the number of passwords kept in the opasswd file in /etc/security. With both options set it has the side effect of setting the number of days before passwords can be reused.

Example:

PASS_MIN_DAYS=7
PASS_MAX_DAYS=60

remember=10

So with these 3 settings combined, the password can be reused after either 10*7=70 days if the passwords are reset every 7 days; however, if the person does not reset their password until the last day when they must change it, then you now have 60*10=600 days before they can reuse a password. None of the options is a combination of any other option; it is just the fact that, when they work together because of each one's separate function, it makes it seem like they are.
 
  


Tags: pam, password