Linux - Security
This forum is for all security related questions.
I had two questions concerning passwords. The distribution in this case is the CentOS 5.6 64-bit operating system.
1. Is there a way to establish a system-wide password aging policy? I know that chage can be used to manage user accounts on an individual basis, but is there a similar command available system-wide?
2. How can I establish a history of user passwords to prevent similar passwords being used so frequently?
Thanks.
For Point 1, you can have a list of user policies in a "for" loop. This would be easy in my opinion. Rather, you can also have the same password policies for UID >= 500.
There is no point having a system wide policy for all users (including system users).
For Point 2, you can use PAM to achieve this. This link may help you out, else come back with errors.
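The "for loop over users with UID >= 500" approach from the reply above, written out as an added example (not code from the thread). It assumes a passwd-format file as input and a DRY_RUN mode so it can be tried as a non-root user; the UID threshold, aging values and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply one password aging policy to every "human" account
# (UID >= 500 on CentOS 5) by looping over them with chage.

# select_users FILE MIN_UID
# Print login names from a passwd-format file whose UID >= MIN_UID and whose
# login shell is not nologin/false (skips system and service accounts).
select_users() {
  awk -F: -v min="$2" '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# apply_policy MIN_DAYS MAX_DAYS WARN_DAYS USER...
# Run chage for each user. With DRY_RUN=1 it only prints the commands,
# which is safe to try without root.
apply_policy() {
  min="$1"; max="$2"; warn="$3"; shift 3
  for u in "$@"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "chage -m $min -M $max -W $warn $u"
    else
      chage -m "$min" -M "$max" -W "$warn" "$u"
    fi
  done
}

# Constructed sample passwd file so the script runs stand-alone.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
backup:x:501:501::/var/backup:/sbin/nologin
bob:x:502:502::/home/bob:/bin/bash
EOF

# Dry run: min 7 days, max 60 days, warn 14 days before expiry.
DRY_RUN=1 apply_policy 7 60 14 $(select_users "$SAMPLE_PASSWD" 500)
rm -f "$SAMPLE_PASSWD"
```

Drop DRY_RUN=1 and point select_users at /etc/passwd to apply the policy for real (requires root).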
Are these the same lines with slightly different syntax?
Also, the article mentioned that the update-cracklib utility, for dictionary checks, is not available for RedHat-based distributions. I wanted to know if that was still true, and if so, would an application like John the Ripper be a viable alternative?
Sorry for the delay, I was keeping too busy with so many things around.
NO, these lines have two different meanings.
Take a look at the keywords required and sufficient.
When it is required -- The module result must be successful for authentication to continue.
and
when it is sufficient -- The module result is ignored if it fails.
Thus, if you want the user not to use previous password you can use code with required.
Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).
Once the change is made, do I need to restart the pam daemon in order for the change to go into effect?
Also, as far as the update-cracklib and john the ripper utilities are concerned, is the former available for the CentOS distro, and if not, will the latter be a good substitute?
Thanks.
No, a service restart is not required.
And I do not have much idea about update-cracklib and john the ripper utilities. I have not played with them.
By the way, I do not think you will feel the need to use those.
As far as I remember, the pam_cracklib module checks the password against dictionary words. You can use it with the required keyword. I think it should work.
About the password aging part of the question, the /etc/shadow file contains that information. All distros will have an option whether to expire passwords. Your distro may have a config setting for password strength and number of passwords to store, without having to edit the pam config yourself. Either a security config or under users & groups.
See the shadow (5) man page for password aging info.
Here, remember=12 means that passwords cannot be reused for at least 84 days (12*7 days).
The remember option is not based on days; it's based on the number of passwords to remember. Other options control the min and max number of days.
So if a user reset his password 13 times in a day, password number 1 and 13 can be the same. However, if he changed his password once every 30 days, then it would be 360 days before he could use the same password again.
The min and max days to reset a password are in /etc/login.defs.
The link posted makes it sound like they work together. However, both are separate settings. remember is simply the number of passwords kept in the opassword file in /etc/security. With both options set, it has the side effect of setting the length of days before passwords can be reused.
example.
PASS_MIN_DAYS=7
PASS_MAX_DAYS=60
remember=10
So with these 3 settings combined, the password can be reused after either 10*7=70 days if the passwords are reset every 7 days; however, if the person does not reset their password until the last day when they must change it, then you now have 60*10=600 days before they can reuse a password. None of the options is a combination of any other option; it is just the fact that, when working together, because of each separate function it makes it seem like they are.