LinuxQuestions.org


mkono 06-11-2008 10:15 AM

Securing Passwords
 
Hi All,

I'd like to give you an example of what I am trying to achieve and perhaps you might be able to help me along.

I would like to add the following criteria to new servers, from a password aging and lockout standpoint.

- Number of failed logins before lockout: 5
- Number of passwords before reuse: 12
- Password max age: 6
- Password min. length: 6
- Password min. other characters: 1

I know I can use the chage command to set most of these changes on a single user basis. Is there a way to set these globally for users?

Thanks,
mkono

zQUEz 06-12-2008 06:38 AM

I use pam to achieve most of what you have asked for as follows:
file: /etc/pam.d/system-auth

The account section:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so

(that is 3 lines with no wrapping)
"minlen=8" --> 8 characters minimum (you can change as needed)
"remember=12" --> remembers the last 12 passwords and they can't be reused
"lcredit=-1" --> sets minimum number of lower characters to 1
"ucredit=-1" --> sets minimum numbers of upper characters to 1
"dcredit=-1" --> sets minimum number of digits to 1

file: /etc/login.defs
PASS_MAX_DAYS 120
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7

These are self-explanatory, though the "PASS_MIN_LEN" is superseded by the "minlen" in system-auth above. Also, making these changes won't affect existing users in terms of password expiry as their /etc/shadow entries have already been set. I believe if you made these changes, then forced users to reset their passwords, then they would fall under these restrictions - you would have to test this.

This is all on a Red Hat/Fedora based system but I gather pam is standard across the board.

I don't have the "lock accounts after failed logins", but this post appears to have the answer on that: http://www.linuxquestions.org/questi...-rhel5-624257/

mkono 06-12-2008 10:27 AM

zQUEz,
Many thanks for the response. Sounds pretty straightforward. I do have a quick question. I navigate to my /etc/pam.d directory and find a TON of different files; do I have to be concerned with any of those other files or just the system-auth file?
Here is a copy of my current system-auth file; any ideas as to where and how to configure this to incorporate your suggested settings?

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

Quote:

Originally Posted by zQUEz (Post 3182458)

zQUEz 06-13-2008 05:18 AM

With regards to the other files listed in /etc/pam.d, no you don't have to modify for this objective, though, PAM is a great tool, so at some stage you might want to troll through the doco. where you can find out what other changes to other files you can make. By the way, I don't think much of the man pages for PAM, but the usr doco under /usr/share/doc/pam-{version} is really good and detailed.

In your system-auth file, you see the three lines beginning with "password" ... those are the lines to modify. My example has a complete path to the reference pam files (e.g. /lib/security/$ISA/pam_cracklib.so) vs. your file that just has the filename (e.g. pam_cracklib.so). That shouldn't matter and I would stick with the format you have. So basically, you would only modify the 1st two "password" lines by tacking on the end of them the variables you need.

example: your first line: password requisite pam_cracklib.so try_first_pass retry=3
you might change to:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1

All you are doing is adding parameters to what must be true for it to succeed.
Also, a note of caution that I wish now I had put in my first reply: make sure you have a separate logged-in root session at all times. When you make the change, it won't affect people already logged in, only new people who log in. Once you make any PAM changes, test that you can still log in on another session. Test as a regular user, test as root (if you allow root logins) and test su and sudo if you use those. If they don't work, use your root session to put the PAM file back to how it was and start again.
You can easily make it impossible to login to your system if you don't get the PAM syntax correct. If you get into this situation, reboot the box into single user mode and replace your system-auth with the backup you no doubt made before tinkering with it. :-)
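As an added example (not code from the thread), a small Python audit that parses the "password" stack of a system-auth file plus a login.defs fragment and reports which of the criteria from this thread are not met, so the edit can be checked from a second session before anyone logs out. The sample files are constructed from zQUEz's suggested lines; the thresholds and the rule that all four pam_cracklib character classes must carry a negative credit are my assumptions.

```python
# Constructed sample: the "password" lines of /etc/pam.d/system-auth after
# the edit suggested above (not copied from a real host).
SYSTEM_AUTH = """\
#%PAM-1.0
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=12
password required pam_deny.so
"""

# Constructed /etc/login.defs fragment with the values from the thread.
LOGIN_DEFS = """\
PASS_MAX_DAYS 120
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
"""

def parse_pam(text):
    """Map module name -> {arg: value} for 'password' lines, ignoring comments."""
    mods = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "password":
            continue
        module = fields[2].rsplit("/", 1)[-1]  # /lib/security/$ISA/x.so -> x.so
        mods[module] = dict(tok.partition("=")[::2] for tok in fields[3:])
    return mods

def parse_login_defs(text):
    """Map KEY -> value for non-comment lines of login.defs."""
    defs = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and not fields[0].startswith("#"):
            defs[fields[0]] = fields[1].strip()
    return defs

def audit(pam_text, defs_text, want_len=6, want_remember=12, want_max_days=180):
    """Return a list of findings; an empty list means the policy is met (thresholds assumed)."""
    pam, defs, findings = parse_pam(pam_text), parse_login_defs(defs_text), []
    crack = pam.get("pam_cracklib.so", {})
    # A negative credit makes that class mandatory and stops it counting
    # towards minlen, so minlen then behaves as a plain length floor.
    if int(crack.get("minlen", 0)) < want_len:
        findings.append(f"minlen below {want_len} (or pam_cracklib.so missing)")
    for cls in ("lcredit", "ucredit", "dcredit", "ocredit"):
        if int(crack.get(cls, 1)) >= 0:  # pam_cracklib's default credit is 1
            findings.append(f"{cls} not negative: that character class is optional")
    remember = int(pam.get("pam_unix.so", {}).get("remember", 0))
    if remember < want_remember:
        findings.append(f"pam_unix.so remember={remember}, want {want_remember}")
    if int(defs.get("PASS_MAX_DAYS", 99999)) > want_max_days:
        findings.append(f"PASS_MAX_DAYS above {want_max_days}")
    return findings

if __name__ == "__main__":
    for finding in audit(SYSTEM_AUTH, LOGIN_DEFS):
        print(finding)
```

On the sample above the only finding is the missing ocredit=-1, which is exactly the "other characters" item from the original question that the suggested lines do not cover.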

mkono 06-13-2008 08:35 AM

zQUEz,
Great stuff man, many thanks for all the assistance! I actually decided to make the changes on a test box first ;)

Your instructions were precise and thorough, probably the best assistance I have received on this site. I have not had any problems logging into the test box since making the changes, and I have successfully logged in as both root and a typical user.

Take a peek at my gateway issue if you can; you sound like you know what you're talking about and I have yet to receive any helpful results from my post... Would appreciate any assistance you might be able to lend on that issue.

56 views and not one response yet...

Title is "Gateway"

Thanks again zQUEz, much respect.

Quote:

Originally Posted by zQUEz (Post 3183480)

BSTU.UOK 06-17-2008 06:13 PM

great...............

akvino 06-20-2008 12:30 PM

Quote:

Originally Posted by zQUEz (Post 3183480)

I got to tell you - very good reply. I actually learned something just by reading it...

Keep it up man!
