LinuxQuestions.org
Old 06-11-2008, 11:15 AM   #1
mkono
Member
 
Registered: May 2008
Posts: 50

Rep: Reputation: 16
Securing Passwords


Hi All,

I'd like to give you an example of what I am trying to achieve and perhaps you might be able to help me along.

I would like to add the following criteria to new servers, from a password aging and lockout standpoint.

-Number of failed logins before lockout: = 5
-Number of Passwords before reuse: = 12
-Password MAX age: = 6
-Password Min. Length: = 6
-Password Min. Other Characters: = 1

I know I can use the chage command to set most of these changes on a single user basis. Is there a way to set these globally for users?

Thanks,
mkono
 
Old 06-12-2008, 07:38 AM   #2
zQUEz
Member
 
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294

Rep: Reputation: 54
I use pam to achieve most of what you have asked for as follows:
file: /etc/pam.d/system-auth

The account section:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so

(that is 3 lines with no wrapping)
"minlen=8" --> 8 characters minimum (you can change as needed)
"remember=12" --> remembers the last 12 passwords and they can't be reused
"lcredit=-1" --> sets minimum number of lower characters to 1
"ucredit=-1" --> sets minimum numbers of upper characters to 1
"dcredit=-1" --> sets minimum number of digits to 1

file: /etc/login.defs
PASS_MAX_DAYS 120
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7

These are self-explanatory, though the "PASS_MIN_LEN" is superseded by the "minlen" in system-auth above. Also, making these changes won't affect existing users in terms of password expiry as their /etc/shadow entries have already been set. I believe if you made these changes, then forced users to reset their passwords, then they would fall under these restrictions - you would have to test this.

This is all on a Red Hat/Fedora based system but I gather pam is standard across the board.

I don't have the "lock accounts after failed logins", but this post appears to have the answer on that: http://www.linuxquestions.org/questi...-rhel5-624257/

Last edited by zQUEz; 06-12-2008 at 07:44 AM.
 
Old 06-12-2008, 11:27 AM   #3
mkono
Member
 
Registered: May 2008
Posts: 50

Original Poster
Rep: Reputation: 16
zQUEz,
Many thanks for the response. Sounds pretty straightforward. I do have a quick question. I navigate to my /etc/pam.d directory and find a TON of different files; do I have to be concerned with any of those other files or just the system-auth file?
Here is a copy of my current system-auth file; any ideas as to where and how to configure this to incorporate your suggested settings?

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so





 
Old 06-13-2008, 06:18 AM   #4
zQUEz
Member
 
Registered: Jun 2007
Distribution: Fedora, RHEL, Centos
Posts: 294

Rep: Reputation: 54
With regards to the other files listed in /etc/pam.d, no, you don't have to modify them for this objective, though PAM is a great tool, so at some stage you might want to troll through the doco, where you can find out what other changes to other files you can make. By the way, I don't think much of the man pages for PAM, but the usr doco under /usr/share/doc/pam-{version} is really good and detailed.

In your system-auth file, you see the three lines beginning with "password" ... those are the lines to modify. My example has a complete path to the referenced pam files (e.g. /lib/security/$ISA/pam_cracklib.so) vs. your file that just has the filename (e.g. pam_cracklib.so). That shouldn't matter and I would stick with the format you have. So basically, you would only modify the 1st two "password" lines by tacking on the end of them the variables you need.

example: your first line: password requisite pam_cracklib.so try_first_pass retry=3
you might change to:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1

All you are doing is adding parameters to what must be true for it to succeed.
Also, a note of caution that I wish now I had put in my first reply: make sure you have a separate logged-in root session at all times. When you make the change, it won't affect people already logged in, only new people logging in. Once you make any PAM changes, test that you can still login on another session. Test as a regular user, test as root (if you allow root logins) and test su and sudo if you use those. If they don't work, use your root session to put the PAM file back to how it was and start again.
You can easily make it impossible to login to your system if you don't get the PAM syntax correct. If you get into this situation, reboot the box into single user mode and replace your system-auth with the backup you no doubt made before tinkering with it. :-)
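A helper script, added here and not from any of the posts above, that does what posts #2 and #4 describe on whatever file it is pointed at: it takes a backup first, appends the pam_cracklib and pam_unix parameters to the two "password" lines only where they are missing (so it can be rerun safely), and then checks the result. The function names, BACKUP_DIR and the scratch copy of the post #3 password stack are my own; it assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the thread). Works on the path it is given, so run
# it on a scratch copy before pointing it at /etc/pam.d/system-auth.
CRACKLIB_OPTS="minlen=8 lcredit=-1 ucredit=-1 dcredit=-1"   # pam_cracklib line
UNIX_OPTS="remember=12"                                     # pam_unix line

# has_opt FILE CONTROL MODULE OPTION: 0 if the matching "password" line
# already carries OPTION as a whole token (so reruns never duplicate it).
has_opt() {
    grep -Eq "^password[[:space:]]+$2[[:space:]]+.*$3\.so.*[[:space:]]$4([[:space:]]|\$)" "$1"
}

# 0 only when every required option sits on the right line of FILE.
check_pam_password_stack() {
    for opt in $CRACKLIB_OPTS; do
        has_opt "$1" requisite pam_cracklib "$opt" || return 1
    done
    has_opt "$1" sufficient pam_unix "$UNIX_OPTS"
}

# Back up FILE into BACKUP_DIR (default /root, kept out of /etc/pam.d so PAM
# never sees the copy as a service), append only the missing options, re-check.
harden_pam_password_stack() {
    f=$1
    cp -p "$f" "${BACKUP_DIR:-/root}/$(basename "$f").bak-$(date +%Y%m%d%H%M%S)" || return 1
    for opt in $CRACKLIB_OPTS; do
        has_opt "$f" requisite pam_cracklib "$opt" ||
            sed -i -E "s/^(password[[:space:]]+requisite[[:space:]]+.*pam_cracklib\.so.*)\$/\1 $opt/" "$f"
    done
    has_opt "$f" sufficient pam_unix "$UNIX_OPTS" ||
        sed -i -E "s/^(password[[:space:]]+sufficient[[:space:]]+.*pam_unix\.so.*)\$/\1 $UNIX_OPTS/" "$f"
    check_pam_password_stack "$f"
}

# Dry run on a constructed copy of the three password lines from post #3:
# must fail the check before, pass after, and stay unchanged on a second run.
demo_on_scratch_copy() {
    d=$(mktemp -d) || return 1
    BACKUP_DIR=$d
    cat > "$d/system-auth" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    check_pam_password_stack "$d/system-auth" && return 1
    harden_pam_password_stack "$d/system-auth" || return 1
    harden_pam_password_stack "$d/system-auth" || return 1
    grep -c 'remember=12' "$d/system-auth" | grep -qx 1 && grep '^password' "$d/system-auth"
}
demo_on_scratch_copy
```

After the real file is changed, follow post #4's advice and log in on a fresh session (regular user, root, su, sudo) while the original root session stays open.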
 
Old 06-13-2008, 09:35 AM   #5
mkono
Member
 
Registered: May 2008
Posts: 50

Original Poster
Rep: Reputation: 16
zQUEz,
Great stuff man, many thanks for all the assistance! I actually decided to make the changes on a test box first.

Your instructions were precise and thorough, probably the best assistance I have received on this site. I have not had any problems logging into the test box since making the changes, and I have successfully logged in as both root and a typical user.

Take a peek at my gateway issue if you can; you sound like you know what you're talking about and I have yet to receive any helpful results from my post... Would appreciate any assistance you might be able to lend on that issue.

56 views and not one response yet...

Title is "Gateway"

Thanks again zQUEz, much respect.

 
Old 06-17-2008, 07:13 PM   #6
BSTU.UOK
LQ Newbie
 
Registered: Jun 2008
Location: Syria
Distribution: Debian,Red hat,openSUSE 11
Posts: 8

Rep: Reputation: 0
great...............
 
Old 06-20-2008, 01:30 PM   #7
akvino
Member
 
Registered: May 2007
Posts: 31

Rep: Reputation: 15
I got to tell you - very good reply. I actually learned something just by reading it...

Keep it up man!
 
  

