LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-02-2005, 02:02 PM   #1
scottjwoodford
LQ Newbie
 
Registered: Jun 2005
Posts: 27

Rep: Reputation: 15
Linux Password Controls


I'm having an issue with password controls. I'd like to avoid installing additional PAMs if I can. I'd like to use RedHat's built-in functionality for applying some control on passwords. Please keep in mind that I'm an extreme newbie, so I tend to need more explaining.

Systems: RedHat 8.0 & RedHat 9.0

Here's what I have done so far. I have created a user with the following:

Username: "scott"
Password: "pass123456$"

I want the user to log on to the system for the first time using a password I supply to him (in this case "pass123456$"), and be forced to change that password by the system. I want the system to force the user's password to be:

1 - 11 chars in length, or longer
2 - Contain 1 number
3 - Contain 1 special char like "$"

I also want all future password changes that the user invokes, or that the system forces, to follow those rules. So far, I've edited the file "/etc/pam.d/system-auth" to show the following:

***************************************
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=11 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
****************************************

I've also tried several variations of this, such as "minlen=10 dcredit=1 ocredit=1".

I have tried running the following commands to force a change at initial login:

usermod -L scott
chage -d 0 scott
usermod -p "" scott

The commands above DO force the user to change his/her pass at first login, but they remove the password I previously set and don't require an initial password. This is NOT what I want. I want the user to have to enter the password that I give him, THEN be forced to change it.

More importantly, the password rules I set in "/etc/pam.d/system-auth" do not apply. User "scott" can successfully change his/her password to "helloworld" when he logs on, which shouldn't be the case.

Last, but not least, I would love to know how to get the user's account locked out for a period of 15 minutes after 3 consecutive, unsuccessful logons.

Any help you can provide would be greatly appreciated. Thanks!

Scott
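
Added example (not part of the original post): a Python model of how the minlen and *credit options on the pam_cracklib line above combine. It covers only the length/credit stage (no dictionary, palindrome or old-password checks); the defaults (minlen=9, each credit 1) are taken from the pam_cracklib documentation, and the function names and the second sample line are constructed for this sketch.

```python
# Added illustration: models only pam_cracklib's length/credit rule.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

def parse_options(pam_line):
    """Pull the integer key=value options we model out of a PAM line."""
    opts = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:          # ignores retry=, module path, etc.
            opts[key] = int(value)
    return opts

def check(password, opts):
    """Return (accepted, reason) for the length/credit rule."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    required = opts["minlen"]
    for name, seen in counts.items():
        credit = opts[name]
        if credit < 0:
            # Negative credit: a hard minimum count for that character class.
            if seen < -credit:
                return False, f"{name}={credit}: needs at least {-credit}"
        else:
            # Positive credit: each such char (up to the credit) shortens minlen.
            required -= min(seen, credit)
    if len(password) < required:
        return False, f"length {len(password)} < effective minimum {required}"
    return True, f"length {len(password)} >= effective minimum {required}"

# Line as posted, and a constructed line for the variation the post mentions.
STRICT = ("password required /lib/security/$ISA/pam_cracklib.so "
          "retry=3 minlen=11 dcredit=-1 ocredit=-1")
LOOSE = ("password required /lib/security/$ISA/pam_cracklib.so "
         "retry=3 minlen=10 dcredit=1 ocredit=1")

if __name__ == "__main__":
    for label, line in (("strict", STRICT), ("loose", LOOSE)):
        for pw in ("helloworld", "pass123456$", "pass12345$"):
            print(label, repr(pw), check(pw, parse_options(line)))
```

In this model the posted options reject "helloworld" for lacking a digit, while the minlen=10 dcredit=1 ocredit=1 variation accepts it, because positive credits lower the effective minimum length instead of requiring a character class. The default lcredit=1 also lets a 10-character password through minlen=11, so a hard 11-character floor needs the remaining positive credits set to 0.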
 
Old 06-03-2005, 01:38 AM   #2
cyrilrip
LQ Newbie
 
Registered: May 2005
Distribution: fedora core 2
Posts: 3

Rep: Reputation: 0
Hello Scott,

I can't answer all your questions, only the one about the account lockout feature. For that, you need to stack the pam_tally module: see http://www.kernel.org/pub/linux/libs...-6.html#ss6.24

Hope this helps!
 
Old 06-03-2005, 10:52 AM   #3
scottjwoodford
LQ Newbie
 
Registered: Jun 2005
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks Cyril.
 
  

