LinuxQuestions.org > Linux - Security (forum for all security-related questions: tips, system compromises, firewalls, etc.)
password complexity

#1 | 09-13-2006, 09:52 AM | LQ Newbie (Registered: Sep 2006, Posts: 24)
Hi. I was told initially to make changes in the /etc/pam.d/system-auth config file for complexity (lcredit=-1, uccredit=1, lccredit=1 .....). This is not working on my system.
I have Fedora Core release 3 (Heidelberg), kernel 2.6.9-1.667 on i686.
Is there any other procedure to achieve complexity?
#2 | 09-13-2006, 10:37 AM | Moderator unSpawn (Registered: May 2001, Posts: 29,415)
Quote:
this is not working on my system.

- What were the errors?
- Did you try in debug mode?
- How did you test?
- What are the contents of your /etc/pam.d/system-auth?
#3 | 09-14-2006, 01:34 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Hi. These are the contents of my /etc/pam.d/system-auth config file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
I set the parameters minlen, dcredit, ucredit, lcredit, ocredit and difok to their values.
minlen is working fine, but when I created a new user and set the password as 'aaaaaa', it is being accepted. It should not, isn't it? Because the password:
* Must be at least 6 characters and at most 12 characters
* Must contain at least one lower case letter, one upper case letter, one digit and one special character
* Valid special characters are - @#$%^&+=
What do I do now?
#4 | 09-14-2006, 06:36 AM | Moderator unSpawn (Registered: May 2001, Posts: 29,415)
Quote:
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=-2

AFAIK the docs say nothing about using negative values, only integers.

Quote:
when i created a new user and set the password as 'aaaaaa', it is being accepted. it should not, isn't it?

Yes it should, since you're root.

Quote:
what do i do now?

This should work. Touch /etc/security/opasswd to enable remembering used passes. Now, if there's a possibility for them to hand you an initial password, you could set that; else set one yourself. Then expire the account, forcing them to set a new one on login. The cracklib settings should apply now.
#5 | 09-14-2006, 07:53 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Hi sir. Well, actually I'm not logging in as root but as the new user I created, and yet the password gets accepted in whichever fashion I give it.
Also, the file /etc/security/opasswd is empty on my system (no such thing as remembering used passes).
Finally, what values should I set, if not negative values, in /etc/pam.d/system-auth?
#6 | 09-14-2006, 08:35 AM | Moderator unSpawn (Registered: May 2001, Posts: 29,415)
Quote:
finally what values should i set, if not negative values, in /etc/pam.d/system-auth?

Try positive, whole values.
#7 | 09-15-2006, 01:20 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Hi sir. Thanks for your help so far. I've tried positive values as well; it still doesn't work. What to do next?
#8 | 09-17-2006, 07:19 AM | Member kingka (Registered: Aug 2003, Location: mechelen (belgium), Distribution: debian gnu/linux (sid), Posts: 99)
Quote:
Originally Posted by unSpawn
finally what values should i set, if not negative values, in /etc/pam.d/system-auth?
Try positive, whole values.
It should work with negative values:
dcredit=-1 - minimum one digit
ucredit=-1 - minimum one uppercase letter
lcredit=-1 - minimum one lowercase letter
ocredit=-1 - minimum one 'other' character
I am using Debian and added the following two lines to /etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5
I am not an expert on this, but have you looked in the /etc/pam.d directory for a file called passwd? The file /etc/pam.d/passwd should have the following line to include the rules in /etc/pam.d/common-password:
@include common-password
(or maybe in your case @include system-auth)
Kind regards,
kingka
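As an added illustration of the credit arithmetic described in the post above (this is not code from the thread or from pam_cracklib itself), the following Python model applies pam_cracklib's documented minlen and credit rules to a candidate password; the option names are pam_cracklib's, the function name and the two option sets are mine, and the dictionary, palindrome and difok checks are deliberately not modelled.

```python
# Added example (not code from the thread or from pam_cracklib): a Python
# model of the minlen/credit arithmetic pam_cracklib applies in its
# "simple password" check, so the settings discussed above can be tried
# offline. Dictionary, palindrome and difok checks are not modelled.

def cracklib_too_simple(password, minlen=9, dcredit=1, ucredit=1,
                        lcredit=1, ocredit=1):
    """Return (rejected, reason) for one password under the given options.

    Defaults are pam_cracklib's documented defaults (minlen=9, credits=1).
    credit >= 0 (credit mode): each character of that class lowers the
      required length by one, for at most `credit` characters per class.
    credit < 0  (minimum mode): the password must contain at least
      -credit characters of that class, and the class earns no credit.
    """
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1

    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            required -= min(counts[cls], credit)   # capped credit
        elif counts[cls] < -credit:
            return True, "needs at least %d %s character(s)" % (-credit, cls)
    if required > len(password):
        return True, "needs %d characters after credits, has %d" % (
            required, len(password))
    return False, "ok"


# The two option sets tried in the thread (minlen=6 from the poster's file).
NEGATIVE_CREDITS = dict(minlen=6, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)
POSITIVE_CREDITS = dict(minlen=6, dcredit=1, ucredit=1, lcredit=1, ocredit=1)

if __name__ == "__main__":
    for pw in ("aaaaaa", "Aa1@xy", "xxxxxxx"):
        for name, opts in (("negative", NEGATIVE_CREDITS),
                           ("positive", POSITIVE_CREDITS)):
            rejected, why = cracklib_too_simple(pw, **opts)
            print("%-8s %-8s %s (%s)" % (pw, name, "REJECT" if rejected else "accept", why))
```

Running it shows why "positive, whole values" cannot enforce the poster's policy: with credits of 1 and minlen=6, 'aaaaaa' passes the length test after earning one lowercase credit, whereas the negative credits reject it for lacking a digit.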
#9 | 09-18-2006, 01:34 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Hi sir. These are the contents of my /etc/pam.d/passwd file:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
As you can see, there is no @include system-auth.
What is to be done now?
Also, one more important thing, sir: in the config file /etc/pam.d/system-auth, it is mentioned in the beginning like this:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
Is it something to do with this? If so, what is to be done?
Any help would be greatly appreciated. Thank you.
#10 | 09-18-2006, 02:19 AM | Member kingka (Registered: Aug 2003, Location: mechelen (belgium), Distribution: debian gnu/linux (sid), Posts: 99)
Got this from Google: "Authconfig is a terminal mode program which can configure a workstation to use shadow passwords."
So I guess authconfig is only run when you install/upgrade the shadow suite.
My common-password file has only the 2 rules I told you about in my previous post, while your system-auth file has other things in it as well.
Maybe you should create a new file in /etc/pam.d (say common-password) and include that file in /etc/pam.d/passwd, or you can add the 2 rules directly in /etc/pam.d/passwd instead of using @include.
Ah, and your /etc/pam.d/passwd didn't say anything about being auto-generated? So it's probably your best option to use another config file, or passwd directly, and not system-auth.
Last edited by kingka; 09-18-2006 at 02:23 AM.
#11 | 09-18-2006, 03:49 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Hello sir. Thanks for your help so far. But I think you missed a statement there. I clearly mentioned in my previous post that there is this statement in /etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run
Also, what are the two rules you are talking about?
You only asked me to include @include system-auth in /etc/pam.d/passwd.
#12 | 09-18-2006, 04:11 AM | Member kingka (Registered: Aug 2003, Location: mechelen (belgium), Distribution: debian gnu/linux (sid), Posts: 99)
Enter these two lines in /etc/pam.d/passwd:
password required pam_cracklib.so retry=3 minlen=7 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
password required pam_unix.so use_authtok nullok md5
You shouldn't have '@include system-auth' in /etc/pam.d/passwd if you enter the rules in /etc/pam.d/passwd itself.
Reboot.
Change your password with passwd and see if it still accepts simple passwords.
#13 | 09-18-2006, 06:32 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
Still doesn't work, sir. I've done exactly as you told me to.
After rebooting I create a new user as 'user1' with a new password which is 'xxxxxxx', and it's getting accepted. It should not accept this password, isn't it? I am even able to log in with this new username and password.
What do I do now?
#14 | 09-18-2006, 07:03 AM | Member kingka (Registered: Aug 2003, Location: mechelen (belgium), Distribution: debian gnu/linux (sid), Posts: 99)
Log in as the user you have just created.
Enter passwd to change the user's password and see if you can still choose a simple password such as 'xxxxxx'.
Why do I ask you this?
By adding the rules to /etc/pam.d/passwd, the rules only apply to the passwd command, not to commands used to create new users (e.g. useradd).
#15 | 09-19-2006, 05:37 AM | LQ Newbie, Original Poster (Registered: Sep 2006, Posts: 24)
OK, it seems to me like it's working. Thanks very much for your help, sir.