LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-10-2010, 11:02 PM   #1
cj_cheema
Member
 
problems with pam password complexity


Quote:
Originally Posted by jayemef
There is a config file you can edit for this. In most RedHat systems it is located at /etc/pam.d/system-auth. Being in Ubuntu at the moment, I can tell you it is at /etc/pam.d/common-password. Once you open the file, you should see a line that begins with the words password required. Here, you should hopefully see a min= or minlen= variable. Set it to the length you prefer.
Hi

I have configured the same system-auth file which resides in /etc/pam.d/

I am able to get these password policies:
a. the password cannot be dictionary-based or reverse-dictionary-based
b. the password cannot be less than 8 characters
c. the password cannot be repeated
d. it remembers the 12 previous passwords in the history

But when I tried to check complexity, the pam password complexity setting didn't work. I have edited a line in system-auth: "password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=0"

When I set a password based on my mobile number for testing, it accepted that password. Ideally, if I have configured the above settings in system-auth, the numeric password should not be accepted; it should ask the user to use an alphanumeric password that is not dictionary-based.

Please suggest.
Regards,
CJ



// cj_cheema, I've moved your post to its own thread. Please let dead threads rest in peace. --win32sux

Last edited by win32sux; 05-11-2010 at 12:07 AM. Reason: Added note about necroposting.
 
Old 05-11-2010, 08:38 AM   #2
slimm609
Member
 
***THIS WILL NOT WORK FOR ROOT PASSWORD OR IF ROOT CHANGES THE PASSWORD OF ANOTHER USER***

Code:
password    required      pam_cracklib.so try_first_pass retry=3 minlen=14 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
For the credits, N can be a positive or negative number:

(N >= 0): this is the maximum credit for having characters of that class in the new password
(N < 0): this is the minimum number of characters of that class that must be present in the new password


difok=6: how many characters may be the same in the new password relative to the old one. The user will see the error: BAD PASSWORD: is too similar to the old one

dcredit=N : digit characters
ucredit=N : uppercase characters
lcredit=N : lowercase characters
ocredit=N : other characters

Last edited by slimm609; 05-11-2010 at 08:56 AM.
 
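As an added illustration, not part of slimm609's post or of pam_cracklib's source, the following Python model applies the credit rule described above to the two system-auth lines quoted in this thread. It shows why the first configuration (minlen=8, positive credits) accepts an all-digit "mobile number" password while the second (minlen=14, negative credits) rejects it; the sample passwords are constructed, and the dictionary and difok checks are not modelled.

```python
"""Model of the pam_cracklib credit rule described in the post above.

Added example, not pam_cracklib's own code. Rule as stated in the post:
N >= 0: up to N characters of that class each add one to the effective
length; N < 0: at least -N characters of that class are required.
"""

# The two configurations quoted in this thread, as keyword dictionaries.
CJ_CONFIG = dict(minlen=8, lcredit=1, ucredit=1, dcredit=1, ocredit=0)
SLIMM_CONFIG = dict(minlen=14, lcredit=-2, ucredit=-2, dcredit=-2, ocredit=-2)

CLASS_NAMES = {"lcredit": "lowercase", "ucredit": "uppercase",
               "dcredit": "digit", "ocredit": "other"}


def classify(password):
    """Count characters per cracklib class (lower, upper, digit, other)."""
    counts = dict.fromkeys(CLASS_NAMES, 0)
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_credits(password, minlen, **credits):
    """Return (accepted, reason) for one password under one configuration."""
    counts = classify(password)
    effective_len = len(password)
    for cls, n in credits.items():
        have = counts[cls]
        if n < 0 and have < -n:   # negative credit: hard minimum per class
            return False, "needs at least %d %s characters" % (-n, CLASS_NAMES[cls])
        if n >= 0:                # positive credit: bonus length, capped at N
            effective_len += min(have, n)
    if effective_len < minlen:
        return False, "effective length %d below minlen %d" % (effective_len, minlen)
    return True, "accepted"


if __name__ == "__main__":
    # Constructed samples: a phone-number password, a weak mixed one, a strong one.
    for pw in ("9876543210", "Passw0rd", "Str0ng!Pa55w0rd#1"):
        print("%-20s cj: %-40s slimm: %s" % (pw, check_credits(pw, **CJ_CONFIG)[1],
                                              check_credits(pw, **SLIMM_CONFIG)[1]))
```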
Old 05-11-2010, 08:52 AM   #3
slimm609
Member
 
Trying to keep the info separate so it doesn't get confusing.

If you want to make sure root follows the same password requirements as everyone else:

Here is the updated pam for RHEL or CentOS 5.4 to make sure root plays nice.


32 bit http://oss.tresys.com/projects/clip/...2-6.1.i386.rpm

64 bit http://oss.tresys.com/projects/clip/...6.1.x86_64.rpm

source rpm http://oss.tresys.com/projects/clip/....2-6.1.src.rpm


the line in system-auth changes from
Code:
password required pam_cracklib.so try_first_pass retry=3 minlen=14 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2
to
Code:
password required pam_cracklib.so try_first_pass retry=3 minlen=14 difok=3 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2 enforce_root
And here is the pam patch for 0.99.6.2. Please make sure you understand what you are doing before trying to patch pam.
Code:
diff -ur ~/modules/pam_cracklib/pam_cracklib.c ./modules/pam_cracklib/pam_cracklib.c
--- ~/modules/pam_cracklib/pam_cracklib.c	2008-07-23 12:28:12.000000000 -0400
+++ ./modules/pam_cracklib/pam_cracklib.c	2008-07-24 06:25:30.000000000 -0400
@@ -96,6 +96,7 @@
 	int try_first_pass;
 	char prompt_type[BUFSIZ];
         char cracklib_dictpath[PATH_MAX];
+	int enforce_root;
 };
 
 #define CO_RETRY_TIMES  1
@@ -108,6 +109,7 @@
 #define CO_LOW_CREDIT   1
 #define CO_OTH_CREDIT   1
 #define CO_USE_AUTHTOK  0
+#define CO_ENFORCE_ROOT 0
 
 static int
 _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
@@ -166,6 +168,8 @@
 	 } else if (!strncmp(*argv,"dictpath=",9)) {
 	     strncpy(opt->cracklib_dictpath, *argv+9,
 		     sizeof(opt->cracklib_dictpath) - 1);
+	 } else if (!strncmp(*argv,"enforce_root",12)) {
+		  opt->enforce_root = 1;
 	 } else {
 	     pam_syslog(pamh,LOG_ERR,"pam_parse: unknown option; %s",*argv);
 	 }
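Review bot: `!strncmp(*argv,"enforce_root",12)` is a prefix match, so any argument that merely begins with `enforce_root` (for example a mistyped `enforce_root=1`) silently enables the option instead of reaching the `pam_parse: unknown option` error in the `else` branch; for a bare flag with no value, `!strcmp(*argv,"enforce_root")` is the right test (the `strncmp` form is appropriate for `dictpath=` only because that option carries a value). The added `opt->enforce_root = 1;` line is also indented with a tab plus spaces, unlike the surrounding lines, and the new option gets no man-page or README entry anywhere in this patch.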
@@ -521,6 +525,7 @@
     strcpy(options.prompt_type,"UNIX");
     memset(options.cracklib_dictpath, 0,
 	   sizeof (options.cracklib_dictpath));
+    options.enforce_root = CO_ENFORCE_ROOT;
 
     ctrl = _pam_parse(pamh, &options, argc, argv);
 
@@ -620,7 +625,7 @@
                 if (ctrl && PAM_DEBUG_ARG)
                     pam_syslog(pamh,LOG_DEBUG,"bad password: %s",crack_msg);
                 pam_error(pamh, _("BAD PASSWORD: %s"), crack_msg);
-                if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+                if (getuid() || options.enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
                     retval = PAM_AUTHTOK_ERR;
                 else
                     retval = PAM_SUCCESS;
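Review bot: with `options.enforce_root` left at its `CO_ENFORCE_ROOT` default of 0, the `else` branch still returns PAM_SUCCESS for root after cracklib has already reported `BAD PASSWORD`, so the patch is strictly opt-in and pre-patch root behaviour is unchanged; that is worth saying explicitly in the description, along with the fact that `getuid()` short-circuits first, so the new term only ever matters for uid 0.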
@@ -631,7 +636,7 @@
                     retval = _pam_unix_approve_pass(pamh,ctrl,&options,
                                                oldtoken,token1);
                     if (retval != PAM_SUCCESS) {
-                        if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+                        if (getuid() || options.enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
 			    retval = PAM_AUTHTOK_ERR;
 			else
 			    retval = PAM_SUCCESS;
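Review bot: this is the second verbatim copy of `getuid() || options.enforce_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK)` (the first is in the previous hunk); computing it once into a local such as `int enforce = ...;` before both checks would keep the two sites from drifting the next time the condition is touched.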

Last edited by slimm609; 05-11-2010 at 08:55 AM.
 
Old 07-24-2010, 06:33 AM   #4
cj_cheema
Member
 
Hi

I am back again... Thanks for the support. I am facing another problem while configuring the system-auth file for locking a user account after 3 failed attempts. But this configuration is not working, meaning users are still able to log in after 3 failed logins. Below are the configuration parameters which I have edited:
Quote:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
I have also tried these parameters, which I got from http://www.puschitz.com/SecuringLinu...eckingAccounts, but with no success.

Quote:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
Please guide me on where the issue is. Is there any alternative way to achieve user account locking?

Thanks & Regards
CJ
 
  


All times are GMT -5. The time now is 08:26 AM.
