Linux Password Policy - Revision history

Hutch: /* RHEL 5 Example */

2009-04-03T15:35:12Z

RHEL 5 Example

←Older revision		Revision as of 15:35, 3 April 2009
Line 116:		Line 116:
	* ''no_magic_root'' and ''reset'' are not valid options.		* ''no_magic_root'' and ''reset'' are not valid options.

-	~~The relevant (e.g., RHEL 5) the relevant entry~~ in ''/etc/pam.d/system-auth'' ~~would be~~:	+	Relevant entries in bold in ''/etc/pam.d/system-auth'':
-	'''auth required /lib/security/$ISA/pam_tally.so onerr=fail ~~no_magic_root~~ unlock_time=1800'''	+	auth required /lib/security/$ISA/pam_env.so
		+	'''auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800'''
		+	auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
		+	auth required /lib/security/$ISA/pam_deny.so
		+
		+	account required /lib/security/$ISA/pam_unix.so
		+	account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
		+	account required /lib/security/$ISA/pam_permit.so
		+	'''account required /lib/security/$ISA/pam_tally.so'''

	== Links ==		== Links ==

Hutch: /* RHEL 5 Example */

2009-04-03T15:33:05Z

RHEL 5 Example

←Older revision		Revision as of 15:33, 3 April 2009
Line 110:		Line 110:
	=== RHEL 5 Example ===		=== RHEL 5 Example ===

-	* ~~If your version of~~ ''~~pam_tally~~'' supports the ''unlock_time'' paramter (e.g., RHEL 5), the relevant entry in ''/etc/pam.d/system-auth'' would be:	+	Modifications needed for ''pam_tally2'' in RHEL 5:
		+
		+	* ''pam_tally2'' on RHEL 5 supports the ''unlock_time'' paramter.
		+	* ''deny'' is allowed in the ''auth'' phase only, not the ''account'' phase.
		+	* ''no_magic_root'' and ''reset'' are not valid options.
		+
		+	The relevant (e.g., RHEL 5) the relevant entry in ''/etc/pam.d/system-auth'' would be:
	'''auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root unlock_time=1800'''		'''auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root unlock_time=1800'''

Hutch: /* RHEL 3/4 Example */

2009-04-03T15:30:47Z

RHEL 3/4 Example

←Older revision		Revision as of 15:30, 3 April 2009
Line 103:		Line 103:
	'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''		'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''

-	* ~~If your version of~~ ''pam_tally'' does not support the ''unlock_time'' parameter~~, run~~ the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron~~. ''pam_tally'' from~~ the ~~''pam-0.77-66.5'' package in this example does not~~.	+	* ''pam_tally'' on RHEL 3/4 does not support the ''unlock_time'' parameter. Run the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron to reset the number of failed logins.
	Example root crontab:		Example root crontab:
	# Reset pam_tally counter twice hourly		# Reset pam_tally counter twice hourly

Hutch: /* Account Lockout */

2009-04-03T15:29:59Z

Account Lockout

←Older revision		Revision as of 15:29, 3 April 2009
Line 90:		Line 90:

	* Configure PAM.		* Configure PAM.
		+
		+	=== RHEL 3/4 Example ===
	Relevant entries in bold in ''/etc/pam.d/system-auth'':		Relevant entries in bold in ''/etc/pam.d/system-auth'':
	auth required /lib/security/$ISA/pam_env.so		auth required /lib/security/$ISA/pam_env.so
Line 105:		Line 107:
	# Reset pam_tally counter twice hourly		# Reset pam_tally counter twice hourly
	0,30 * * * * /usr/local/bin/reset_failed_logins		0,30 * * * * /usr/local/bin/reset_failed_logins
		+
		+	=== RHEL 5 Example ===

	* If your version of ''pam_tally'' supports the ''unlock_time'' paramter (e.g., RHEL 5), the relevant entry in ''/etc/pam.d/system-auth'' would be:		* If your version of ''pam_tally'' supports the ''unlock_time'' paramter (e.g., RHEL 5), the relevant entry in ''/etc/pam.d/system-auth'' would be:

Hutch: /* Account Lockout */

2009-04-03T15:02:54Z

Account Lockout

←Older revision		Revision as of 15:02, 3 April 2009
Line 101:		Line 101:
	'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''		'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''

-	* ~~Run~~ the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron~~, unless your version of ''pam_tally'' supports the ''unlock_time'' parameter (~~''pam_tally'' from the ''pam-0.77-66.5'' package in this example does not).	+	* If your version of ''pam_tally'' does not support the ''unlock_time'' parameter, run the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron. ''pam_tally'' from the ''pam-0.77-66.5'' package in this example does not.
	Example root crontab:		Example root crontab:
	# Reset pam_tally counter twice hourly		# Reset pam_tally counter twice hourly
	0,30 * * * * /usr/local/bin/reset_failed_logins		0,30 * * * * /usr/local/bin/reset_failed_logins
		+
		+	* If your version of ''pam_tally'' supports the ''unlock_time'' paramter (e.g., RHEL 5), the relevant entry in ''/etc/pam.d/system-auth'' would be:
		+	'''auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root unlock_time=1800'''

	== Links ==		== Links ==

Hutch: /* Existing Accounts */

2009-04-03T14:42:46Z

Existing Accounts

←Older revision		Revision as of 14:42, 3 April 2009
Line 25:		Line 25:
	=== Existing Accounts ===		=== Existing Accounts ===

-	''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'' ~~unless you use~~ the '''-d''' option~~, so passwords could expire immediately after running it~~.	+	''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'', so passwords could expire immediately after running it. You may run it with the '''-d''' option to modify the last password change field in ''/etc/shadow''.

	==== Example ====		==== Example ====

Hutch: /* Existing Accounts */

2009-04-03T14:41:04Z

Existing Accounts

←Older revision		Revision as of 14:41, 3 April 2009
Line 25:		Line 25:
	=== Existing Accounts ===		=== Existing Accounts ===

-	''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'', so passwords could expire immediately after running it.	+	''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'' unless you use the '''-d''' option, so passwords could expire immediately after running it.

	==== Example ====		==== Example ====

Hutch: /* Password Complexity */

2007-12-07T14:58:46Z

Password Complexity

←Older revision		Revision as of 14:58, 7 December 2007
Line 56:		Line 56:
	Connection to host closed.		Connection to host closed.

-	== Password Complexity ==	+	== Password Length and Complexity ==

-	Both ''pam_cracklib'' and ''pam_passwdqc'' are modules used in enforcing password complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.	+	Both ''pam_cracklib'' and ''pam_passwdqc'' are modules used in enforcing password length and complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.

	Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.		Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.

Hutch: /* Password Complexity */

2007-12-06T20:07:11Z

Password Complexity

←Older revision		Revision as of 20:07, 6 December 2007
Line 58:		Line 58:
	== Password Complexity ==		== Password Complexity ==

-	Both ''pam_cracklib'' and ''~~pam_passwordqc~~'' are modules used in enforcing password complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.	+	Both ''pam_cracklib'' and ''pam_passwdqc'' are modules used in enforcing password complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.

	Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.		Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.

Hutch: /* Links */

2007-12-06T01:55:05Z

Links

←Older revision		Revision as of 01:55, 6 December 2007
Line 111:		Line 111:
	* [http://articles.techrepublic.com.com/5100-1035_11-6111316.html?tag=rbxccnbtr1 Enforce strong passwords with pam_passwdqc]		* [http://articles.techrepublic.com.com/5100-1035_11-6111316.html?tag=rbxccnbtr1 Enforce strong passwords with pam_passwdqc]
	* [http://kbase.redhat.com/faq/FAQ_44_4047.shtm How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?]		* [http://kbase.redhat.com/faq/FAQ_44_4047.shtm How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?]
-	* [~~http://sial.org/howto/linux/pam_tally/~~ http://sial.org/howto/linux/pam_tally/ pam_tally configuration tips]	+	* [http://sial.org/howto/linux/pam_tally/ pam_tally configuration tips]
	* [http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Strong Passwords with PAM]		* [http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Strong Passwords with PAM]