Linux Password Policy

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
(Account Lockout)
Current revision (15:35, 3 April 2009) (edit) (undo)
(RHEL 5 Example)
 
(15 intermediate revisions not shown.)
Line 25: Line 25:
=== Existing Accounts ===
=== Existing Accounts ===
-
''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'', so passwords could expire immediately after running it.
+
''/usr/bin/chage'' is used to modify password aging on existing accounts. ''chage'' does not update the last password change field (field 3) in ''/etc/shadow'', so passwords could expire immediately after running it. You may run it with the '''-d''' option to modify the last password change field in ''/etc/shadow''.
==== Example ====
==== Example ====
Line 56: Line 56:
Connection to host closed.
Connection to host closed.
-
== Password Complexity ==
+
== Password Length and Complexity ==
-
Both ''pam_cracklib'' and ''pam_passwordqc'' are modules used in enforcing password complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.
+
Both ''pam_cracklib'' and ''pam_passwdqc'' are modules used in enforcing password length and complexity. Although ''pam_passwordqc'' is more powerful, I'll be using ''pam_cracklib'' as its capabilities meet our site's needs and it is already in the PAM stack.
Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.
Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.
Line 82: Line 82:
== Account Lockout ==
== Account Lockout ==
-
Account lockout after a number of unsuccessful authentication attempts may be enabled using ''pam_tally''. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset.
+
Account lockout after a number of unsuccessful authentication attempts may be enabled using ''pam_tally''. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication (''reset'' option in PAM configuration).
* Create the ''pam_tally'' store for failed login attempts.
* Create the ''pam_tally'' store for failed login attempts.
Line 90: Line 90:
* Configure PAM.
* Configure PAM.
 +
 +
=== RHEL 3/4 Example ===
Relevant entries in bold in ''/etc/pam.d/system-auth'':
Relevant entries in bold in ''/etc/pam.d/system-auth'':
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_env.so
Line 101: Line 103:
'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''
'''account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''
-
* Run the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron.
+
* ''pam_tally'' on RHEL 3/4 does not support the ''unlock_time'' parameter. Run the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron to reset the number of failed logins.
Example root crontab:
Example root crontab:
# Reset pam_tally counter twice hourly
# Reset pam_tally counter twice hourly
0,30 * * * * /usr/local/bin/reset_failed_logins
0,30 * * * * /usr/local/bin/reset_failed_logins
 +
 +
=== RHEL 5 Example ===
 +
 +
Modifications needed for ''pam_tally2'' in RHEL 5:
 +
 +
* ''pam_tally2'' on RHEL 5 supports the ''unlock_time'' paramter.
 +
* ''deny'' is allowed in the ''auth'' phase only, not the ''account'' phase.
 +
* ''no_magic_root'' and ''reset'' are not valid options.
 +
 +
Relevant entries in bold in ''/etc/pam.d/system-auth'':
 +
auth required /lib/security/$ISA/pam_env.so
 +
'''auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800'''
 +
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
 +
auth required /lib/security/$ISA/pam_deny.so
 +
 +
account required /lib/security/$ISA/pam_unix.so
 +
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 +
account required /lib/security/$ISA/pam_permit.so
 +
'''account required /lib/security/$ISA/pam_tally.so'''
== Links ==
== Links ==
Line 111: Line 132:
* [http://articles.techrepublic.com.com/5100-1035_11-6111316.html?tag=rbxccnbtr1 Enforce strong passwords with pam_passwdqc]
* [http://articles.techrepublic.com.com/5100-1035_11-6111316.html?tag=rbxccnbtr1 Enforce strong passwords with pam_passwdqc]
* [http://kbase.redhat.com/faq/FAQ_44_4047.shtm How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?]
* [http://kbase.redhat.com/faq/FAQ_44_4047.shtm How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?]
-
* [http://sial.org/howto/linux/pam_tally/ http://sial.org/howto/linux/pam_tally/]
+
* [http://sial.org/howto/linux/pam_tally/ pam_tally configuration tips]
* [http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Strong Passwords with PAM]
* [http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Strong Passwords with PAM]

Current revision

The following examples are on a Red Hat Enterprise Linux AS 4 system.

Contents

Password Aging

New Accounts

/etc/login.defs and /etc/default/useradd are the files related to password aging on new accounts.

/etc/login.defs: 

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.

/etc/default/useradd: 

INACTIVE=-1
EXPIRE=

By default, password inactivity (i.e., the number of days after a password is expired in which a user can no longer reset it themselves) and an account expiration date are disabled.

Note that PASS_MIN_LEN in /etc/login.defs has no effect. Minimum password length is controlled by the pam_cracklib module. If minlen= is not specified in pam_cracklib, the default minimum password length is 6 characters.

Existing Accounts

/usr/bin/chage is used to modify password aging on existing accounts. chage does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it. You may run it with the -d option to modify the last password change field in /etc/shadow.

Example

User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:

  • A minimum of 7 days between password changes.
  • Password expiration after 90 days.
  • Begin warning about password expiration 14 days in advance. 
# /usr/bin/chage -m 7 -M 90 -W 14 hutchib

What happens when your password expires?

  • If the account is inactive (see chage -I and field 7 in /etc/shadow), you will be unable to login and your password will have to be manually reset by an administrator.

e.g., /var/log/messages entry: 

Dec  4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
  • If the account is expired but not inactive, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again. 
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password: 
New UNIX password:
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
Connection to host closed.

Password Length and Complexity

Both pam_cracklib and pam_passwdqc are modules used in enforcing password length and complexity. Although pam_passwordqc is more powerful, I'll be using pam_cracklib as its capabilities meet our site's needs and it is already in the PAM stack.

Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.

Relevant entry in bold in /etc/pam.d/system-auth: 

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0

Password History

Password history--i.e., preventing re-use of old passwords--may be enabled using both pam_unix (stores the old password) and pam_cracklib (prevents re-use). By default, password history is disabled.

Example: Prevent re-use of each user's last 24 passwords.

  • Create the password database store. 
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
  • Configure PAM.

Relevant entry in bold in /etc/pam.d/system-auth: 

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24

Account Lockout

Account lockout after a number of unsuccessful authentication attempts may be enabled using pam_tally. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication (reset option in PAM configuration).

  • Create the pam_tally store for failed login attempts. 
# touch /var/log/faillog
# chown root:root /var/log/faillog
# chmod 600 /var/log/faillog
  • Configure PAM.

RHEL 3/4 Example

Relevant entries in bold in /etc/pam.d/system-auth: 

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
  • pam_tally on RHEL 3/4 does not support the unlock_time parameter. Run the reset_failed_logins script periodically from cron to reset the number of failed logins.

Example root crontab: 

# Reset pam_tally counter twice hourly
0,30 * * * * /usr/local/bin/reset_failed_logins

RHEL 5 Example

Modifications needed for pam_tally2 in RHEL 5:

  • pam_tally2 on RHEL 5 supports the unlock_time paramter.
  • deny is allowed in the auth phase only, not the account phase.
  • no_magic_root and reset are not valid options.

Relevant entries in bold in /etc/pam.d/system-auth: 

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=5 unlock_time=1800
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_tally.so

Links

Retrieved from "http://brandonhutchinson.com/wiki/Linux_Password_Policy"
Personal tools