Linux Password Policy

From Brandonhutchinson.com


Revision as of 22:43, 4 December 2007

The following examples are on a Red Hat Enterprise Linux AS 4 system.

Password Aging

New Accounts

/etc/login.defs and /etc/default/useradd are the files related to password aging on new accounts.

/etc/default/login:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.

/etc/default/useradd:

INACTIVE=-1
EXPIRE=

By default, the password inactivity period and the account expiry date are both disabled (INACTIVE=-1 and an empty EXPIRE).

Note that PASS_MIN_LEN in /etc/login.defs has no effect. Minimum password length is controlled by the pam_cracklib module. If minlen= is not specified in pam_cracklib, the default minimum password length is 6 characters.

Existing Accounts

/usr/bin/chage is used to modify password aging on existing accounts. chage does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.

Example

User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:

  • A minimum of 7 days between password changes.
  • Password expiration after 90 days.
  • Begin warning about password expiration 14 days in advance.
# /usr/bin/chage -m 7 -M 90 -W 14 hutchib

What happens when your password expires?

  • If the account is inactive (see chage -I and field 7 in /etc/shadow), you will be unable to log in and your password will have to be reset manually by an administrator.

e.g., /var/log/messages

Dec  4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
  • If the password has expired but the account is not inactive, you are allowed a "grace login": your old password is accepted and you must immediately change it. After changing your password, the connection is closed and you must log in again.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password: 
New UNIX password:
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
Connection to host closed.
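The two outcomes above, and the chage caveat from the Existing Accounts section (field 3 is not updated, so a newly imposed maximum can expire a password immediately), all follow from the numeric fields of /etc/shadow. The following shell function is an added example, not part of the original page: it classifies constructed shadow entries by password-aging state. The user names other than hutchib, the hashes and the day numbers are made up; day 13851 is 4 December 2007, the date of the sample log line above.

```sh
#!/bin/sh
# Added example: classify the password-aging state of /etc/shadow entries.
# Field layout (colon-separated, 1-indexed):
#   1 user  2 hash  3 last change (days since 1970-01-01)  4 min  5 max
#   6 warn  7 inactive  8 account expiry (days since 1970-01-01)  9 reserved
# "today" is passed in as a day number so the function runs offline and
# deterministically; on a live system use: $(( $(date +%s) / 86400 )).

# Constructed sample entries (hashes and dates are made up).
# hutchib mirrors the page's example: chage -m 7 -M 90 -W 14 applied to an
# account whose last password change (field 3) is 151 days old.
SAMPLE_SHADOW='hutchib:$1$fakehash$:13700:7:90:14:::
fresh:$1$fakehash$:13846:7:90:14:::
warned:$1$fakehash$:13771:7:90:14:::
locked:$1$fakehash$:13700:7:90:14:30::
expired:$1$fakehash$:13846:7:90:14::13800:
noaging:$1$fakehash$:13000:0:99999:7:::'

# shadow_status USER TODAY
# Prints one of: ok, warn, grace, inactive, account_expired, unknown
shadow_status() {
    user=$1; today=$2
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$user" -v today="$today" '
    $1 == u {
        last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # An empty field means "not set": treat max as unlimited, warn as off.
        if (max == "")  max = 99999
        if (warn == "") warn = 0
        # Field 8 is the whole-account expiry date (useradd EXPIRE=).
        if (expire != "" && today >= expire) { print "account_expired"; found = 1; exit }
        age = today - last
        if (age > max) {
            # Password has expired. If an inactivity period (field 7, chage -I)
            # is set and has also elapsed, the account is locked and needs an
            # administrator; otherwise the user gets a grace login and must
            # change the password at once.
            if (inact != "" && age > max + inact) print "inactive"
            else print "grace"
        } else if (age >= max - warn) {
            # Within the PASS_WARN_AGE window: login succeeds with a warning.
            print "warn"
        } else {
            print "ok"
        }
        found = 1; exit
    }
    END { if (!found) print "unknown" }'
}
```

Because hutchib's field 3 still records a change 151 days ago, the 90-day maximum set by chage is already exceeded and the entry reports grace rather than ok; running passwd for the user (which does update field 3) before tightening the maximum avoids that surprise.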

Password Complexity

Password History

Password history--i.e., preventing re-use of old passwords--may be enabled using both pam_unix (stores the old password) and pam_cracklib (prevents re-use). By default, password history is disabled.

Example: Prevent re-use of each user's last 24 passwords.

  • Create the password database store.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
  • Configure PAM.

Relevant line in /etc/pam.d/system-auth:

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24
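An added example, not from the original page, showing how to verify both halves of the history setup described above: that the pam_unix password line carries a remember= value of the required depth, and that the history store has the permissions the touch/chown/chmod steps give it. The file paths are parameters so the check runs against constructed copies; make_sample_pam writes two made-up system-auth files (one with remember=24, one without) for that purpose.

```sh
#!/bin/sh
# Added example: audit the password-history configuration.
# Assumes the PAM line uses a plain one-word control field ("sufficient",
# "required"); a bracketed control such as [success=1 default=ignore] shifts
# the columns and would need a different parser.

# get_remember PAMFILE -> prints the remember=N depth on the pam_unix
# "password" line, or 0 if no such option is configured.
get_remember() {
    depth=$(awk '$1 == "password" && $3 ~ /pam_unix\.so/ {
                for (i = 4; i <= NF; i++)
                    if ($i ~ /^remember=/) { split($i, a, "="); print a[2]; exit }
            }' "$1")
    echo "${depth:-0}"
}

# history_ok PAMFILE MINDEPTH -> exit 0 if the configured depth is adequate.
history_ok() {
    [ "$(get_remember "$1")" -ge "$2" ]
}

# opasswd_ok FILE -> exit 0 if the history store exists with mode 0600.
# (Ownership by root is checked on a live system with stat as well; it is
# left out here so the example runs as an unprivileged user.)
opasswd_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ]
}

# make_sample_pam DIR -> writes constructed system-auth.good / system-auth.weak
make_sample_pam() {
    printf '%s\n' \
        'auth        required      /lib/security/$ISA/pam_env.so' \
        'password    required      /lib/security/$ISA/pam_cracklib.so retry=3' \
        'password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24' \
        > "$1/system-auth.good"
    printf '%s\n' \
        'auth        required      /lib/security/$ISA/pam_env.so' \
        'password    required      /lib/security/$ISA/pam_cracklib.so retry=3' \
        'password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow' \
        > "$1/system-auth.weak"
}

# Stand-alone run against constructed files in a temporary directory.
if [ -z "$NO_DEMO" ]; then
    d=$(mktemp -d)
    make_sample_pam "$d"
    for f in "$d/system-auth.good" "$d/system-auth.weak"; do
        if history_ok "$f" 24; then echo "$f: remember=$(get_remember "$f") OK"
        else echo "$f: remember=$(get_remember "$f") too shallow"; fi
    done
    rm -rf "$d"
fi
```

On a real system the same functions are called with /etc/pam.d/system-auth and /etc/security/opasswd; a depth of 0 means pam_unix is not recording old passwords at all, so pam_cracklib has nothing to compare against.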

Links