Linux Password Policy
From Brandonhutchinson.com
Revision as of 22:43, 4 December 2007
The following examples are on a Red Hat Enterprise Linux AS 4 system.
Password Aging
New Accounts
/etc/login.defs and /etc/default/useradd are the files related to password aging on new accounts.
/etc/login.defs:
# Password aging controls:
#
# PASS_MAX_DAYS   Maximum number of days a password may be used.
# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
# PASS_MIN_LEN    Minimum acceptable password length.
# PASS_WARN_AGE   Number of days warning given before a password expires.
/etc/default/useradd:
INACTIVE=-1
EXPIRE=
By default, the password inactivity period and the account expiry date are both disabled.
Note that PASS_MIN_LEN in /etc/login.defs has no effect. Minimum password length is controlled by the pam_cracklib module. If minlen= is not specified in pam_cracklib, the default minimum password length is 6 characters.
Existing Accounts
/usr/bin/chage is used to modify password aging on existing accounts. chage does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.
Example
User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:
- A minimum of 7 days between password changes.
- Password expiration after 90 days.
- Begin warning about password expiration 14 days in advance.
# /usr/bin/chage -m 7 -M 90 -W 14 hutchib
What happens when your password expires?
- If the account is inactive (see chage -I and field 7 in /etc/shadow), you will be unable to log in and your password will have to be manually reset by an administrator.
e.g., /var/log/messages
Dec 4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
- If the account is expired but not inactive, you are allowed a "grace login" where your old password is accepted and you must immediately change your password. After changing your password, the connection is closed and you must log in again.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to host closed.
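As an added example (not from the original page), the following POSIX shell function reads a /etc/shadow-format entry and reports the aging state that login will enforce: no aging, ok, warning, expired with grace login, inactive, or account expired. Run against the page's hutchib settings with field 3 left at an old value, it shows why a chage run can expire a password immediately; the hash and day numbers in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify a /etc/shadow entry's
# password-aging state the way login would see it, so the effect of a chage
# run that leaves field 3 untouched can be checked before users are locked out.
# Fields: 1 name, 2 hash, 3 last change (days since epoch), 4 min, 5 max,
# 6 warn, 7 inactive, 8 account expiry. Empty field = unset.
# Usage: shadow_status '<shadow line>' [today_in_days_since_epoch]
shadow_status() {
    entry=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    IFS=: read -r name hash last min max warn inact expire rest <<EOF
$entry
EOF
    # Field 8 is an absolute account expiry, independent of password aging.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo "$name: account expired"; return 0
    fi
    # Empty or 99999 max means no aging (the useradd default the page describes).
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "$name: no password aging"; return 0
    fi
    pwexp=$(( last + max ))          # day the password expires
    if [ "$today" -ge "$pwexp" ]; then
        # Field 7: days of inactivity allowed after expiry; empty or -1 never locks.
        if [ -n "$inact" ] && [ "$inact" -ge 0 ] && [ "$today" -ge $(( pwexp + inact )) ]; then
            echo "$name: inactive, administrator must reset"; return 0
        fi
        echo "$name: password expired, grace login forces a change"; return 0
    fi
    left=$(( pwexp - today ))
    if [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
        echo "$name: expires in $left days, warning shown"; return 0
    fi
    echo "$name: ok, $left days left"
}

# Constructed sample, not a real hash: the page's user after
# chage -m 7 -M 90 -W 14, with field 3 still at an old value (day 13000),
# evaluated on 4 Dec 2007 (day 13851): it reports as already expired.
shadow_status 'hutchib:$1$xx$nothing:13000:7:90:14:::' 13851
```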
Password Complexity
Password History
Password history--i.e., preventing re-use of old passwords--may be enabled using both pam_unix (stores the old password) and pam_cracklib (prevents re-use). By default, password history is disabled.
Example: Prevent re-use of each user's last 24 passwords.
- Create the password database store.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
- Configure PAM.
Relevant line in /etc/pam.d/system-auth:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24
