Linux Password Policy
From Brandonhutchinson.com
Changes from the previous revision (edit summary: →Account Lockout): the section headings were demoted one level, the sial.org ''pam_tally'' link was dropped from Links, and the following Account Lockout section was removed.

== Account Lockout ==

Account lockout after a number of unsuccessful authentication attempts may be enabled using ''pam_tally''. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset.

* Create the ''pam_tally'' store for failed login attempts. The ''auth'' entry below uses ''onerr=fail'', so if this file cannot be opened every authentication fails; create it before enabling the module.
 # '''touch /var/log/faillog'''
 # '''chown root:root /var/log/faillog'''
 # '''chmod 600 /var/log/faillog'''

* Configure PAM.
Relevant entries in bold in ''/etc/pam.d/system-auth'':
 auth        required      /lib/security/$ISA/pam_env.so
 '''auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root'''
 auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 auth        required      /lib/security/$ISA/pam_deny.so

 account     required      /lib/security/$ISA/pam_unix.so
 account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
 account     required      /lib/security/$ISA/pam_permit.so
 '''account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset'''
''no_magic_root'' applies the tally to uid 0 as well; ''deny=5'' refuses access once the user's tally exceeds 5, and ''reset'' clears the tally on a successful login. Because the ''pam_succeed_if.so uid < 100'' entry is ''sufficient'' and comes before the ''pam_tally'' account entry, system accounts are never subject to the deny check.

* Run the [http://sial.org/howto/linux/pam_tally/reset_failed_logins reset_failed_logins] script periodically from cron.
Example root crontab:
 # Reset pam_tally counter twice hourly
 0,30 * * * * /usr/local/bin/reset_failed_logins

== Links ==
* [http://articles.techrepublic.com.com/5100-1035_11-6111316.html?tag=rbxccnbtr1 Enforce strong passwords with pam_passwdqc]
* [http://kbase.redhat.com/faq/FAQ_44_4047.shtm How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?]
* [http://sial.org/howto/linux/pam_tally/ http://sial.org/howto/linux/pam_tally/] (removed in this revision)
* [http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html Strong Passwords with PAM]
Revision as of 21:33, 5 December 2007
The following examples are on a Red Hat Enterprise Linux AS 4 system.
Password Aging
New Accounts
/etc/login.defs and /etc/default/useradd are the files related to password aging on new accounts.
/etc/login.defs:
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
/etc/default/useradd:
INACTIVE=-1
EXPIRE=
By default, both password inactivity (INACTIVE: the number of days after a password expires during which the user may still change it; once that window has passed the account is disabled and must be unlocked by an administrator; -1 turns the feature off) and an account expiration date (EXPIRE) are disabled.
Note that PASS_MIN_LEN in /etc/login.defs has no effect. Minimum password length is controlled by the pam_cracklib module. If minlen= is not specified in pam_cracklib, the default minimum password length is 6 characters.
Existing Accounts
/usr/bin/chage is used to modify password aging on existing accounts. Note that chage -m/-M/-W do not update the last password change date (field 3 in /etc/shadow, in days since 1970-01-01); if that date is old, the password can expire immediately after running chage. Use chage -d to set the date explicitly (chage -d 0 forces a change at the next login), and chage -l to review the result.
Example
User hutchib was already created with essentially no password aging (the default PASS_MAX_DAYS of 99999). To configure the following:
- A minimum of 7 days between password changes.
- Password expiration after 90 days.
- Begin warning about password expiration 14 days in advance.
# /usr/bin/chage -m 7 -M 90 -W 14 hutchib
What happens when your password expires?
- If the inactivity period has also elapsed (see chage -I and field 7 in /etc/shadow), you will be unable to login and your password will have to be reset by an administrator.
e.g., /var/log/messages entry:
Dec 4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
- If the account is expired but not inactive, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to host closed.
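The aging fields above interact in a fixed order (account expiry, forced change, max age, inactivity, warning window). The following shell function, added here as an example and not part of the original page, evaluates a shadow(5) entry against a given day count and reports the state a login would land in. The sample entries are constructed (hashes shortened); day 13851 is 2007-12-04, the date of the log entry above. The function and helper names are this example's own.

```shell
#!/bin/sh
# Added example: classify the password-aging state of a shadow(5) entry.
# Field layout (colon separated):
#   1 name  2 hash  3 last change (days since 1970-01-01)  4 min  5 max
#   6 warn  7 inactive  8 account expiry (days since epoch)  9 reserved
# Usage: shadow_state 'SHADOW_LINE' TODAY_IN_DAYS
# Prints one of: ok, warn, expired (grace login, must change now),
# inactive (locked until an administrator resets it), account-expired.
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        lastchg = $3; max = $5; warn = $6; inact = $7; expire = $8
        # field 8: hard account expiry, independent of the password
        if (expire != "" && today >= expire) { print "account-expired"; exit }
        # an empty field 3 means aging is disabled for this entry
        if (lastchg == "") { print "ok"; exit }
        # field 3 == 0 (chage -d 0) forces a change at the next login
        if (lastchg == "0") { print "expired"; exit }
        # no max age (or the 99999 default) means aging is effectively off
        if (max == "" || max >= 99999) { print "ok"; exit }
        left = lastchg + max - today        # days until the password expires
        if (left < 0) {
            # past expiry: grace login unless the inactivity window has passed too
            if (inact != "" && inact >= 0 && today > lastchg + max + inact)
                print "inactive"
            else
                print "expired"
            exit
        }
        if (warn != "" && left <= warn) { print "warn"; exit }
        print "ok"
    }'
}

# Current day count, the unit chage and /etc/shadow use for dates.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample entries.
# chage -m 7 -M 90 -W 14 applied to an account changed today: 90 days left.
shadow_state 'hutchib:$1$xyz:13851:7:90:14:::' 13851      # ok
# The same chage run on an account whose field 3 is two years old: the
# password is already expired, which is the chage caveat above.
shadow_state 'hutchib:$1$xyz:13000:7:90:14:::' 13851      # expired
# With chage -I 30 as well, the grace period is long gone: locked.
shadow_state 'hutchib:$1$xyz:13000:7:90:14:30::' 13851    # inactive
# Nine days before expiry, inside the 14-day warning window.
shadow_state 'hutchib:$1$xyz:13770:7:90:14:::' 13851      # warn
# The fix for a freshly aged account: chage -d "$(date +%Y-%m-%d)" hutchib
# moves field 3 to today (or chage -d 0 to force a change at next login).
```

Run it against a real entry with `shadow_state "$(grep '^hutchib:' /etc/shadow)" "$(today_days)"` as root; the expired and inactive cases are exactly the two outcomes described in the list above.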
Password Complexity
Both pam_cracklib and pam_passwdqc are modules used in enforcing password complexity. Although pam_passwdqc is more powerful, I'll be using pam_cracklib as its capabilities meet our site's needs and it is already in the PAM stack.
Example: Require a minimum score of 12, so that a 9-character password containing a lowercase letter, an uppercase letter, and a digit is accepted. Note that a non-negative credit does not make its class mandatory: each credit only lowers the required length by up to that many characters of its class, so an 11-character all-lowercase password also reaches 12 and is accepted. To actually require a class, give it a negative credit (e.g. ucredit=-1 demands at least one uppercase letter and grants no credit for it).
Relevant entry in bold in /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0
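Because the minlen/credit arithmetic is easy to misjudge, the following shell function, added here as an example and not part of the original page or of pam_cracklib itself, reproduces that arithmetic so a candidate policy can be tried against sample passwords before it goes into system-auth. It models only the length and class-credit check; cracklib's dictionary, palindrome and similarity checks still apply on the real system. The function name and sample passwords are this example's own.

```shell
#!/bin/sh
# Added example: pam_cracklib-style minlen/credit check.
# Usage: cracklib_length_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Prints "pass" or "fail".
cracklib_length_check() {
    printf '%s\n' "$1" |
    awk -v minlen="$2" -v lc="$3" -v uc="$4" -v dc="$5" -v oc="$6" '
    # A non-negative credit lowers the required length by up to that many
    # characters of its class. A negative credit -N instead demands at least
    # N characters of the class and gives no credit at all.
    function apply(count, credit) {
        if (credit >= 0) return ((count < credit) ? count : credit)
        if (count < -credit) fail = 1
        return 0
    }
    {
        p = $0; len = length(p)
        lower = gsub(/[a-z]/, "", p); upper = gsub(/[A-Z]/, "", p)
        digit = gsub(/[0-9]/, "", p); other = length(p)   # whatever is left
        fail = 0
        need = minlen - apply(lower, lc) - apply(upper, uc) \
                      - apply(digit, dc) - apply(other, oc)
        print (fail || len < need) ? "fail" : "pass"
    }'
}

# The policy from the page: minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0
cracklib_length_check 'Abcdefgh1'   12 1 1 1 0    # pass: 9 chars + 3 credits
cracklib_length_check 'abcdefghijk' 12 1 1 1 0    # pass: 11 lowercase + 1 credit
cracklib_length_check 'abcdefghij'  12 1 1 1 0    # fail: 10 + 1 < 12
# Negative credits make the class mandatory and grant no credit, so minlen
# must come down if a 9-character mixed password is still meant to pass.
cracklib_length_check 'abcdefghijk' 10 1 -1 -1 0  # fail: no uppercase, no digit
cracklib_length_check 'Abcdefgh1'   10 1 -1 -1 0  # pass: 9 + 1 lowercase credit
```

The second call is the one to notice: under the page's settings a long all-lowercase password is accepted, which is why the prose should speak of a minimum score rather than a required character mix unless negative credits are used.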
Password History
Password history, i.e., preventing re-use of old passwords, is handled by pam_unix: with remember=N it stores each user's last N password hashes in /etc/security/opasswd and rejects a new password that matches any of them ("Password has been already used. Choose another."). pam_cracklib only compares the new password against the current one (the palindrome, similarity and case-change checks), not against the history. By default, password history is disabled.
Example: Prevent re-use of each user's last 24 passwords.
- Create the password database store.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
- Configure PAM.
Relevant entry in bold in /etc/pam.d/system-auth:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24
