Solaris Password Policy

From Brandonhutchinson.com

Current revision (17:28, 11 December 2007)

The following information is for a Solaris 9 system, although it should be applicable for Solaris 2.6, 7, and 8. Solaris 10 has much better password controls built-in, obviating the need for third-party PAM modules.

Password Aging

New Accounts

/etc/default/passwd is the file related to password aging on new accounts.

  • MAXWEEKS= is the maximum number of weeks a password may be used.
  • MINWEEKS= is the minimum number of weeks allowed between password changes.
  • WARNWEEKS= (not present by default) is the number of weeks' warning given before a password expires.

Existing Accounts

/usr/bin/passwd is used to modify password aging on existing accounts. passwd does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.

Example

User hutchib was already created with no password aging (MAXWEEKS= left empty in /etc/default/passwd). To configure the following:

  • A minimum of 7 days between password changes.
  • Password expiration after 90 days.
  • Begin warning about password expiration 14 days in advance.
# /usr/bin/passwd -n 7 -w 14 -x 90 hutchib

What happens when your password expires?

When your password expires, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again.

WARNING: Your password has expired.
You must change your password now and login again!
passwd: Changing password for hutchib
Enter existing login password: 
New Password: 
Re-enter new Password: 
passwd: password successfully changed for hutchib
Connection to host closed.
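An added example (not Solaris code) that classifies shadow(4)-style entries under the aging settings above and shows the caveat that passwd -x does not touch the last-change field, so an old lastchg can expire the password at the next login. The shadow lines are constructed, with "xx" as a placeholder hash.

```python
"""Password aging status from shadow(4)-style entries (added example).

Fields used: 3 = lastchg (days since the epoch), 4 = min, 5 = max,
6 = warn, all in days. Sample lines below are constructed.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """Day number as stored in the lastchg field."""
    return (d - EPOCH).days


def parse_shadow(line):
    """Split one /etc/shadow line into the aging-relevant fields."""
    f = line.split(":")

    def num(s):
        return int(s) if s else None

    return {"user": f[0], "lastchg": num(f[2]), "min": num(f[3]),
            "max": num(f[4]), "warn": num(f[5])}


def aging_status(entry, today):
    """Classify an entry as seen on day number 'today'."""
    if entry["max"] is None:
        return "no aging"
    # passwd -n/-w/-x leaves lastchg alone, so an old (or empty, treated as
    # day 0) lastchg can already be past max the moment aging is enabled.
    age = today - (entry["lastchg"] or 0)
    if age > entry["max"]:
        return "expired"
    if entry["warn"] and age >= entry["max"] - entry["warn"]:
        return "warning: %d days left" % (entry["max"] - age)
    return "ok"


def can_change(entry, today):
    """MINWEEKS / passwd -n: no further change before min days have passed."""
    if entry["min"] is None:
        return True
    return today - (entry["lastchg"] or 0) >= entry["min"]


# Constructed sample: hutchib last changed the password on day 13700, then
# "passwd -n 7 -w 14 -x 90 hutchib" was run as in the text; newuser has no aging.
SAMPLE = [
    "hutchib:xx:13700:7:90:14:::",
    "newuser:xx::::::",
]


def report(today):
    """Map each sample user to its aging status on 'today'."""
    return {e["user"]: aging_status(e, today) for e in map(parse_shadow, SAMPLE)}
```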

Password Length and Complexity

Minimum password length is configured using the PASSLENGTH= value in /etc/default/passwd.

The default Solaris install does not provide pam_cracklib or pam_passwdqc. If the default password complexity rules are insufficient, these PAM modules (preferably pam_passwdqc) should be used.

Default password complexity rules from passwd(1):

    Passwords must be constructed to meet the following require-
    ments:

       o  Each password must have PASSLENGTH  characters,  where
          PASSLENGTH  is  defined  in /etc/default/passwd and is
          set to 6. Only the first eight characters are signifi-
          cant.

       o  Each password must contain  at  least  two  alphabetic
          characters and at least one numeric or special charac-
          ter. In this case, "alphabetic" refers to all upper or
          lower case letters.

       o  Each password must differ from the user's  login  name
          and  any reverse or circular shift of that login name.
          For comparison purposes, an upper case letter and  its
          corresponding lower case letter are equivalent.

       o  New passwords must differ from the  old  by  at  least
          three  characters.  For  comparison purposes, an upper
          case letter and its corresponding  lower  case  letter
          are equivalent.
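An added example (not Solaris code) implementing the four default passwd(1) rules quoted above as a checker. It compares on the lowercased 8-character prefix, since crypt_unix ignores everything after eight characters, and takes "differ by at least three characters" to mean three differing positions, which is an assumption the man page does not settle.

```python
"""Checker for the default Solaris 9 passwd(1) rules (added example)."""

PASSLENGTH = 6    # default value in /etc/default/passwd
SIGNIFICANT = 8   # crypt_unix only looks at the first eight characters


def significant(s):
    """The part of a password crypt_unix actually sees, case-folded."""
    return s[:SIGNIFICANT].lower()


def login_name_variants(login):
    """The login name, each circular shift of it, and the same for its reverse."""
    name = login.lower()
    variants = set()
    for s in (name, name[::-1]):
        for i in range(len(s)):
            variants.add(s[i:] + s[:i])
    return variants


def check_password(new, login, old=None):
    """Return the list of violated rules; an empty list means the password passes."""
    errors = []
    if len(new) < PASSLENGTH:
        errors.append("shorter than PASSLENGTH=%d" % PASSLENGTH)
    alpha = sum(c.isalpha() for c in new)
    if alpha < 2 or len(new) - alpha < 1:
        errors.append("needs two alphabetic and one numeric/special character")
    if new.lower() in login_name_variants(login):
        errors.append("matches the login name or a shift of it")
    if old is not None:
        # Assumption: "three characters" = three differing positions within
        # the significant prefix; 'password' vs 'password1' differ in none.
        a, b = significant(new), significant(old)
        changed = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
        if changed < 3:
            errors.append("differs from the old password in fewer than 3 positions")
    return errors
```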

Password History

Password history--i.e., preventing re-use of old passwords--may be enabled using the third-party PAM module pam_history[1]

Example: Prevent re-use of each user's last 24 passwords.

  • Install the COMSpamph package.
  • Create a password history database that will store 24 passwords. Without this step, only 5 passwords would be stored.
# /usr/local/sbin/mkhistory -c -h 24
  • Configure PAM.

Relevant entry in bold in /etc/pam.conf:

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password requisite      pam_history.so.1 history=24 func=$1$
other   password required       pam_authtok_store.so.1

The history=24 option sets the password history to 24 instead of the default 5. This is actually not needed, as the value specified in mkhistory supersedes this value, but it prevents a syslog error message.

The func=$1$ option is used to store the passwords in MD5 format in the password history database. By default, they would be stored in crypt format with only 8 characters of significance.

The func= option is only available in COMSpamph for Solaris 9 and later. See the Documentation and release notes for more information.

Problems with pam_history

Although the pam_history module works in preventing password re-use, I experience the following two problems on my Solaris 9 SPARC system.

  • /usr/local/sbin/mkhistory always returns a last change date of the epoch.
# /usr/local/sbin/mkhistory
         hutchib:       Wed Dec 31 18:00:00 1969
  • A non-descriptive error message--"Please try again"--is returned when attempting to re-use a password in the history.
$ passwd
passwd: Changing password for hutchib
Enter existing login password: 
New Password: 

Please try again
New Password:

Account Lockout

Account lockout after a number of unsuccessful authentication attempts may be enabled using the third-party PAM module pam_login_limit (http://www.comsmiths.com.au/pam/v1.05/). In this example, accounts are locked out for 30 minutes after 5 failed login attempts. During those 30 minutes, any authentication attempt for the user account, whether successful or unsuccessful, resets the 30 minute timer.

To enable account lockout:

  • Install the COMSpamll package.
  • Configure PAM.

Relevant entries in bold in /etc/pam.conf:

Lines preceding pam_login_limit must use the sufficient control flag. The order of pam_dial_auth and pam_unix_auth is switched to accommodate this. If not specified, the default count_limit is 3.

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_login_limit.so.1 count_limit=5 timeout_account=1800

ssh does not use the PAM login service unless UseLogin yes is defined in sshd_config. ssh uses the sshd PAM login service if it's defined, or other if not.

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_login_limit.so.1 count_limit=5 timeout_account=1800

The following line in bold resets the failed login count after a successful login.

other   account required        pam_login_limit.so.1 count_limit=5 timeout_account=1800
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1

The following optional line in bold resets the failed login count after a successful password change. Without this line, if an administrator resets the password, the user will still have to wait timeout_account seconds until the password is unlocked. Or, the administrator could manually run /usr/local/sbin/login_account -c user to clear the counter.

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password requisite      pam_history.so.1 history=24 func=$1$
other   password required       pam_authtok_store.so.1
other   password optional       pam_login_limit.so.1

OpenSSH Changes

If you are using OpenSSH:

  • Make sure PAM support is enabled by setting UsePAM yes in sshd_config.
  • You may want to disable password authentication by setting PasswordAuthentication no in sshd_config. Without this, you will be prompted two additional times for your password if your account is locked (although you still won't be able to authenticate).

With PasswordAuthentication yes:

$ ssh hutchib@host
Password: 
Password: 
Password: 
hutchib@host's password: 
Permission denied, please try again.
hutchib@host's password: 
Received disconnect from 10.209.180.14: 2: Too many authentication failures for hutchib

With PasswordAuthentication no:

$ ssh hutchib@host
Password: 
Password: 
Password: 
Permission denied (publickey,keyboard-interactive,hostbased).

Solaris SUNWssh Package Notes

  • The appropriate directive to enable PAM with SUNWssh is PAMAuthenticationViaKBDInt yes.
  • At least with pam_login_limit with Solaris 9 SUNWssh, a pam_login_limit failure is generated even before a password is entered.

Example:

$ ssh hutchib@host
hutchib@host's password:

Before even entering a password, /usr/local/sbin/login_limit on host counts one login limit failure.

# /usr/local/sbin/login_limit
         hutchib: 1       Tue Dec 11 12:01:41 2007       No Timeout Set

syslog message:

Dec 11 12:01:41 host sshd[20260]: [ID 122574 auth.notice] pam_login_limit(auth): Unsuccessful attempt 1 for user 'hutchib'

Therefore, an appropriate count_limit for this server is 7:

1 -- ssh user@host
2 -- Failed login attempt 1
3 -- Failed login attempt 2
4 -- Failed login attempt 3; disconnected
5 -- ssh user@host
6 -- Failed login attempt 4
7 -- Failed login attempt 5
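An added example (not COMSpam code) that models the pam_login_limit counter as the text describes it: a failure increments the count, reaching count_limit locks the account for timeout_account seconds, any attempt during the lockout restarts the timer, and a success clears the count. The SUNWssh phantom failure per session and three password prompts per session are modelled as stated above; the function at the end reproduces the count_limit=7 reasoning and is an assumption-based model, not the module's source.

```python
"""Model of the pam_login_limit counter and the SUNWssh phantom failure."""


class LoginLimit:
    def __init__(self, count_limit=5, timeout_account=1800):
        self.count_limit = count_limit
        self.timeout = timeout_account
        self.count = 0
        self.locked_until = None   # absolute time, or None when not locked

    def attempt(self, now, password_ok):
        """One authentication attempt at time 'now'; True if it is accepted."""
        if self.locked_until is not None:
            if now < self.locked_until:
                self.locked_until = now + self.timeout  # any attempt restarts the timer
                return False
            self.locked_until = None                    # lockout has elapsed
            self.count = 0
        if password_ok:
            self.count = 0      # pam_login_limit in the account stack resets the count
            return True
        self.count += 1
        if self.count >= self.count_limit:
            self.locked_until = now + self.timeout
        return False

    def clear(self):
        """Same effect as 'login_account -c user' or the optional password-stack line."""
        self.count = 0
        self.locked_until = None


def real_failures_before_lockout(count_limit, phantom=1, tries_per_session=3):
    """Wrong passwords a SUNWssh user can actually type before the account locks.

    Assumption from the text: each ssh session costs one phantom failure when it
    opens, then allows up to three password prompts before disconnecting.
    """
    lim = LoginLimit(count_limit)
    real, now = 0, 0
    while lim.locked_until is None:
        for _ in range(phantom):            # counted before a password is typed
            lim.attempt(now, False)
        for _ in range(tries_per_session):  # the real password prompts
            if lim.locked_until is not None:
                break
            lim.attempt(now, False)
            real += 1
        now += 60                           # next session, well inside the timeout
    return real
```

With count_limit=7 the model gives the five real attempts enumerated above; with the page's count_limit=5 a SUNWssh user gets only three.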

Storing Passwords in MD5 Format

With Solaris 9 12/02 and later, user passwords may be stored in a format other than crypt_unix by modifying /etc/security/policy.conf. Changing the default encryption algorithm allows passwords to have more than 8 significant characters; with crypt_unix, password and password1 are the same password.

To begin storing user passwords in crypt_bsdmd5, make the following change in /etc/security/policy.conf.

#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1

Links

  • Changing the Default Algorithm for Password Encryption: http://docs.sun.com/app/docs/doc/817-0365/6mg5vpmc1?a=view
  • PAM Modules Version 1.05: http://www.comsmiths.com.au/pam/v1.05/
  • PAM Modules FAQ: http://www.comsmiths.com.au/pam/COMSpam_faq