2010-04-16

LINUX PASSWORD POLICY

1 Password strength:

  1. check that the PAM module pam_cracklib.so is present in /lib/security (/lib64/security on 64-bit systems)
  2. edit /etc/pam.d/system-auth (Red Hat style stack; the line must come before the pam_unix.so password line)
    • password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
      retry: number of attempts the user gets to pick an acceptable new password
      minlen: minimum password length; because every credit below is negative no class earns a length credit, so 8 is the real minimum
      ucredit: upper-case letters, -1 means at least 1 is required
      lcredit: lower-case letters
      ocredit: special (other) characters
      dcredit: digits
      a positive credit value does the opposite: it gives a length bonus for that class instead of requiring it
      newer distributions ship pam_pwquality.so instead of pam_cracklib.so; it accepts the same options
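The length and class rules of that line as a local pre-check, added here as an example script and not part of the original note or of pam_cracklib itself. It reproduces only minlen=8 and the four credit=-1 requirements; cracklib's dictionary and similarity checks are not modelled. The sample passwords are constructed:

```sh
#!/bin/sh
# Added example: mimic the pam_cracklib line above (minlen=8, at least one
# upper, lower, digit and special character) so a candidate password can be
# tested before it is handed to passwd. Only the length and character-class
# rules are reproduced, not cracklib's dictionary check.

MINLEN=8

has_class() {
    # has_class PASSWORD CLASS-PATTERN -> true if at least one char matches
    printf '%s' "$1" | grep -q "$2"
}

# check_password PASSWORD
# prints the first failing rule and returns 1, or prints "ok" and returns 0
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MINLEN" ]; then
        echo "too short: ${#pw} < $MINLEN (minlen)"; return 1
    fi
    # each class below corresponds to one credit=-1 option on the PAM line
    has_class "$pw" '[[:upper:]]' || { echo "no upper-case letter (ucredit=-1)"; return 1; }
    has_class "$pw" '[[:lower:]]' || { echo "no lower-case letter (lcredit=-1)"; return 1; }
    has_class "$pw" '[[:digit:]]' || { echo "no digit (dcredit=-1)"; return 1; }
    # "other" is anything that is neither a letter nor a digit
    has_class "$pw" '[^[:alnum:]]' || { echo "no special character (ocredit=-1)"; return 1; }
    echo ok
}

# constructed sample passwords, not real credentials
for candidate in 'Summer1!' 'summer11' 'Short1!' 'CorrectHorse9'; do
    printf '%-16s %s\n' "$candidate" "$(check_password "$candidate")"
done
```

Run it before changing a password to see which rule the new password would trip; a password that passes here can still be rejected by cracklib's dictionary check.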


2 Password duration:

  • For new accounts the defaults are in /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE); changing them does not affect existing users
  • Settings for existing accounts are the aging fields of /etc/shadow; do not edit the file by hand, change them with the chage command

2.1 chage

chage -l [user]                 show the aging settings for user
chage -E "YYYY-MM-DD" [user]    set the date on which the account expires; -1 removes the expiry date (never)
chage -M [nr] [user]            maximum number of days a password stays valid after its last change; -1 removes the check (never expires)
chage -d "YYYY-MM-DD" [user]    set the date of the last password change; -d 0 forces a change at the next login
chage -W [nr] [user]            number of days of warning before the password expires
chage -I [nr] [user]            days of inactivity after the password expires before the account is locked (capital I; -1 disables)
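The mapping between those chage options and the /etc/shadow fields, as an added example script that is not part of the original note or of shadow-utils. It parses a shadow line passed as text and reports the same states that chage -l derives (password expired, account expired, inactive lock, warning window, forced change); the entries and the "today" value are constructed so it runs offline:

```sh
#!/bin/sh
# Added example: derive the account state from a /etc/shadow line the way
# chage -l does, to show which field each chage option writes.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg/expire are days since 1970-01-01 (chage -d / -E),
# max/warn/inactive are day counts (chage -M / -W / -I).

# shadow_status ENTRY TODAY   (TODAY in days since the epoch)
# prints one of: acct_expired must_change inactive expired warn ok
shadow_status() {
    entry=$1 today=$2
    oldIFS=$IFS
    IFS=:; set -f; set -- $entry; set +f; IFS=$oldIFS
    lastchg=$3 max=$5 warn=$6 inactive=$7 expire=$8

    # chage -E: account expiry is independent of the password age
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
        echo acct_expired; return 0
    fi
    # chage -d 0: last change "day 0" means change at next login
    if [ "$lastchg" = 0 ]; then
        echo must_change; return 0
    fi
    # empty or negative max (chage -M -1): the password never expires
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo ok; return 0
    fi
    expires_on=$((lastchg + max))
    if [ "$today" -gt "$expires_on" ]; then
        # chage -I: after the inactivity window the account itself is locked
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$today" -gt $((expires_on + inactive)) ]; then
            echo inactive
        else
            echo expired
        fi
        return 0
    fi
    # chage -W: inside the warning window
    if [ -n "$warn" ] && [ $((expires_on - today)) -le "$warn" ]; then
        echo warn; return 0
    fi
    echo ok
}

# For a live system use: TODAY=$(( $(date +%s) / 86400 ))
# Here a fixed day and constructed entries (dummy hashes) keep the run reproducible.
TODAY=15000
for entry in \
    'alice:$6$s$h:14950:0:90:7:::' \
    'bob:$6$s$h:14800:0:90:7:30::' \
    'carol:$6$s$h:14800:0:90:7:::' \
    'dave:$6$s$h:14995:0:10:7:::' \
    'eve:$6$s$h:0:0:90:7:::' \
    'frank:$6$s$h:14950:0:90:7::14990:'
do
    printf '%-8s %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$TODAY")"
done
```

Reading the real file needs root (getent shadow "$user" or sed -n "/^$user:/p" /etc/shadow); the status word is a simplification of the several lines chage -l prints, but the arithmetic is the same.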

3 Password repeat history:

  • edit /etc/pam.d/system-auth
    • password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
      remember: number of previous password hashes kept per user in /etc/security/opasswd; a new password must not match any of them
      keep /etc/security/opasswd root-owned with mode 0600, it holds the old hashes
      nullok allows empty passwords and should be dropped on a hardened system


4 Login attempts:

  • check that the PAM module pam_tally2.so is present in /lib/security (/lib64/security on 64-bit systems)
  • edit /etc/pam.d/system-auth
    • auth required pam_tally2.so deny=3 unlock_time=60 lock_time=5
      deny: number of failed attempts allowed before the account is locked; the next attempt is refused even with the correct password
      unlock_time: seconds after the last failure before a locked account is unlocked automatically
      lock_time: seconds during which every login is refused after each failed attempt
      put this line first in the auth stack and add "account required pam_tally2.so" so that a successful login resets the counter
      root is not locked unless even_deny_root is also given
    • failure counts are kept in the binary file /var/log/tallylog; it is not edited by hand but read and reset with the pam_tally2 command
    • pam_tally2 was removed in Linux-PAM 1.5.0; current systems use pam_faillock, which takes the same deny and unlock_time options

4.1 pam_tally2

pam_tally2 -u [user]        show the failed login count for user
pam_tally2 -r -u [user]     reset the failed login count for user (manual unlock before unlock_time elapses)
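How deny, unlock_time and lock_time interact over a sequence of attempts, as an added example script that is not pam_tally2's own code. It replays a constructed attempt log through a simplified model of the documented rules (only real password failures are counted, refused attempts are not), so the lock, the automatic unlock and the reset on success can be seen:

```sh
#!/bin/sh
# Added example, not pam_tally2's code: replay constructed login attempts
# through the rules of the line above
#     deny=3 unlock_time=60 lock_time=5
# Simplified model of the documented behaviour: only real password failures
# bump the counter; attempts refused by lock_time or the lock do not.

DENY=3 UNLOCK_TIME=60 LOCK_TIME=5

# tally_replay reads "EPOCH good|bad" lines on stdin (good/bad being what the
# password check would have returned) and prints "EPOCH count decision".
tally_replay() {
    count=0 last_fail=-1
    while read -r t outcome; do
        [ -z "$t" ] && continue
        if [ "$last_fail" -ge 0 ]; then since=$((t - last_fail)); else since=$UNLOCK_TIME; fi
        if [ "$last_fail" -ge 0 ] && [ "$since" -lt "$LOCK_TIME" ]; then
            # lock_time: every attempt is refused for LOCK_TIME s after a failure
            decision="deny (lock_time: ${since}s since last failure)"
        elif [ "$count" -ge "$DENY" ] && [ "$since" -lt "$UNLOCK_TIME" ]; then
            # deny reached and unlock_time not elapsed: refused even if correct
            decision="deny (locked, unlock in $((UNLOCK_TIME - since))s)"
        else
            # count >= DENY here means unlock_time has elapsed: automatic unlock
            [ "$count" -ge "$DENY" ] && count=0
            if [ "$outcome" = good ]; then
                count=0          # the reset that "account required pam_tally2.so" performs
                decision="allow"
            else
                count=$((count + 1)); last_fail=$t
                decision="deny (bad password, count=$count)"
            fi
        fi
        echo "$t $count $decision"
    done
}

# Constructed attempt log: a retry inside lock_time, three real failures,
# a correct password while locked, then a correct password after unlock_time.
tally_replay <<'EOF'
1000 bad
1002 bad
1010 bad
1020 bad
1030 good
1090 good
EOF
```

The attempt at 1030 is the case the deny option is about: the password is right but the tally is already 3, so it is refused until 60 s after the last failure, or until an administrator runs pam_tally2 -r -u for that user.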