-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpassword_aging.html
159 lines (149 loc) · 7.14 KB
/
password_aging.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
<html>
<head>
<title>Password settings on Linux</title>
<link rel=stylesheet type="text/css" href="css/style.css">
</head>
<body>
<h3>Password settings on Linux</h3>
<p>
The password/# settings covers the following subjects:
<ul>
<li><a href=#AGING>Password aging</a></li>
<li><a href=#COMPLEX>Password complexity</a></li>
<li><a href=#LOCK>Locking User accounts</a></li>
<li><a href=#ACCESS>User access</a></li>
</ul>
</p>
<br><hr><br>
<p>
<a name=AGING></a><h4>Password aging</h4>
Password aging should be set on user accounts and not on the application or system accounts. Changes
to the latter accounts are initiated by Heat tickets.<br>
There are 2 approaches for password aging. The first approach is to change the settings in <b>/etc/#.defs</b>
and then change the system and application accounts with the <b>chage</b> utility to disable password aging for these accounts.
The second approach is to use the <b>chage</b> utility to set password aging on the user accounts. Because of the limited
number of user accounts and the way the accounts are monitored the second approach has been choosen:
<ul>
<li><b>chage -l $USER</b></li>
<li><b>chage -m 7 $USER</b></li>
<li><b>chage -M 60 $USER</b></li>
<li><b>chage -l $USER</b></li>
</ul>
</p>
<p>
<a name=COMPLEX></a><h4>Password complexity</h4>
Default settings on the RedHat Linux OS is to force a password of 9 characters which is not based on a dictionary word.
Although this is confirm $COMPANY requirements a better setting would be to enforce a mixture of uppercase, lowercase and digits in the
password. Also the system should remember the old passwords for half a year:
To enforce this the file <b>/etc/pam.d/system-auth</b> should look like:<br>
<table border="" class=pre_view><tr><td>
auth required /lib/security/$ISA/pam_env.so<br>
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok<br>
auth required /lib/security/$ISA/pam_deny.so<br>
<br>
account required /lib/security/$ISA/pam_unix.so<br>
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet<br>
account required /lib/security/$ISA/pam_permit.so<br>
<br>
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 <b>minlen=8 dcredit=-1 ucredit=-1 lcredit=-1</b><br>
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow <b>remember=26</b><br>
password required /lib/security/$ISA/pam_deny.so<br>
<br>
session required /lib/security/$ISA/pam_limits.so<br>
session required /lib/security/$ISA/pam_unix.so<br>
</td></tr></table>
Please note that the changes can be undone by an upgrade of the OS. Specially if the upgrade runs <b>autoconfig</b> it will
generate a fresh copy of this file.
</p>
<p>
<a name=LOCK></a><h4>Locking User accounts</h4>
To force account locking after 5 times giving a wrong password add the pam_tally module into the file <b>/etc/pam.d/system-auth</b>:
<table border="" class=pre_view><tr><td>
auth required /lib/security/$ISA/pam_env.so<br>
<b>auth required /lib/security/$ISA/pam_tally.so onerr=succeed no_magic_root</b><br>
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok<br>
auth required /lib/security/$ISA/pam_deny.so<br>
<br>
account required /lib/security/$ISA/pam_unix.so<br>
<b>account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset</b><br>
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet<br>
account required /lib/security/$ISA/pam_permit.so<br>
<br>
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1<br>
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=26<br>
password required /lib/security/$ISA/pam_deny.so<br>
<br>
session required /lib/security/$ISA/pam_limits.so<br>
session required /lib/security/$ISA/pam_unix.so<br>
</td></tr></table>
Note: the <b>onerr=succeed</b> is needed for <b>xscreensaver</b>. If there is no X installed it can be changed into: <b>onerr=fail</b>
</p>
<p>
<a name=ACCESS></a><h4>User access</h4>
With the use of the PAM module pam_access the system can be configured that login access is limited to specified users and
specified machines. This way only the users can login but not the system and application accounts.
The way to accomplish this is described below:
<ul>
<li><b>grep -l pam_access /etc/pam.d/*</b> (to find which services have already pam_access; probably only crond)</li>
<li><b>vi /etc/pam.d/sshd</b>
<table border="" class=pre_view><tr><td>
auth required pam_stack.so service=system-auth<br>
auth required pam_nologin.so<br>
<b>account required pam_access.so</b><br>
account required pam_stack.so service=system-auth<br>
password required pam_stack.so service=system-auth<br>
session required pam_stack.so service=system-auth<br>
session required pam_loginuid.so<br>
</td></tr></table>
</li>
<li><b>vi /etc/pam.d/#</b>
<table border="" class=pre_view><tr><td>
auth required pam_securetty.so<br>
auth required pam_stack.so service=system-auth<br>
auth required pam_nologin.so<br>
<b>account required pam_access.so</b><br>
account required pam_stack.so service=system-auth<br>
password required pam_stack.so service=system-auth<br>
# pam_selinux.so close should be the first session rule<br>
session required pam_selinux.so close<br>
session required pam_stack.so service=system-auth<br>
session required pam_loginuid.so<br>
session optional pam_console.so<br>
# pam_selinux.so open should be the last session rule<br>
session required pam_selinux.so open<br>
</td></tr></table>
</li>
<li><b>vi /etc/pam.d/gdm</b>
<table border="" class=pre_view><tr><td>
auth required pam_env.so<br>
auth required pam_stack.so service=system-auth<br>
auth required pam_nologin.so<br>
<b>account required pam_access.so</b><br>
account required pam_stack.so service=system-auth<br>
password required pam_stack.so service=system-auth<br>
session required pam_stack.so service=system-auth<br>
session required pam_loginuid.so<br>
session optional pam_console.so<br>
</td></tr></table>
</li>
<li><b>touch /etc/security/access-cron.conf</b></li>
<li><b>vi /etc/pam.d/crond</b>
<table border="" class=pre_view><tr><td>
auth sufficient pam_rootok.so<br>
auth required pam_stack.so service=system-auth<br>
auth required pam_env.so<br>
account required pam_stack.so service=system-auth<br>
account required pam_access.so <b>accessfile=/etc/security/access-cron.conf</b><br>
session required pam_limits.so<br>
session required pam_loginuid.so<br>
</td></tr></table>
</li>
<li><b>vi /etc/security/access.conf</b>:<br>
<b>-:ALL EXCEPT users oracle:ALL</b><br>
<b>-:oracle:ALL EXECPT $HOSTNAME REMOVED</b><br>
(in this example all real accounts are member of the group <b>users</b>).
</li>
</ul>
</p>
</body>
</html>