Enforce a better user password policy
Intro
This guide is written for sysadmins who wish to exert more influence over the passwords their users are able to choose. There is a FreeBSD (7.0, to be exact) section and a GNU/Linux (CentOS 4.6, to be exact) section. Other operating systems and versions that use PAM should be able to take advantage of the same, or very similar, approaches. Be sure to test on your OS and version to confirm it behaves as you'd expect. This short guide was inspired by some of the thoughtful commentary in the "Hardening FreeBSD" thread, starting from this post.

-----------------------------------------

A word on PAM

In a nutshell, PAM (Pluggable Authentication Modules) is a set of libraries that provide an API for authenticating users on behalf of services. The general idea is that PAM makes authentication configurable, which is exactly what this guide takes advantage of. An in-depth discussion of PAM is well beyond the scope of this guide; I'd recommend a visit to Google, Wikipedia, and/or the documentation on your system, as you prefer. Note that FreeBSD uses OpenPAM by default, and CentOS uses Linux-PAM by default. The differences between the two are not important for the purposes of this guide.

-----------------------------------------

FreeBSD: easy tweaks to enforce better passwords

Here we'll take advantage of the powerful pam_passwdqc module. Edit the /etc/pam.d/passwd file, and change this:

Code:
#password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok

to this:

Code:
password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok

That's it. Seriously. Ok, if you want to actually customize pam_passwdqc's behavior there are a few more steps. From the manpage for pam_passwdqc(8):

Quote:

For example:

Code:
password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users
password required pam_unix.so no_warn try_first_pass nullok

For much more information on the PAM file layout and on pam_passwdqc in particular, it's important to read the manpages, pam_passwdqc(8) above all.

-----------------------------------------

CentOS: tweaks to enforce better passwords

Here we'll take advantage of the powerful, underrated, and rather poorly documented pam_cracklib module. (NB: pam_passwdqc is also available on CentOS, and could be used in much the same way as on FreeBSD.) Like some things in the Linux world, this isn't quite as neat and tidy as our FreeBSD solution. No offense intended; it is still very much workable, just a bit of a hack to preserve our settings. Edit the /etc/pam.d/system-auth file (which /etc/pam.d/passwd includes), and change this line:

Code:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3

to this:

Code:
password requisite /lib/security/$ISA/pam_cracklib.so minlen=12 lcredit=-2 ucredit=-1 dcredit=-1 ocredit=-2 retry=3

The kernel.org entry on pam_cracklib describes it this way:

Quote:

Take the time to read through the pam_cracklib reference cited above. The module performs a number of intelligent checks before it even reaches the minlen and credit rules, to ensure that users are not choosing easily guessable passwords.

Now for the hack job. On CentOS, you may want to make /etc/pam.d/system-auth immutable (chattr +i), or instead modify /etc/pam.d/passwd directly so that it no longer includes system-auth. Without doing one or the other you run the risk of having your customization overwritten by programs that rewrite system-auth.

-----------------------------------------

Closing / call for feedback

This concludes our brief guide on enforcing better passwords using PAM. This is quite a broad and complex subject, so I'd like to encourage any corrections and related additions (e.g. how to require a password change for new or existing users!).
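Postscript with an added example (mine, not code from the original post, and not code from the pam_passwdqc or pam_cracklib projects): before rolling out the two password lines above, it is worth checking what they actually accept. The script below models only the length and character-class arithmetic of the two modules, as documented in their manpages. For pam_cracklib, a positive credit N adds up to N to the length score (one per character of that class), while a negative credit -N adds nothing and instead demands at least N characters of that class; the score must reach minlen. For pam_passwdqc, min=N0,N1,N2,N3,N4 picks the minimum length by the number of classes present (N2 is the passphrase rule and is not modelled), and an upper-case first character or a digit last character does not count towards the class total. The dictionary, palindrome and similarity checks that both modules also run are not modelled, and the sample passwords are constructed for the demonstration.

```python
"""Model of the length/class rules behind the guide's two PAM lines.
Added example: not the original post's code and not the modules' own code.
Only the minlen/credit arithmetic of pam_cracklib and the min=N0..N4 rule of
pam_passwdqc are modelled (no dictionary or similarity checks)."""

# The guide's CentOS line: minlen=12 lcredit=-2 ucredit=-1 dcredit=-1 ocredit=-2
GUIDE_CRACKLIB = dict(minlen=12, lcredit=-2, ucredit=-1, dcredit=-1, ocredit=-2)
# The guide's FreeBSD line: min=disabled,disabled,disabled,12,10
GUIDE_PASSWDQC = ("disabled", "disabled", "disabled", 12, 10)
# pam_passwdqc's documented default, for comparison
DEFAULT_PASSWDQC = ("disabled", 24, 11, 8, 7)


def class_counts(pw):
    """Number of characters in each of the four classes both modules use."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "other": 0}
    for ch in pw:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def cracklib_ok(pw, minlen=9, lcredit=1, ucredit=1, dcredit=1, ocredit=1):
    """pam_cracklib length rule; keyword defaults are the module's own
    (minlen=9, every credit 1), i.e. what the guide's original line used."""
    counts = class_counts(pw)
    score = len(pw)
    for cls, credit in (("lower", lcredit), ("upper", ucredit),
                        ("digit", dcredit), ("other", ocredit)):
        if credit >= 0:
            score += min(counts[cls], credit)   # bonus, capped at the credit
        elif counts[cls] < -credit:
            return False                        # hard minimum for the class
    return score >= minlen


def passwdqc_ok(pw, min_=DEFAULT_PASSWDQC):
    """pam_passwdqc min=N0,N1,N2,N3,N4 rule for single-word passwords.
    A leading upper-case letter and a trailing digit are not counted when
    working out how many classes the password spans."""
    core = pw
    if core and core[0].isupper():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    n_classes = sum(1 for n in class_counts(core).values() if n > 0)
    if n_classes == 0:
        return False
    required = min_[{1: 0, 2: 1, 3: 3, 4: 4}[n_classes]]  # N2 is passphrases
    if required == "disabled":
        return False
    return len(pw) >= required


def evaluate(pw):
    """Verdict of the stock cracklib line, the guide's cracklib line and the
    guide's passwdqc line for one candidate password."""
    return {
        "cracklib_default": cracklib_ok(pw),
        "cracklib_guide": cracklib_ok(pw, **GUIDE_CRACKLIB),
        "passwdqc_guide": passwdqc_ok(pw, GUIDE_PASSWDQC),
    }


# Constructed samples: short-but-mixed, the classic "Password1", a lowercase
# passphrase, and a 12-character four-class password.
SAMPLES = ["Abc12!", "Password1", "correct horse battery staple", "k9#Mzq!r2wLp"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:32} {evaluate(pw)}")
```

The first two samples show why the stock retry=3 line is weak: with every credit at 1, a six-character password drawn from four classes scores 10 against minlen=9 and is accepted, and so is "Password1". Both of the guide's lines reject them, and pam_passwdqc rejects "Password1" even before the length test because, once the leading capital and trailing digit are discounted, it is a one-class password.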