RHEL6–38– IMPLEMENTING PASSWORD POLICY
Securing a system is vital for every admin, and password policy plays a major role in that.
What we will learn in this post (for RHEL 6):
- Minimum password length of 8 characters.
- Password expiry after 90 days.
- Password change warning shown to users 14 days before expiry.
- Users must change the password at their first login.
- Password must contain at least one number.
- Password must contain at least one upper case letter.
- Password must contain at least one lower case letter.
- Password must contain at least one special character.
- Lock account after three failed login attempts.
- Auto unlock account after N minutes.
- Lock even the root user after three failed login attempts.
- Auto logout users after 30 minutes of idle/inactive session.
- Enforce password history for the last three passwords.
Important points to consider before moving forward:
** NO PASSWORD QUALITY OR AGING POLICY BELOW HAS ANY IMPACT ON ROOT (the one exception is the even_deny_root lockout in step 12)
** EVEN AFTER APPLYING ALL POLICIES, ROOT CAN SET ANY PASSWORD (even "abcd") FOR ANY USER: pam_cracklib prints its BAD PASSWORD warnings to root but still accepts the password
** DO NOT FORGET TO MAKE A COPY OF THE FILE/S BEFORE EDITING
1. Minimum password length of 8 characters.
2. Password expiry after 90 days.
3. Password change warning shown to users 14 days before expiry.
[root@rhel6-server ~]# cp /etc/login.defs /etc/login.defs.10FEB18
[root@rhel6-server ~]# vi /etc/login.defs
New values are as follows:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0       <-- 0 is fine for me, explained below
PASS_MIN_LEN 8        <-- this value has no effect on RHEL 6, because passwd goes through PAM and the minimum length is enforced by pam_cracklib.so (step 5 onwards)
PASS_WARN_AGE 14
Explanation:
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
Minimum number of days between password change: 0 means that after I set the password today I can change it again straight away; if I set 2, I can only change it again after 2 days. (A value of 0 also lets a user cycle through several passwords in a row to get past the history check in step 9; set it to 1 or more if that matters to you.)
Note that these login.defs values are only read when an account is created with useradd. They do not change the aging of accounts that already exist; for those use chage (chage -l shows an account's current values).
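Because login.defs only changes accounts created afterwards, it is worth auditing the accounts that already exist. The following script is an added example, not part of the original post: it reads shadow(5) lines, reports accounts whose max-days or warn-days fields violate the 90/14 policy above, and prints the chage commands that would fix them. The sample shadow lines are constructed test data, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the aging fields of
# /etc/shadow against the policy set in login.defs above, since login.defs
# only affects accounts created after the edit. On a real host run
# "audit_shadow < /etc/shadow"; SAMPLE_SHADOW below is constructed test data.

POLICY_MAX_DAYS=90   # PASS_MAX_DAYS
POLICY_WARN_AGE=14   # PASS_WARN_AGE

# Constructed sample in shadow(5) format:
# name:hash:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:17572:0:99999:7:::
test1:$6$saltsalt$hashhash:17572:0:90:14:::
dbadmin:$6$saltsalt$hashhash:17500:0::::
svc:!!:17500:0:99999:7:::'

# Read shadow lines from stdin and print "user max warn" for every account
# whose password expiry or warning period violates the policy. Accounts that
# cannot log in with a password (empty hash, or a hash locked with ! or *)
# are skipped; an empty max/warn field means "never", which also violates it.
audit_shadow() {
    while IFS=: read -r user hash lastchg min max warn rest; do
        case "$hash" in
            ''|'!'*|'*'*) continue ;;
        esac
        bad=0
        if [ -z "$max" ] || [ "$max" -gt "$POLICY_MAX_DAYS" ]; then bad=1; fi
        if [ -z "$warn" ] || [ "$warn" -lt "$POLICY_WARN_AGE" ]; then bad=1; fi
        if [ "$bad" -eq 1 ]; then
            printf '%s %s %s\n' "$user" "${max:-none}" "${warn:-none}"
        fi
    done
}

# Turn the audit result into the chage commands that bring each account
# into policy. They are printed, not executed, so they can be reviewed first.
remediation_commands() {
    audit_shadow | while read -r user max warn; do
        printf 'chage -M %s -W %s %s\n' "$POLICY_MAX_DAYS" "$POLICY_WARN_AGE" "$user"
    done
}

# Usage on the constructed sample: root (99999/7) and dbadmin (never/never)
# are reported, test1 complies, svc is skipped because its hash is locked.
printf '%s\n' "$SAMPLE_SHADOW" | remediation_commands
```

On a live system pipe the output into sh only after reading it, and remember that chage -M also triggers expiry for accounts whose last change is older than the new maximum.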
4. Users must change the password at their first login.
[root@rhel6-server ~]# useradd test1
[root@rhel6-server ~]# passwd test1
Changing password for user test1.
New password: abcd
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: abcd
passwd: all authentication tokens updated successfully.
(This is the root exception mentioned above: the warnings are printed, but root's choice is still accepted.)
After setting the password, we need to expire it to force the user to change it at first login:
[root@rhel6-server ~]# passwd -e test1
Expiring password for user test1.
passwd: Success
passwd -e sets the "last password change" field in /etc/shadow to 0, which is why chage now reports "password must be changed" for every date:
[root@rhel6-server ~]# chage -l test1
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
(Maximum 90 and warning 14 came from login.defs, because test1 was created after the edit in steps 1-3.)
5. Password must contain at least one number.
6. Password must contain at least one upper case letter.
7. Password must contain at least one lower case letter.
8. Password must contain at least one special character.
[root@rhel6-server ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth-10FEB18
[root@rhel6-server ~]# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
The values from minlen= onwards are added at the end of the existing line; the rest of the line is the RHEL 6 default. Make the same change to the pam_cracklib.so line in /etc/pam.d/password-auth, because sshd includes that file rather than system-auth, and a password change forced at SSH login goes through it.
Now expire the password again and log in as test1 to test it:
[root@rhel6-server ~]# passwd -e test1
Expiring password for user test1.
passwd: Success
Passwords tried as test1:
A. C9x2Gd       (6 characters, no special character: rejected)
B. C9x2Gd!      (7 characters: rejected)
C. C9x2Gd!#     (8 characters with all four classes: accepted)
Explanation:
minlen=8      Minimum password length
lcredit=-1    Minimum of 1 lowercase letter
ucredit=-1    Minimum of 1 uppercase letter
dcredit=-1    Minimum of 1 digit
ocredit=-1    Minimum of 1 special (non-alphanumeric) character
The sign matters. A positive value such as dcredit=1 is a credit: each digit (up to that many) counts as one extra character towards minlen, so minlen=8 with credits of 1 for every class accepts passwords shorter than 8. A negative value is a hard minimum for that class and gives no credit, so with the line above minlen=8 is a real length of 8.
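To see why the sign of the credit values matters, the following added example (my own code, not from pam_cracklib or the original post) reimplements the module's minlen/credit arithmetic in shell and runs the three passwords tried above through the post's policy line, then a 6-character password against positive and negative credits. It goes a little beyond the post's own line: it also handles positive credits and the module's floor of 6 on minlen. The function names are my own, and the cracklib dictionary check and the checks against the old password are not reproduced.

```shell
#!/bin/sh
# Added example (not code from pam_cracklib or the original post): reproduce
# the length/credit arithmetic pam_cracklib applies to minlen, dcredit,
# ucredit, lcredit and ocredit, so a candidate policy line can be evaluated
# offline. Characters are classed as digit, upper, lower or "other"
# (everything else). A credit N >= 0 lets up to N characters of that class
# each count as one extra character towards minlen; a credit N < 0 is a hard
# minimum of |N| characters of that class and gives no length credit.
# Not reproduced: the cracklib dictionary check and the comparisons against
# the old password, which the real module runs in addition to this.

export LC_ALL=C

# Count the characters of STRING ($1) that belong to tr(1) set SET ($2).
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Returns 0 (accept) or 1 (reject), like the module's own length test.
cracklib_check() {
    pw=$1 minlen=$2
    # the module never lets minlen drop below 6
    if [ "$minlen" -lt 6 ]; then minlen=6; fi
    digits=$(count_class "$pw" '[:digit:]')
    uppers=$(count_class "$pw" '[:upper:]')
    lowers=$(count_class "$pw" '[:lower:]')
    others=$(( ${#pw} - $digits - $uppers - $lowers ))
    size=$minlen
    for spec in "$3:$digits" "$4:$uppers" "$5:$lowers" "$6:$others"; do
        credit=${spec%%:*}
        have=${spec#*:}
        if [ "$credit" -ge 0 ]; then
            # positive credit: at most $credit characters of this class
            # reduce the length the password still has to reach
            if [ "$have" -gt "$credit" ]; then have=$credit; fi
            size=$(( $size - $have ))
        elif [ "$have" -lt $(( 0 - $credit )) ]; then
            # negative credit: hard minimum for this class, no length credit
            return 1
        fi
    done
    [ "$size" -le "${#pw}" ]
}

# Usage: the three passwords from the post against the post's policy line,
# then a 6-character password against credits of 1 and credits of -1.
for pw in 'C9x2Gd' 'C9x2Gd!' 'C9x2Gd!#'; do
    if cracklib_check "$pw" 8 -1 -1 -1 -1; then echo "$pw: accepted"; else echo "$pw: rejected"; fi
done
if cracklib_check 'Ab1!xy' 8 1 1 1 1; then
    echo "minlen=8 with credits of 1 accepts the 6-character Ab1!xy"
fi
if ! cracklib_check 'Ab1!xy' 8 -1 -1 -1 -1; then
    echo "minlen=8 with credits of -1 rejects it"
fi
```

The point of the last two calls: with dcredit=1 ucredit=1 lcredit=1 ocredit=1 (a common copy-paste), a 6-character password containing one of each class scores 8 and passes, which is exactly what the negative credits in the post prevent.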
9. Enforce password history for the last three passwords.
[root@rhel6-server ~]# vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3
remember=3 is added at the end of the existing line (add it to the same line in /etc/pam.d/password-auth too, so that password changes made through sshd are covered).
Explanation:
remember=3 remembers the last 3 password changes so they can't be repeated.
Does it work? Yes, but it needs a supporting file to store the old password hashes:
[root@rhel6-server ~]# touch /etc/security/opasswd
[root@rhel6-server ~]# chown root:root /etc/security/opasswd
[root@rhel6-server ~]# chmod 600 /etc/security/opasswd
I expired the password of "test1" three times, and after providing three new passwords I was unable to repeat any one of them.
10. Lock account after three failed login attempts.
State of the test user before the change (for reference):
[root@rhel6-server ~]# passwd -S test1
test1 PS 2018-02-10 0 90 14 -1 (Password set, SHA512 crypt.)
[root@rhel6-server ~]# chage -l test1
Last password change                                    : Feb 10, 2018
Password expires                                        : May 11, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
[root@rhel6-server ~]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so deny=3       <-- insert this line here, above pam_unix.so
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally2.so              <-- insert this line here
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
The order matters. The auth line must sit above "auth sufficient pam_unix.so": a sufficient module that succeeds ends the stack, so a pam_tally2.so line placed below it would never be consulted when the correct password is given and the lockout could be bypassed. The account line is where the counter is reset after a successful login. The warning at the top of the file is also real: running authconfig later rewrites both files and drops these manual lines.
Local (console) logins use system-auth, while sshd includes password-auth, so the same two lines go into that file as well:
[root@rhel6-server ~]# cp /etc/pam.d/password-auth /etc/pam.d/password-auth.10FEB18
[root@rhel6-server ~]# vi /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so deny=3       <-- insert this line here, above pam_unix.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
#auth       required      pam_tally2.so deny=2
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally2.so              <-- insert this line here
account     required      pam_unix.so
account     sufficient    pam_localuser.so
#account    required      pam_tally2.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
(The two commented-out pam_tally2.so lines are leftovers from an earlier attempt and are ignored by PAM.)
I tried logging in 4 times with a wrong password, and after that there was no luck even with the correct password.
Check the status of the user:
[root@rhel6-server ~]# pam_tally2
Login           Failures Latest failure     From
test1               4    02/11/18 00:26:45  192.168.135.1
It's locked; let's unlock it (the output shows the counter as it was just before the reset):
[root@rhel6-server ~]# pam_tally2 --user=test1 -r
Login           Failures Latest failure     From
test1               4    02/11/18 00:26:45  192.168.135.1
Check again to confirm whether any user is still locked; with no arguments pam_tally2 lists every user with a non-zero counter, so an empty list means none:
[root@rhel6-server ~]# pam_tally2
11. Auto unlock account after N minutes.
12. Lock even the root user after three failed login attempts.
We can set auto unlock as well with:
auth required pam_tally2.so deny=3 unlock_time=300
(in both files, /etc/pam.d/system-auth and /etc/pam.d/password-auth)
The account will auto unlock 300 seconds (5 minutes) after the last failed attempt; until then pam_tally2 --user=... -r is the only way back in.
We can apply the same to root as well with:
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root
(in both files, /etc/pam.d/system-auth and /etc/pam.d/password-auth)
Be careful with even_deny_root: it applies to every login path that uses these files, including the console, so anyone who can reach a login prompt can lock root out for unlock_time seconds. Keep a root shell open while testing, and consider root_unlock_time= if root should get a different unlock window from ordinary users.
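Getting the line order wrong is the most common way this setup silently fails, so here is an added example (my own, not from the original post) that lints a PAM file for the two conditions the lockout depends on: pam_tally2.so in the auth section before the sufficient pam_unix.so line, and pam_tally2.so in the account section. The sample stacks are constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a PAM stack for
# the two conditions the pam_tally2 setup above depends on, so the check can
# be repeated against /etc/pam.d/system-auth and /etc/pam.d/password-auth
# after editing (and again after authconfig, which rewrites both files).
# GOOD_STACK and BAD_STACK below are constructed sample data.

# pam_tally2_lint < pam-file
# Exit 0 when:
#  1. an "auth" line loading pam_tally2.so appears before the first
#     "auth sufficient pam_unix.so" line (a sufficient module that succeeds
#     ends the stack, so a counter placed below it is skipped on a correct
#     password and deny= is never enforced), and
#  2. an "account required pam_tally2.so" line is present (this is where
#     the counter is reset after a successful login).
# Comment lines and blank lines are ignored.
pam_tally2_lint() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auth" && $3 ~ /pam_tally2\.so$/ && !seen_unix { tally_first = 1 }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_unix\.so$/ { seen_unix = 1 }
        $1 == "account" && $2 == "required" && $3 ~ /pam_tally2\.so$/ { account = 1 }
        END { if (tally_first && account) exit 0; exit 1 }
    '
}

GOOD_STACK='#%PAM-1.0
auth        required      pam_tally2.so deny=3 unlock_time=300
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so'

# pam_tally2.so placed after pam_unix.so: failures are still counted, but a
# correct password is accepted before the deny= check is ever reached.
BAD_STACK='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3
account     required      pam_tally2.so
account     required      pam_unix.so'

if printf '%s\n' "$GOOD_STACK" | pam_tally2_lint; then
    echo "good stack: ok"
fi
if ! printf '%s\n' "$BAD_STACK" | pam_tally2_lint; then
    echo "bad stack: pam_tally2.so does not run before pam_unix.so"
fi
```

On a real host run it as "pam_tally2_lint < /etc/pam.d/system-auth && pam_tally2_lint < /etc/pam.d/password-auth", and check the exit status rather than trusting the absence of output.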
13. Auto logout users after 30 minutes of idle/inactive session.
[root@rhel6-server ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.10FEB18
[root@rhel6-server ~]# vi /etc/ssh/sshd_config
ClientAliveInterval 1800
ClientAliveCountMax 0
Find the above keywords, remove the leading #, and change the values as shown.
[root@rhel6-server ~]# service sshd restart
Two caveats. First, this only covers SSH sessions: console logins, and screen or tmux sessions left running inside an SSH session, are not affected. Second, the behaviour depends on the OpenSSH version. The keepalive probes are answered by the ssh client program, not by the user, so with ClientAliveCountMax greater than 0 an idle session stays up indefinitely. The value 0 works as an idle timeout on the OpenSSH shipped with RHEL 6 (the server drops the connection after the first interval with no traffic from the client), but OpenSSH 8.2 and later treat 0 as "never disconnect". A shell-level timeout (the TMOUT variable) does not depend on the transport and is the usual complement.
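A shell-level idle timeout that does not depend on the SSH transport, as an added example that is not part of the original post: TMOUT makes bash and ksh exit an interactive shell after that many seconds without input. The file name /etc/profile.d/tmout.sh and the variable name IDLE_SECONDS are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): a shell idle timeout that does
# not depend on SSH keepalives. Install as /etc/profile.d/tmout.sh (the name
# is my choice; /etc/profile on RHEL 6 sources every *.sh file in that
# directory). bash and ksh exit an interactive shell when no input arrives
# for TMOUT seconds; readonly stops users from unsetting or lowering it.

IDLE_SECONDS=1800   # 30 minutes, matching ClientAliveInterval above

# Only apply to interactive shells: scripts and non-interactive ssh commands
# ("ssh host cmd") must not be killed by an idle timer.
case "$-" in
    *i*)
        TMOUT=$IDLE_SECONDS
        readonly TMOUT
        export TMOUT
        ;;
esac
```

csh and tcsh users need the equivalent autologout setting in a .csh file under /etc/profile.d, since they do not read TMOUT.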