About Password Policy
Password policy
is a set of rules that must to be satisfied when setting a password.
Password policy is an important factor in computer security, specially
since user passwords are too often the main reason for computer system security breaches.
This is why most companies and organizations incorporate password
policy into the company official regulations. All users and their
passwords must comply to official company password policy.
Password policy usually defines:
- Password Aging
- Password Length
- Password Complexity
- Number of Login Failures
- Re-Used Password Deny
Configuring Password Policy on CentOS 6
Step 1 – Configuring /etc/login.defs
Password
aging controls and password length are defined in /etc/login.defs file.
Password aging refers to the maximum number of days password may be
used, minimum number of days allowed between password changes and more
as seen below and password length refers to the number of characters
that need to be used in password.
To
configure password aging controls and password length edit
/etc/login.defs file and PASS values according to your company policy.
The password aging controls and password length do not affect existing
users – they only affect newly created users! PASS_MAX_DAYS – Maximum
number of days a password may be used. PASS_MIN_DAYS – Minimum number of
days allowed between password changes. PASS_MIN_LEN – Minimum
acceptable password length. PASS_WARN_AGE – Number of days warning given
before a password expires.
Example configuration file /etc/login.defs:
# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. #
# *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail
# Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 90 PASS_MIN_DAYS 2 PASS_MIN_LEN 9 PASS_WARN_AGE 14
...
Step 2 – Configuring /etc/pam.d/system-auth
By
editing /etc/pam.d/system-auth configuration file we can configure the
password complexity and deny a number of re-used passwords. Password
complexity refers to the complexity of the characters used in password
and denying re-used passwords refers to denying the desired number of
passwords the user used in the past. By setting password complexity, we
can force a user to use the desired number of numbers, capital
characters, lower case characters and symbols in his password. If he
does not use the characters we specified the password will not be
accepted by the system.
Force Capital Characters In Passwords – ucredit=-X – where X is the number of capital characters required in password
Force Lower Case Characters In Passwords – lcredit=-X – where X is the number of lower case characters required in password
Force Numbers In Passwords – dcredit=-X – where X is the number numbers required in password
Force The Use Of Symbols In Passwords – ocredit=-X – where X is the number of symbols required in password
password requisite pam_cracklib.so try_first_pass retry=3 type= ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Example configuration file /etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5 password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
Step 3 – Set The Number Of Login Failures
To
set the number of login failures we must edit /etc/pam.d/password-auth
file. Number of login failures refers to the number of failed logins
user can try before his account is locked out. When the account is
locked out system administrator must unlock this account. To configure
the number of login failures two new lines need to be added to
/etc/pam.d/password-auth file. The parameter “deny=X” (where X is the
number of login failures) configures the number of login failures
permitted before the account is locked.
auth required pam_tally2.so deny=3 account required pam_tally2.so
Example configuration file /etc/pam.d/system-auth:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_tally2.so deny=3 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
account required pam_unix.so account required pam_tally2.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
No comments:
Post a Comment