Saturday, 7 June 2014

Password Control

This is part of a series of articles on Red Hat Server Hardening.

Once a user account has been created, the user's access to it can be controlled.

Locking User Accounts

The passwd command can be used to lock and unlock a user's account.
passwd -l username

will lock an account, and
passwd -u username

will unlock it.

Lock Any Accounts With No Password Set

Login as root, and enter the following command
awk -F: '($2 == "") {print $1}' /etc/shadow
This will produce a list of all accounts that have no password set.

Note:- Some systems still store the password in the /etc/passwd file (they shouldn't, but they do!). If this is the case, use /etc/passwd instead of /etc/shadow above.

The lock all empty password accounts:
passwd -l <Account Name>

Change Password Expiration Limits

The chage command displays password expiration details along with last password change date.

To view any existing user’s password ageing information such as expiry date and time, use the following command:
chage -l username

To change password ageing of any user, use the following command.
chage -M 60 -m 7 -W 7 <username>

This sets a maximum age of 60 days, a minimum age of 7 days, and allows the user 7 days warning before the password expires.

Options for chage are as follows:
OptionDescription
-m Minimum number of days a user must go before being able to change their password
-M Maximum number of days a user can go without changing their password
-d The last day the password was changed
-E Specific expiration date for a password, date in format YYYY-MM-DD or MM/DD/YYYY
-I Allowable account inactivity period (in days) after which password will expire
-W Warning period. The number of days before expiration when the user will be sent a warning message
-l Display current expiration controls

Prevent Reuse of Old Passwords

Users should be prevented from reusing old passwords. Old passwords are stored in /etc/security/opasswd. This file must be created before switching on password history, otherwise all user password updates will fail because the pam_unix[1] module will constantly be returning errors from the password history code due to the file being missing.

After creating the file, change the permissions to keep it secure:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd

Open the /etc/pam.d/system-auth file and add the following line to the auth section:
auth        sufficient    pam_unix.so likeauth nullok

Add the following line to the password section:
password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5

This will prevent a user from re-using any of their last 5 passwords.

Force Users to Set Strong Passwords

A number of users use soft or weak passwords and their password might be hacked with a dictionary based or brute-force attacks. The pam_cracklib module, available in the PAM (Pluggable Authentication Modules) module stack, forces users to set strong passwords.

Open the /etc/pam.d/system-auth file and amend or add the entry for pam_cracklib.so:
/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1

This sets the number of times the password may be entered before it fails to 3. The password must be at least 8 characters long, and contain at least 1 lower case character, 2 upper case characters, 1 digit and one other.

[1] qv PAM Overview