Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

User accounts administration

  • 09-08-2006 12:32pm
    #1
    Registered Users, Registered Users 2 Posts: 378 ✭✭


    Hi All,

    I have been presented with the following to make our servers compliant. Any help would be much appreciated. My OS is fedora core 4.

    1. Examine password procedures and observe security personnel to confirm that first-time passwords for new users are set to a unique value per user and changed after first use.

    I can only think of a manual way of making initial passwords unique. To force a change I am using the command chage -d 0 username.

    Does anyone know of a way to ensure that initial passwords are not repeated?

    2. Verify that user password parameters are set to require users to change passwords at least every 90 days

    I am changing 'PASS_MAX_DAYS' in /etc/login.defs to 90, is this sufficient?

    3. Verify that password parameters are set to require passwords to be at least seven characters long

    Change 'PASS_MIN_LENGTH' in /etc/login.defs to 7.

    4. Verify that passwords parameters are set to require passwords to contain both numeric and alphabetic characters

    Ok, I don't have a clue on this one. Is there a configuration for pam_passwdqc that can be changed to enforce this?

    5. Verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords

    Any help at all here would be great!

    Verify that password parameters are set to require that a user’s account is locked out after not more than six invalid logon attempts

    I'm not sure how to set this up, I have tried a few things with pam_tally.so and faillog, but it keeps giving me unexpected results.

    Verify that password parameters are set to require that once a user account is locked out, it remains locked for thirty minutes or until a system administrator resets the account.

    I assume this is just faillog -l 1800 to lock for 30 mins...

    I hope someone can help here....

    Cheers,

    Si


Comments

  • Registered Users, Registered Users 2 Posts: 378 ✭✭sicruise


    Ok I have solved some of these issues myself...

    1. Use a local application for generating a random password.

    After creating the user run 'chage -d 0 username'

    2. Run chage username and fill in appropriate details

    3. Add minlen=7 to the pam_cracklib parameters in the password section of /etc/pam.d/system-auth


    5. Add the following argument to pam_unix.so under password in the /etc/pam.d/system-auth file...

    remember=4

    e.g. password sufficient pam_unix.so remember=4

    ref: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

    6. Add the following lines to /etc/pam.d/system-auth

    auth required /lib/security/pam_tally.so no_magic_root deny=6 reset

    account required /lib/security/pam_tally.so no_magic_root deny=6 reset

    Use faillog to administor this.

    7. 'faillog -l 1800'

    The only problem now is that I can still login as a user even if faillog tells me that the account is locked...

    Also point 4 above... I can't figure out how to force users to have at least an alphanumeric password...



  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Something like the below in /etc/pam.d/system-auth should do sort number 4



    password requisite pam_cracklib.so lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1


    Is this your homework?


  • Registered Users, Registered Users 2 Posts: 378 ✭✭sicruise


    Haha no not homework... cheers for the help....

    I managed to figure out a solution for all 7... here it is if anyone is interested...

    1. Examine password procedures and observe security personnel to confirm that first-time passwords for new users are set to a unique value per user and changed after first use.

    Use a local application for generating a random password.

    After creating the user run 'chage -d 0 username'

    2. Verify that user password parameters are set to require users to change passwords at least every 90 days

    'chage -M 90 username'

    3. Verify that password parameters are set to require passwords to be at least seven characters long

    This is forced in point 5.

    4. Verify that passwords parameters are set to require passwords to contain both numeric and alphabetic characters

    Add the following line to /etc/pam.d/system-auth

    password required pam_passwdqc.so min=disabled,disabled,disabled,disabled,7 similar=deny match=4

    5. Verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords


    Add the following argument to pam_unix.so under password in the /etc/pam.d/system-auth file...

    remember=4

    e.g. password sufficient pam_unix.so remember=4 *other parameters*

    ref: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

    6. Verify that password parameters are set to require that a user’s account is locked out after not more than six invalid logon attempts

    Add the following lines to /etc/pam.d/system-auth

    auth required pam_tally.so onerr=fail deny=6 unlock_time=1800 no_magic_root

    account required pam_tally.so no_magic_root

    Use faillog to administor this.

    To set the users maximum attempts use

    faillog -m 6 -u user

    To unlock the account

    faillog -r -u user

    or

    pam_tally --user user --reset=0

    During the lock period the user will not be able to access the server through ssh, also the root account cannot be locked out.


    7. Verify that password parameters are set to require that once a user account is locked out, it remains locked for thirty minutes or until a system administrator resets the account.

    'faillog -l 1800'


  • Registered Users, Registered Users 2 Posts: 4,864 ✭✭✭MunsterCycling


    Sticky?


  • Registered Users, Registered Users 2 Posts: 304 ✭✭PhantomBeaker


    Sticky?

    Seconded. It's a very useful post/thread.


  • Advertisement
Advertisement