
Wednesday, June 15, 2011

Password Hardening in Linux

It is very important to implement strong password policies on a Linux server.

Every other defence against attack is in vain if we lose the root password.
Passwords for other (non-root) users are considered equally important, since a compromised account can still lead to data theft.

So let's implement it.
The system administrator must ensure that the password composition meets the following basic requirements:
1) Length of 8 characters.
2) At least one uppercase character, digit, or special character.

Let's first observe the system behaviour before implementing password policies.
I added a new user rohan with the password oracle.
(oracle is not a strong password, so passwd printed a warning, but as root it still set the password to oracle.)

# useradd rohan
# passwd rohan
Changing password for user rohan.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Modify the /etc/pam.d/system-auth file.

Replace this line:

password requisite pam_cracklib.so try_first_pass retry=3

with this:

password requisite pam_cracklib.so retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=0

The above line will make sure that the minimum length of a password is 8.

A password must contain at least one lowercase character.

A password must contain at least one uppercase character.

A password must contain at least one decimal digit.

A password must contain at least one special (other) character.

The user will be prompted at most 3 times if the previous attempt fails.

The four parameters "lcredit", "ucredit", "dcredit", and "ocredit" are used to set the maximum credit for lower-case, upper-case, numeric (digit), and non-alphanumeric (other) characters respectively.
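To make the credit arithmetic concrete, here is a small Python model of pam_cracklib's minlen/credit rule. This is an added example, not code from the post or from pam_cracklib itself; it mirrors only the length-plus-credit check (pam_cracklib's "simple" test), not the dictionary, palindrome or similarity checks, so a password it accepts can still be refused by the real module. The option defaults (minlen=9, each credit=1) and the meaning of the values follow the pam_cracklib documentation: a value N >= 0 is a ceiling on how much that character class can lower the effective minimum length, while a value N < 0 means at least |N| characters of that class are required. The constant STRICT_LINE, the function names and the sample passwords are constructed for the example.

```python
"""Added example (not from the post): a model of how pam_cracklib scores
minlen together with lcredit/ucredit/dcredit/ocredit.

Only the length/credit rule is reproduced, not the dictionary, palindrome
or similarity checks, so this is an aid to reading a pam.d line, not a
replacement for the module.
"""
import re
from typing import Dict

# pam_cracklib defaults for the options modelled here.
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}


def parse_cracklib_args(pam_line: str) -> Dict[str, int]:
    """Extract the minlen and credit options from a pam.d line such as
    'password requisite pam_cracklib.so retry=3 minlen=8 lcredit=1 ...'.
    Options absent from the line keep pam_cracklib's defaults; other
    options (retry, try_first_pass, ...) are ignored."""
    opts = dict(DEFAULTS)
    for key, val in re.findall(r"(\w+)=(-?\d+)", pam_line):
        if key in opts:
            opts[key] = int(val)
    return opts


def cracklib_simple_check(password: str, opts: Dict[str, int]) -> bool:
    """Return True if `password` passes the minlen/credit rule.

    credit >= 0: the class may lower the required length by at most
                 `credit` points (a bonus ceiling, not a requirement).
    credit <  0: the password must contain at least |credit| characters
                 of the class, and the class earns no bonus.
    """
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1

    required = opts["minlen"]
    for cls, have in counts.items():
        credit = opts[cls]
        if credit >= 0:
            required -= min(have, credit)
        elif have < -credit:
            return False
    return len(password) >= required


# The line from the post, and a constructed variant that uses negative credits
# to turn "at least one of each class" into an enforced minimum.
POST_LINE = ("password requisite pam_cracklib.so retry=3 "
             "minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=0")
STRICT_LINE = ("password requisite pam_cracklib.so retry=3 "
               "minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1")

if __name__ == "__main__":
    samples = ["abcdefg", "password", "Oracle1", "Ab1!", "Rohan#2011"]  # constructed
    for name, line in (("post", POST_LINE), ("strict", STRICT_LINE)):
        opts = parse_cracklib_args(line)
        for pw in samples:
            verdict = "accept" if cracklib_simple_check(pw, opts) else "reject"
            print(f"{name:6} {pw!r:14} -> {verdict}")
```

Running the script shows the practical effect of the credit sign: with the post's line, a seven-letter lowercase password such as abcdefg is accepted, because its lowercase credit lowers the required length from 8 to 7, whereas with the negative-credit variant a password lacking any one class is rejected outright and minlen=8 is applied to the raw length. Whichever line you deploy, test it the way the post does, by changing the password as the unprivileged user, since root bypasses the check.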

Now log in to the machine as user rohan and try to change the password.
Only a password matching the above criteria will be accepted; otherwise you will receive the following error:
passwd: Authentication token manipulation error

You may find the following articles useful for further study.

http://www.linuxquestions.org/questions/linux-newbie-8/how-to-implement-password-policies-846413/

http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html



Please leave us your comments and queries/suggestions.
I will try to reply as soon as possible.
