User management is one of the important aspects of Linux system administration. Unauthorized access to systems can be prevented by enforcing strong password policies on accounts, which is why this is a mandatory task in system hardening.
In this post we will look at the nine password policies below, which can be implemented in Linux.
- Password Max days
- Password Min days
- Password warning days
- Password history depth
- Password minimum length
- Minimum upper case characters
- Minimum lower case characters
- Minimum digits in password
- Wrong password retry
In the above list the first 3 parameters are related to password ageing, whereas the rest decide password strength.
1. Password Max days
This parameter decides the maximum number of days a password can be used. Once the account password has aged this many days, the user must change it. This prevents users from using the same password for a long duration; in short, it is the maximum number of days a password is valid on the system. This value can be set in the file /etc/login.defs against the parameter PASS_MAX_DAYS as shown below:
File parameter values affect only accounts created after the file has been edited. For existing accounts you need to change this value manually using the chage command with the -M option. You can check the currently set value with the -l option.
Observe in the above example that max days for the existing account has been changed from 30 to 45 days using the chage command.
2. Password min days
This attribute controls the minimum number of days before a password can be changed again, which prevents users from changing passwords too frequently. For example, if this parameter is set to 7 days and a user changes the password today, he will be able to change it again only after 7 days from now. This value can be set in the file /etc/login.defs against the parameter PASS_MIN_DAYS as shown below:
File parameter values affect only accounts created after the file has been edited. For existing accounts you need to change this value manually using the chage command with the -m option.
3. Password warning days
This attribute controls how many days before password expiry the user starts seeing a warning about the password change after login. This gives sysadmins a chance to educate their system users and make them aware of password expiry, so that users can change passwords well before expiry. It does not really add security to the system, but it helps users avoid unwanted service impact due to password expiry. Its value can be defined in the /etc/login.defs file against the PASS_WARN_AGE parameter.
As with the last two parameters, this file parameter value affects only accounts created after the file has been edited. For existing accounts you need to change this value manually using the chage command with the -W option.
4. Password history depth
When a user sets a new password, it is checked against historical passwords. If the user tries to set the same old password, the system forbids that password. The depth of this password history is defined by this attribute: if it is set to 3, the user won't be able to use any password matching his last 3 passwords.
This depth can be set in the /etc/pam.d/system-auth file against the remember parameter.
In the above example the last 2 passwords will be kept in history and checked against the new one, since remember is set to 2.
5. Password minimum length
The minimum number of characters needed in a password is defined by this attribute. This enforces the use of strong passwords. It can be defined in the /etc/pam.d/system-auth file against the minlen parameter.
This is checked whenever a new password is being set.
6. Minimum upper case characters
Another password-strengthening attribute like the previous one. This enforces the use of uppercase characters in the password. It can be defined in the /etc/pam.d/system-auth file against the ucredit parameter.
Example in point 5.
7. Minimum lower case characters
This enforces the use of lowercase characters in the password. It can be defined in the /etc/pam.d/system-auth file against the lcredit parameter.
Example in point 5.
8. Minimum digits in password
This enforces the use of digits in the password. It can be defined in the /etc/pam.d/system-auth file against the dcredit parameter.
Example in point 5.
9. Wrong password retry
This is the number of tries a user gets to enter the password without locking the account. By common convention this is set to 3. Its value can be defined in the retry parameter in the /etc/pam.d/system-auth file.
Example in point 5.
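As an added example (not part of the original post), the following POSIX shell script audits the nine settings from points 1 to 9 by reading a login.defs-style file and a system-auth-style PAM file and grading each value against a hardening baseline. The two sample files, the baseline thresholds and the helper names (login_defs_value, pam_option, check, audit_policy) are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not from the original post: reads a login.defs-style file and a
# system-auth-style PAM file and grades the nine settings against an assumed baseline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the ageing parameters in /etc/login.defs (weak defaults)
cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF

# Constructed sample of the password lines in /etc/pam.d/system-auth
cat > "$WORK/system-auth" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=2
EOF

# login_defs_value FILE KEY -> value of KEY (comment lines never match)
login_defs_value() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}
# pam_option FILE MODULE OPTION -> value of OPTION=... on the password line loading MODULE
pam_option() {
    awk -v m="$2" -v o="$3" '$1 == "password" && $3 == m {
        for (i = 4; i <= NF; i++) { split($i, kv, "="); if (kv[1] == o) print kv[2] }
    }' "$1"
}

# check NAME VALUE OP LIMIT -> prints "OK NAME=VALUE" or "WEAK NAME=VALUE"
check() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then echo "OK   $1=$2"; else echo "WEAK $1=${2:-unset}"; fi
}
# audit_policy DEFS PAM -> one OK/WEAK line per setting. Baseline limits are assumptions;
# for the *credit options a negative value means "at least that many characters required".
audit_policy() {
    check PASS_MAX_DAYS "$(login_defs_value "$1" PASS_MAX_DAYS)" -le 90
    check PASS_MIN_DAYS "$(login_defs_value "$1" PASS_MIN_DAYS)" -ge 1
    check PASS_WARN_AGE "$(login_defs_value "$1" PASS_WARN_AGE)" -ge 7
    check remember "$(pam_option "$2" pam_unix.so remember)" -ge 5
    check minlen  "$(pam_option "$2" pam_cracklib.so minlen)"  -ge 12
    check ucredit "$(pam_option "$2" pam_cracklib.so ucredit)" -le -1
    check lcredit "$(pam_option "$2" pam_cracklib.so lcredit)" -le -1
    check dcredit "$(pam_option "$2" pam_cracklib.so dcredit)" -le -1
    check retry   "$(pam_option "$2" pam_cracklib.so retry)"   -le 3
}
audit_policy "$WORK/login.defs" "$WORK/system-auth"
```

Pointing the two arguments at the real /etc/login.defs and /etc/pam.d/system-auth (or a copy) audits a live RHEL-style host; the sample above deliberately reports the ageing, history and length settings as WEAK.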
Please note that all the configuration files above are taken from the RHEL flavor. If you have any questions, queries, suggestions or corrections, please let us know in the comments.