Section 6.6. User Passwords Are Too Weak


6.6. User Passwords Are Too Weak

One thing that annoys me about Linux is how the default configurations allow simple passwords. Yes, there are warning messages against dictionary words or passwords shorter than six characters. But these are just warnings. By default, most Linux distributions allow simple passwords. SUSE even allows blank passwords.

Fortunately, modern versions of Linux have put some barriers in the way of malicious intruders. For instance, passwords are no longer stored in /etc/passwd, which is world-readable. Instead, they are stored in /etc/shadow, which is readable only by the root user. Still, passwords are subject to dictionary attacks and social engineering (such as when a cracker tries a pet name or favorite term used by the victim). In this section, I'll show how to enforce strong passwords.

One way for an administrator to battle weak passwords is to take on the role of a cracker and run a command such as crack on user passwords. If a password is cracked, the user can be warned, his account can be disabled, or the user can be disciplined in some appropriate fashion. (Of course, management often provides the worst offenders.) But this section focuses on techniques to require strong passwords in the first place.

Keep in mind that the rules we set to protect the security of our passwords probably annoy most users. If the rules are too difficult, users may post their current passwords in the open, next to their workstations.


You can use the chage command to make users change their passwords periodically. You can even set chage to lock out users if passwords aren't changed within a certain period of time. For example, with the following command, you can restrict user michael. If he doesn't change his password every week, he will be unable to log in after that time:

 chage -M 7 -I 7 michael 

This command sets the maximum number of days (-M) for which the password is valid. In this case, user michael is prompted to change his password after seven days. If michael doesn't log in for another seven days, the account is rendered inactive (-I), and michael is locked out.

6.6.1. PAM Password Administration

One way Linux distributions define effective password policies is through Pluggable Authentication Modules (PAM). One example of poor security is provided by the default SUSE configuration, which allows blank passwords with the following commands in /etc/pam.d/login:

 password  required   pam_pwcheck.so  nullok password  required   pam_unix2.so    nullok use_first_pass use_authok 

The first command allows users to enter blank passwords (nullok). The second command supports logins with blank passwords, then checks the first and last time the user logged in for passwords.

Naturally, null passwords are not good when you want a strong password policy. Therefore, if you're running SUSE, I recommend you change the password directives shown to the more secure ones described later in this section.

Linux includes a password strength checker with the cracklib or cracklib2 packages. When combined with PAM and the shadow password suite, this can force your users to choose stronger passwords. All you need is the right PAM module for the passwd command. In Red Hat and SUSE, PAM passwd modules are installed in /etc/pam.d/passwd; in Debian, they refer to /etc/pam.d/common-password.

The key directive in this file is password; the following example from the Debian file checks the password against the cracklib libraries, allows the user to try three times, requires a minimum length of six characters, and allows a group of three characters to be in common between old and new passwords:

 password required pam_cracklib.so retry=3 minlen=6 difok=3 

Naturally, you can make this more complex. The following directive gives the user credit for two characters toward the minimum length of the password for each digit or uppercase character she includes; it gives the user credit for three characters if she includes a punctuation character such as an "!":

 password required pam_cracklib.so retry=3 minlen=10 difok=3 \    dcredit=2 ucredit=2 ocredit=3 

In other words, this module command would allow the following passwords:

 acprksgtlm acp2rgk3 Acp2rgsm Ap2gr! 

By default, when users are required to choose a password, the prompt "New UNIX password" appears. It's a nice enhancement to make the prompt more appropriate for a Linux system by changing "UNIX" to "Linux." Do so by adding the type=Linux option to the password directive just after the pam_cracklib.so entry. For example, the previous command would now be:

 password required pam_cracklib.so type=Linux retry=3 minlen=10 difok=3 \    dcredit=2 ucredit=2 ocredit=3 

The Red Hat/Fedora version of this file refers to the system-auth PAM configuration file, as shown here:

 password   required    pam_stack.so service=system-auth 

When you open /etc/pam.d/system-auth, you can add type=Linux to the following password directive:

 password requisite /lib/security/$ISA/pam_cracklib.so type=Linux retry=3 

Debian has an excellent guide to this process, which is available online in Chapter 4 of http://www.debian.org/doc/manuals/securing-debian-howto.

6.6.2. PAM Options Related to Strong Passwords

To explore the standards you can enforce using the password directive, let's examine each option in more detail:


debug

Adds information to the kernel's logfile, which may be /var/log/messages or /var/log/auth.log.


type= xxx

Configures a new password prompt. The default prompt is "New UNIX password:". I use type=Linux, which creates a "New Linux password:" prompt.


retry= n

Prompts the user n times before returning an error.


difok= n

Defines the degree of similarity between old and new passwords, defined by a group of characters they hold in common; if difok=3, you're allowed to use three of the same characters between passwords.


difignore= n

If the password is at least n characters, the PAM module ignores the difok variable.


minlen= n

Defines the minimum number of characters in the password. This minimum, however, is affected by the dcredit, ucredit, lcredit, and ocredit variables.


dcredit= n

Defines the weight of digits in a password. For example, if dcredit=2, a number in a password gets credit for two characters against the minlen variable.


ucredit= n

Defines the weight of uppercase characters in a password. For example, if ucredit=2, a capital letter in a password gets credit for two characters against the minlen variable.


lcredit= n

Defines the weight of lowercase in a password. For example, if lcredit=2, a lowercase letter gets credit for two characters against the minlen variable.


ocredit= n

Defines the weight of other characters (basically punctuation) in a password. For example, if ocredit=3, a character other than a letter or number gets credit for three characters against the minlen variable.



Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net