6.6. User Passwords Are Too Weak
One thing that annoys me about Linux is how the default configurations allow simple passwords. Yes, there are warning messages against dictionary words or passwords shorter than six characters. But these are just warnings. By default, most Linux distributions allow simple passwords. SUSE even allows blank passwords.
Fortunately, modern versions of Linux have put some barriers in the way of malicious intruders. For instance, password hashes are no longer stored in /etc/passwd, which is world-readable. Instead, they are stored in /etc/shadow, which is readable only by the root user (and, on some distributions, by a dedicated shadow group). Still, passwords are subject to dictionary attacks and social engineering (such as when a cracker tries a pet name or favorite term used by the victim). In this section, I'll show how to enforce strong passwords.
One way for an administrator to battle weak passwords is to take on the role of a cracker and run a command such as crack on user passwords. If a password is cracked, the user can be warned, his account can be disabled, or the user can be disciplined in some appropriate fashion. (Of course, management often provides the worst offenders.) But this section focuses on techniques to require strong passwords in the first place.
You can use the chage command to make users change their passwords periodically. You can even set chage to lock out users if passwords aren't changed within a certain period of time. For example, the following command restricts user michael. His password expires after a week; if he then lets another week go by without changing it, he is locked out:
chage -M 7 -I 7 michael
The -M option sets the maximum number of days for which the password is valid. In this case, michael's password expires seven days after it was last set, and at his next login he is forced to change it before he gets a shell. The -I option sets the number of days of inactivity allowed after that expiry. If michael doesn't log in and change the password within those seven days, the account is locked, and an administrator has to reset it. You can confirm the resulting dates with chage -l michael; they are also visible as the fifth (maximum) and seventh (inactive) fields of michael's line in /etc/shadow.
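To see exactly what -M and -I change, here is an added example (my own code, not the book's) that parses a constructed /etc/shadow record and classifies it for a given day, following the expiry rules of the shadow password suite as I understand them (an assumption to confirm against chage -l on a real system). The user name, the placeholder hash and the day numbers are all made up.

```python
# Added example: a model of how the shadow suite reads the aging fields that
# "chage -M" and "chage -I" write into /etc/shadow.  The ordering of the checks
# follows shadow's isexpired() as I understand it; treat it as an assumption.
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """/etc/shadow stores dates as whole days since 1970-01-01."""
    return (d - EPOCH).days


def parse_shadow_line(line):
    """Split one /etc/shadow record into named fields.

    Empty numeric fields mean "not set" and are returned as -1.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow record: %r" % line)

    def num(s):
        return int(s) if s else -1

    return {
        "name": fields[0],
        "hash": fields[1],
        "lastchg": num(fields[2]),   # day the password was last changed
        "min": num(fields[3]),       # chage -m
        "max": num(fields[4]),       # chage -M: password lifetime in days
        "warn": num(fields[5]),      # chage -W
        "inactive": num(fields[6]),  # chage -I: grace days after expiry
        "expire": num(fields[7]),    # chage -E: absolute account expiry day
    }


def account_state(line, today):
    """Classify a record for a login attempt on `today` (days since epoch).

    Returns one of:
      "expired"     - the -E account expiry date has passed; login refused
      "locked"      - password expired and the -I grace period is over; login refused
      "must_change" - password expired; login proceeds straight into passwd
      "ok"
    """
    sp = parse_shadow_line(line)
    if sp["expire"] > 0 and today >= sp["expire"]:
        return "expired"
    if sp["lastchg"] == 0:              # chage -d 0: force a change at next login
        return "must_change"
    if sp["max"] < 0:                   # no maximum: the password never ages
        return "ok"
    if sp["inactive"] >= 0 and today >= sp["lastchg"] + sp["max"] + sp["inactive"]:
        return "locked"
    if today >= sp["lastchg"] + sp["max"]:
        return "must_change"
    return "ok"


# Constructed record: what "chage -M 7 -I 7 michael" leaves behind when the
# password was last changed on day 12000 (the hash is a placeholder, not real).
MICHAEL = "michael:$1$placeholder:12000:0:7:7:7::"
# Constructed record with typical distribution defaults: 99999-day maximum, no -I.
DEFAULT = "sales:$1$placeholder:12000:0:99999:7:::"


def timeline(line, start, days):
    """State of the account on each of `days` consecutive days from `start`."""
    return [(start + n, account_state(line, start + n)) for n in range(days)]


if __name__ == "__main__":
    for day, state in timeline(MICHAEL, 12000, 16):
        print(day, state)
```

Running it shows the two thresholds the command creates: day 12007 (lastchg + max) flips michael to "must_change", and day 12014 (lastchg + max + inactive) flips him to "locked", while the default record stays "ok" throughout because its inactive field is empty.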
6.6.1. PAM Password Administration
One way Linux distributions define effective password policies is through Pluggable Authentication Modules (PAM). One example of poor security is provided by the default SUSE configuration, which allows blank passwords with the following commands in /etc/pam.d/login:
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
The nullok option on both lines allows empty passwords. The other options on the second line have nothing to do with blank passwords: use_first_pass tells pam_unix2 to reuse the password the first module already collected instead of prompting again, and use_authtok tells it to set the new password that pam_pwcheck has already collected and checked, rather than asking for another one.
Naturally, null passwords are not good when you want a strong password policy. Therefore, if you're running SUSE, I recommend you change the password directives shown to the more secure ones described later in this section.
Linux includes a password strength checker in the cracklib or cracklib2 packages, together with a PAM module, pam_cracklib.so, that calls it. When combined with PAM and the shadow password suite, this can force your users to choose stronger passwords. All you need is the right password directive in the PAM configuration for the passwd command. In Red Hat and SUSE, that configuration is /etc/pam.d/passwd; in Debian, /etc/pam.d/passwd includes /etc/pam.d/common-password, which is where the directive goes.
The key directive in this file is password; the following example from the Debian file checks the password against the cracklib dictionary, allows the user three attempts, requires a minimum length of six characters (counted together with the character-class credits described next), and requires at least three characters of the new password to differ from the old one (difok):
password required pam_cracklib.so retry=3 minlen=6 difok=3
Naturally, you can make this more complex. The credit options let characters from the less common classes count for more than their length. Each option sets the maximum credit a class can earn: with dcredit=2, each digit adds one toward the minimum length, up to two digits; ucredit=2 does the same for uppercase letters; and ocredit=3 gives up to three for punctuation characters such as "!". Lowercase letters keep the default lcredit=1, so they earn at most one. A password is accepted when its length plus its credits reaches minlen:
password required pam_cracklib.so retry=3 minlen=10 difok=3 \
    dcredit=2 ucredit=2 ocredit=3
In other words, this directive would allow the following passwords:
acprksgtlm
acp2rgk3
Acp2rgsm
Ap2gr!
The last one is only six characters long, but it draws one credit each from the uppercase, digit, lowercase, and punctuation classes, which brings it to the required ten.
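The credit arithmetic is easier to trust once you can run it against candidate passwords. The following is an added example of my own, not code from the book or from pam_cracklib: it models only the minlen/credit rule and the difok rule, so a password it accepts can still be rejected by the dictionary, palindrome or rotation checks, and it assumes the default lcredit=1 and the older difok behaviour described in its comments.

```python
# Added example: a model of pam_cracklib's length-credit and difok arithmetic,
# used to see which passwords a "password ... pam_cracklib.so" line lets through.
# It does NOT run the cracklib dictionary, palindrome or rotation checks.

DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1,
            "ocredit": 1, "difok": 5}


def parse_directive(line):
    """Pull the numeric options off a pam_cracklib.so directive."""
    tokens = line.replace("\\", " ").split()
    if "pam_cracklib.so" not in tokens:
        raise ValueError("not a pam_cracklib directive")
    opts = dict(DEFAULTS)
    for tok in tokens[tokens.index("pam_cracklib.so") + 1:]:
        key, sep, value = tok.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
        # retry=, type= and the like do not affect the arithmetic
    return opts


def class_counts(password):
    d = sum(c.isdigit() for c in password)
    u = sum(c.isupper() for c in password)
    l = sum(c.islower() for c in password)
    return {"dcredit": d, "ucredit": u, "lcredit": l,
            "ocredit": len(password) - d - u - l}


def credits(password, opts):
    """Total credit: each class contributes min(count, N) for a credit N >= 0.

    A negative N (e.g. dcredit=-1) is not a credit but a requirement for at
    least |N| characters of that class; return None when it is not met.
    """
    total = 0
    for key, count in class_counts(password).items():
        cap = opts[key]
        if cap >= 0:
            total += min(count, cap)
        elif count < -cap:
            return None
    return total


def required_length(password, opts):
    """Characters the password must actually contain after credits."""
    cr = credits(password, opts)
    return None if cr is None else opts["minlen"] - cr


def long_enough(password, opts):
    req = required_length(password, opts)
    return req is not None and len(password) >= req


def different_enough(old, new, opts):
    """difok=N: at least N characters of the old password must be absent from
    the new one.  (Real pam_cracklib also waives this for much longer new
    passwords; the exact waiver varies by version and is left out here.)"""
    changed = sum(1 for c in old if c not in new)
    return changed >= opts["difok"]


# The directive from the text, without the line continuation.
BOOK_LINE = ("password required pam_cracklib.so retry=3 minlen=10 difok=3 "
             "dcredit=2 ucredit=2 ocredit=3")


def check(old, new, line=BOOK_LINE):
    """Apply both rules; returns (accepted, required_length)."""
    opts = parse_directive(line)
    accepted = long_enough(new, opts) and different_enough(old, new, opts)
    return accepted, required_length(new, opts)


if __name__ == "__main__":
    opts = parse_directive(BOOK_LINE)
    for pw in ["acprksgtlm", "acp2rgk3", "Acp2rgsm", "Ap2gr!", "a1b2c3"]:
        print("%-12s len=%2d credits=%s need>=%s -> %s" % (
            pw, len(pw), credits(pw, opts), required_length(pw, opts),
            "accept" if long_enough(pw, opts) else "reject"))
```

Two things worth noticing in the output: "a1b2c3" is rejected even though it has three digits, because dcredit=2 caps the digit credit at two, so it needs seven characters and has six; and with the simpler minlen=6 directive, five lowercase letters already pass, because every class earns one credit by default. If you want a minimum that ignores credits entirely, set the four credit options to 0.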
By default, when users are required to choose a password, the prompt "New UNIX password" appears. It's a nice enhancement to make the prompt more appropriate for a Linux system by changing "UNIX" to "Linux." Do so by adding the type=Linux option to the password directive just after the pam_cracklib.so entry. For example, the previous command would now be:
password required pam_cracklib.so type=Linux retry=3 minlen=10 difok=3 \ dcredit=2 ucredit=2 ocredit=3
The Red Hat/Fedora version of this file refers to the system-auth PAM configuration file, as shown here:
password required pam_stack.so service=system-auth
When you open /etc/pam.d/system-auth, you can add type=Linux to the following password directive:
password requisite /lib/security/$ISA/pam_cracklib.so type=Linux retry=3
Debian has an excellent guide to this process, which is available online in Chapter 4 of http://www.debian.org/doc/manuals/securing-debian-howto.
6.6.2. PAM Options Related to Strong Passwords
To explore the standards you can enforce using the password directive, let's examine each option in more detail: