PAM AND UNIX PASSWORD POLICIES

Some popular Unix systems such as FreeBSD, Linux, and Solaris contain a Pluggable Authentication Module (PAM) framework, which differs from ISS's PAM feature. PAM controls any user interaction that requires a password from the user: telnet access, logging into the console, or changing a password, for example. PAM implementations are also available for stronger authentication schemes such as Kerberos, S/Key, and RADIUS. The configuration of PAM remains the same regardless of the method or application that is performing the authentication, so let's focus on how to enforce a password policy using PAM.

Linux Implementation

The cracklib (or libcrack) library is a password-checking library developed by Alec Muffett and is part of the default install for Debian, Mandrake, RedHat, and SuSE distributions. It enables system administrators to establish password composition rules that a user's password must meet before the system accepts a password change. This is a proactive step that prevents a user from ever choosing an insecure password, rather than continuously auditing password files to see whether someone has chosen a poor one. To implement password checking, we need only modify a text file containing the PAM configuration. This will be one of two possible files:

 /etc/pam.conf 

or

 /etc/pam.d/passwd 

The entry in the /etc/pam.conf file that relates to password changes looks similar to this:

 passwd password required     /lib/security/pam_cracklib.so retry=3
 passwd password required     /lib/security/pam_unix.so nullok use_authtok

This file is logically divided into five columns. The first column contains the service name: the name of the program affected by the instructions defined in the remaining columns. The /etc/pam.d/passwd file has only four columns because its file name already identifies the service (passwd). This configuration style merely separates each service into its own file, rather than using a monolithic file for multiple services. Regardless of the configuration style, a service may have multiple entries. This is referred to as stacking modules for a service. Here's an example of /etc/pam.d/passwd with stacked modules:

 password required     /lib/security/pam_cracklib.so retry=3
 password required     /lib/security/pam_unix.so nullok use_authtok

The first column indicates the module type to which the entry corresponds. It can contain one of four types (we are interested in modifying the module type that controls password changes):

  • account Controls actions based on a user's (that is, an account's) attributes, such as checking user read-access permissions against a file. For example, you could use an account entry to allow access to a resource such as a file share. However, without an auth entry, the user would not be able to log into the system.

  • auth Performs a challenge/response with the user, such as prompting for a password. This is used whenever the system or resource is going to permit the user to log in.

  • password Updates authentication information, such as changing a user's password. This is not used for validating a user to the system. All it does is permit access to the security system that controls the user's credentials.

  • session Handles actions that occur before or after a service, such as auditing failed logins. For example, this could be used to immediately display the time of day after a user logs into the system. The first entry would be for an auth to validate the user's password, then the next entry would be a session that calls a PAM module to display the current time. Another use of the session could be to perform a specific function when the user logs out of the system, such as writing a log entry or expiring a temporary identifier.

The next column determines the control for a service, or how its execution should be handled. Successful execution implies that the service performs a function, such as changing a user's password. Failed execution implies that the service did not receive the correct data, such as the user's password. The following are the control handles:

  • requisite If the service fails, all subsequent actions (stacked services) automatically fail. This means that nothing else in the stack will succeed.

  • required If the service fails, process subsequent actions, but ultimately fail. If there are other actions in the stack, they might succeed but that will not change the outcome.

  • optional If the service succeeds or fails, process subsequent actions. This will not have a bearing on the overall success of the action or anything in its stack.

  • sufficient If the service succeeds and no requisite or required steps have failed, stop processing actions and succeed.
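To make the interaction between the four control flags concrete, here is a small model of how a stacked service is evaluated under the rules just listed. This is an added example, not code from the book or from any PAM implementation: each stack entry is a (control, module_succeeded) pair in configuration order, and the result is (overall_success, number_of_modules_run). One point the text does not state and the model assumes: a stack in which no required or requisite module failed succeeds, even if it contains only optional modules.

```python
# Added example (not the book's or Linux-PAM's code): evaluate a stack of
# PAM entries under the requisite/required/optional/sufficient rules above.
# Assumption: a stack with no required/requisite failure succeeds, even if
# it holds only optional modules.

def evaluate_stack(stack):
    """stack: list of (control, module_succeeded) in configuration order.
    Returns (overall_success, number_of_modules_run)."""
    required_failed = False
    ran = 0
    for control, ok in stack:
        ran += 1
        if control == "requisite":
            if not ok:
                return False, ran          # stop at once; nothing later can succeed
        elif control == "required":
            if not ok:
                required_failed = True     # keep going, but the outcome is already failure
        elif control == "sufficient":
            if ok and not required_failed:
                return True, ran           # stop processing and succeed
        elif control != "optional":        # optional never changes the outcome
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, ran


# The passwd stack from the text when cracklib rejects the new password:
# the change fails, but pam_unix.so is still run (the user still sees its
# prompts) because the failing entry is 'required', not 'requisite'.
PASSWD_STACK_WEAK = [("required", False),   # pam_cracklib.so: too few credits
                     ("required", True)]    # pam_unix.so

if __name__ == "__main__":
    print(evaluate_stack(PASSWD_STACK_WEAK))                           # (False, 2)
    print(evaluate_stack([("requisite", False), ("required", True)]))  # (False, 1)
    print(evaluate_stack([("sufficient", True), ("required", False)])) # (True, 1)
    print(evaluate_stack([("required", False), ("sufficient", True)])) # (False, 2)
```

The last two calls show why order matters: a sufficient module only short-circuits to success if no required module before it has failed, so placing pam_cracklib.so as required ahead of anything sufficient keeps the composition check from being bypassed.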

The next column contains the module path of the authentication library to use. The module path should contain the full path name to the authentication library. We will be using cracklib, so make sure that pam_cracklib.so is in this column.

The final column contains arguments to be passed to the authentication library. Returning to the first example of /etc/pam.conf, we see that the pam_cracklib.so module must succeed with the retry=3 argument in order for users to change their passwords with the passwd program:

 passwd password required           /lib/security/pam_cracklib.so retry=3 

Cracklib Arguments

Cracklib actually provides more arguments than the simple retry=N. The retry argument merely instructs passwd how many times to prompt the user for the new password. The success or failure of a service that requires pam_cracklib.so relies on the number of "credits" earned by the user. A user can earn credits based on password content. Module arguments determine the amount of credit earned for the particular composition of a new password.

  • minlen=N Default = 9. The minimum length, synonymous with amount of credit, that must be earned. One credit per unit of length. The actual length of the new password can never be less than 6, even with credit earned for complexity.

  • dcredit=N Default = 1. The maximum credit for including digits (0-9). One credit per digit.

  • lcredit=N Default = 1. The maximum credit for including lowercase letters. One credit per letter.

  • ucredit=N Default = 1. The maximum credit for including uppercase letters. One credit per letter.

  • ocredit=N Default = 1. The maximum credit for including characters that are neither letters nor digits. One credit per character.

Five other arguments do not directly affect credit:

  • debug Record debugging information based on the system's syslog setting.

  • difok=N Default = 10. The number of characters in the new password that must not be present in the previous password. If at least 50 percent of the characters differ, this check is ignored.

  • retry=N Default = 1. The number of times to prompt the user for a new password if the previous attempt did not meet the minlen requirement.

  • type=text Text with which to replace the word UNIX in the prompts "New UNIX password" and "Retype UNIX password."

  • use_authtok Used for stacking modules in a service. If this is present, the current module will use the input given to the module above it in the configuration file rather than prompting for the input again. This may be necessary if the cracklib module is not placed at the top of a stack.

Arguments are placed in the last column of the row and are separated by spaces. For example, our administrator wants her users to create 15-character passwords, but the passwords receive up to two extra credits for using digits and up to two extra credits for "other" characters. The /etc/pam.d/passwd file would contain the following (the \ character represents a line continuation in this code):

 password required /lib/security/pam_cracklib.so \
                                  minlen=15 dcredit=2 ocredit=2
 password required /lib/security/pam_unix.so nullok use_authtok md5

Notice that the administrator added the md5 argument to the pam_unix.so library. This enables passwords to be encrypted with the MD5 algorithm. Passwords encrypted with the Data Encryption Standard (DES) algorithm, used by default, cannot be longer than eight characters. Even with generous credit limits, it would be difficult to create a 15-credit password using eight characters! Passwords encrypted with the MD5 algorithm are effectively unlimited in length.

Now let's take a look at some valid and invalid passwords checked by the new /etc/pam.d/passwd file and their corresponding credits. Remember, lcredit and ucredit have default values of 1:

 Password      Credits
 password       9 (8 length + 1 lowercase letter)
 passw0rd!     12 (9 length + 1 lowercase letter + 1 digit + 1 other character)
 Passw0rd!     13 (9 length + 1 uppercase letter + 1 lowercase letter + 1 digit + 1 other character)
 Pa$$w00rd     15 (9 length + 1 uppercase letter + 1 lowercase letter + 2 digits + 2 other characters)

As you can see, high minlen values can require some pretty complex passwords. Twelve credits is probably the lowest number you will want to allow on your system, with fifteen being the upper threshold. Otherwise, you'll have to write down the password next to your computer in order to remember it! (Hopefully not.)
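The credit arithmetic in the Cracklib Arguments list and the four worked passwords above can be reproduced with a short model. The following is an added example, not code from the book or from cracklib itself: it parses the /etc/pam.d/passwd lines shown above (including the backslash continuation), overlays the pam_cracklib.so arguments on the defaults listed in the text, and scores candidate passwords by the credit, minimum-length and difok rules as the text describes them. Real cracklib performs further checks (dictionary words, palindromes and so on) that are not modelled here, and the difok rule is implemented as the text states it rather than as cracklib's exact algorithm.

```python
# Added example (not the book's or cracklib's code): model the pam_cracklib
# credit rules described in the text, driven by a /etc/pam.d/passwd file.

# Constructed copy of the /etc/pam.d/passwd lines from the text, with the
# backslash line continuation.
SAMPLE_PAM_D_PASSWD = """\
password required /lib/security/pam_cracklib.so \\
        minlen=15 dcredit=2 ocredit=2
password required /lib/security/pam_unix.so nullok use_authtok md5
"""

# Defaults as listed in the text.
CRACKLIB_DEFAULTS = {"minlen": 9, "dcredit": 1, "lcredit": 1, "ucredit": 1,
                     "ocredit": 1, "difok": 10, "retry": 1}
ABSOLUTE_MIN_LENGTH = 6  # the text: actual length can never be less than 6


def parse_pam_d(text):
    """Parse /etc/pam.d/<service> lines into (type, control, module, args).
    A trailing backslash joins a line with the next; blanks/comments are skipped."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries


def cracklib_options(entries):
    """Overlay the pam_cracklib.so password entry's arguments on the defaults.
    key=value becomes an int where numeric; bare flags such as debug become True."""
    opts = dict(CRACKLIB_DEFAULTS)
    for module_type, _control, module, args in entries:
        if module_type != "password" or not module.endswith("pam_cracklib.so"):
            continue
        for arg in args:
            key, sep, value = arg.partition("=")
            if not sep:
                opts[key] = True
            else:
                opts[key] = int(value) if value.lstrip("-").isdigit() else value
    return opts


def credits_for(password, opts):
    """One credit per character of length, plus per class min(count, Ncredit)."""
    digits = sum(c in "0123456789" for c in password)
    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    other = len(password) - digits - lower - upper
    breakdown = {"length": len(password),
                 "digit": min(digits, opts["dcredit"]),
                 "lower": min(lower, opts["lcredit"]),
                 "upper": min(upper, opts["ucredit"]),
                 "other": min(other, opts["ocredit"])}
    return sum(breakdown.values()), breakdown


def differs_enough(old, new, difok):
    """difok as the text states it: at least difok characters of the new password
    must be absent from the old one, unless at least half of them already differ."""
    changed = sum(c not in old for c in new)
    return changed >= difok or 2 * changed >= len(new)


def check_password(password, opts, old_password=None):
    """Return (accepted, credits, reason) for a proposed new password."""
    total, _ = credits_for(password, opts)
    if len(password) < ABSOLUTE_MIN_LENGTH:
        return False, total, f"shorter than the absolute minimum of {ABSOLUTE_MIN_LENGTH}"
    if total < opts["minlen"]:
        return False, total, f"{total} credits is below minlen={opts['minlen']}"
    if old_password is not None and not differs_enough(old_password, password, opts["difok"]):
        return False, total, "too similar to the previous password (difok)"
    return True, total, "accepted"


def evaluate_examples(config=SAMPLE_PAM_D_PASSWD):
    """Score the four passwords from the text against the parsed configuration."""
    opts = cracklib_options(parse_pam_d(config))
    return {pw: check_password(pw, opts)
            for pw in ("password", "passw0rd!", "Passw0rd!", "Pa$$w00rd")}


if __name__ == "__main__":
    for pw, (ok, total, reason) in evaluate_examples().items():
        print(f"{pw:<12} {total:2d} credits  {'accepted' if ok else 'rejected'}: {reason}")
```

Running it reproduces the table above: only Pa$$w00rd reaches 15 credits under minlen=15 dcredit=2 ocredit=2, and the other three are rejected with their credit counts (9, 12 and 13) in the reason string. Passing a previous password as old_password also exercises the difok rule.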



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175