Sunday, 9 September 2012

IT password policies

Objective: Implementation of IT password policies.

Environment: Redhat Linux 5.0 32-bit.

Description:

Having worked in the IT industry for quite a long time, I always thought of implementing in Linux Enterprise/Workstation the password policies that are applied through Active Directory (Windows Server).

Browsing the Internet, I found some of the best policies, listed below, and configured them successfully in Linux.

1. Minimum length 8 characters (5 uppercase or 5 lowercase letters, or both; 2 numeric; 1 special character; no dictionary words).
2. Password history - the new password must contain 5 characters that are not found in the old password.
3. Maximum password age - 60 days.
4. Minimum days between password changes - 30 days.
5. Warning before password expiry - 15 days.
6. Account lockout threshold - 3 attempts.
7. Account lockout duration - 30 minutes.

To understand the above, I would suggest being familiar with the following prerequisites:

1. PAM (Pluggable Authentication Modules).
2. Shadow password suite.
3. User administration.

Summary:

1. By default the minimum password length is 5. It can be overridden by the PAM module, which can also require a combination of uppercase, lowercase, digits and special characters.

2. Password history is set by the difok parameter.

All the PAM entries below go in the configuration file "/etc/pam.d/system-auth":

password  required pam_cracklib.so dcredit=-2 ucredit=-3 ocredit=-1 lcredit=-2 minlen=8 difok=5

pam_cracklib: checks the password against dictionary words and against the strength rules given as arguments.
dcredit= Maximum credit for having digits in the new password.
ucredit= Maximum credit for having uppercase letters in the new password.
lcredit= Maximum credit for having lowercase letters in the new password.
ocredit= Maximum credit for having other characters in the new password.
A negative value, as used above, turns the credit into a minimum: dcredit=-2 means at least 2 digits are required, ucredit=-3 at least 3 uppercase letters, and so on.
difok=5: at least 5 characters of the new password must not be present in the old password; however, if at least half of the characters in the new password differ from the old one, the new password is also accepted.
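To see what that pam_cracklib line actually accepts and rejects, here is an added shell script (not part of the post, and not pam_cracklib itself) that re-implements its counting rules offline so a candidate password can be tested before running passwd. It assumes exactly the values used above, leaves out the dictionary check, and applies the difok rule as the post describes it; the sample passwords in it are constructed for the demonstration.

```shell
#!/bin/sh
# Offline re-implementation of the checks behind the post's pam_cracklib line
#   password required pam_cracklib.so dcredit=-2 ucredit=-3 ocredit=-1 lcredit=-2 minlen=8 difok=5
# Added example, not part of the post and not pam_cracklib; the dictionary check
# is out of scope here, and the difok rule follows the post's description.
LC_ALL=C; export LC_ALL

str_len() {
    # str_len STRING -> number of bytes in STRING
    printf '%s' "$1" | wc -c | tr -d ' '
}

count_class() {
    # count_class STRING CLASS -> how many characters of STRING fall in the tr class CLASS
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

chars_not_in_old() {
    # chars_not_in_old NEW OLD -> number of characters of NEW that never occur in OLD
    n=0; i=1; len=$(str_len "$1")
    while [ "$i" -le "$len" ]; do
        c=$(printf '%s' "$1" | cut -c "$i")
        case "$2" in
            *"$c"*) ;;                 # character also present in the old password
            *) n=$((n + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "$n"
}

policy_check() {
    # policy_check NEW [OLD]: prints the first violated rule; returns 0 only when all rules pass
    new=$1; old=${2:-}
    len=$(str_len "$new")
    [ "$len" -ge 8 ]                                   || { echo "minlen=8: too short"; return 1; }
    [ "$(count_class "$new" '0-9')" -ge 2 ]            || { echo "dcredit=-2: need 2 digits"; return 1; }
    [ "$(count_class "$new" 'A-Z')" -ge 3 ]            || { echo "ucredit=-3: need 3 uppercase"; return 1; }
    [ "$(count_class "$new" 'a-z')" -ge 2 ]            || { echo "lcredit=-2: need 2 lowercase"; return 1; }
    [ "$(count_class "$new" 'A-Za-z0-9')" -lt "$len" ] || { echo "ocredit=-1: need 1 special character"; return 1; }
    if [ -n "$old" ]; then
        d=$(chars_not_in_old "$new" "$old")
        # accepted when 5 characters are new, or when at least half of the new password differs
        [ "$d" -ge 5 ] || [ $((d * 2)) -ge "$len" ] \
            || { echo "difok=5: only $d characters differ from the old password"; return 1; }
    fi
    echo "ok"
}

# constructed demonstration values, not real credentials
for candidate in 'e0iqswVI' 'Ab1cDE2f!'; do
    printf '%s: ' "$candidate"
    policy_check "$candidate" || :        # ": " keeps a failing check from aborting under set -e
done
printf 'unchanged password: '
policy_check 'Ab1cDE2f!' 'Ab1cDE2f!' || :
```

The post's own sample output, e0iqswVI, is the first candidate: it fails on dcredit, because it contains a single digit.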

3. Maximum password age, the expiry warning and the minimum days between password changes are set in "/etc/login.defs".
/etc/login.defs: this file defines the site-specific configuration for the shadow password suite. These values apply to accounts created after the change; for existing users the same ageing fields are set with chage.

PASS_MAX_DAYS   60
PASS_MIN_DAYS   30
PASS_MIN_LEN    8
PASS_WARN_AGE   15

4. After 3 attempts with a wrong password, the account must be locked.
pam_unix: This is the standard UNIX authentication module; it uses the standard system calls from the system libraries to retrieve account information (/etc/passwd and /etc/shadow) as well as to authenticate. The remember option is honoured only on its password-type entry (on an auth line it is ignored), so the history setting goes on the password line:

password  sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=3

Q. How will the system know about your old passwords?
Solution:
Once the remember option is enabled, the hashes of your previous passwords are logged in "/etc/security/opasswd"; any attempt to change the password consults this file, and the pam_cracklib checks are loaded to test the new password against your requirements.

5. In a bigger organisation, if accounts get locked out, you do not want to log a case for every password reset. Hence an "auto-unlock" mechanism can be enabled on your accounts.
pam_tally.so: Login counter module.

auth required pam_tally.so onerr=fail deny=3 unlock_time=1800
account required pam_tally.so

The account line is what clears the counter again after a successful login; without it the tally only ever grows.

Q. How will the system know how many attempts were made?
Solution:
This module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail.

After three attempts your account is locked out; however, unlock_time=1800 means the account is automatically unlocked after 30 minutes.

Q. How will a UNIX administrator come to know about the attempts?
Solution:

1. When an account is locked after bad password attempts, you can see that the failure count has reached 3:
     [root@server ~]# faillog -u sunil
     Login       Failures Maximum                 Latest   On
     sunil          3        0   09/09/12 08:38:44 +0530  192.168.56.

2. To reset the account's failure count immediately:
     [root@server ~]# faillog -r sunil

3. Verify the user's account again:
     [root@server ~]# faillog -u sunil
     Login       Failures Maximum                 Latest   On
     sunil          0        0   09/09/12 08:39:46 +0530  192.168.56.

Most users will already be aware of the password policies; however, I wanted to list the password requirements for every user who is about to change their password.

So when you change your password, the pam_echo module is loaded and it prints the requirements below.
password    required      pam_echo.so file=<path of the file>

The file at that path contains the following:

Hi Users,
                   Know your password & account policies:

 *       Minimum length 8 characters, consisting of uppercase, lowercase, digits and special characters.
 *       Do not repeat the old password.
 *       Maximum duration of a password is 60 days.
 *       Minimum days before a password can be changed is 30 days.
 *       Warning before password expiry is 15 days.
 *       Three bad password attempts will lock your account.
 *       The account will be unlocked after 30 minutes.

To help with the above you could use the "genpasswd()" function below, which assists with generating passwords.
Below is the code.

Note:
A random password meeting all the requirements above can be generated with it.

  1. Open your .bashrc, paste the code below and source it.
  genpasswd() {
      local l=${1:-16}          # requested length, default 16
      tr -dc A-Za-z0-9_ < /dev/urandom | head -c "${l}" | xargs
  }

[root@server ~]# genpasswd 8
e0iqswVI
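The generator above draws every character independently, so nothing guarantees that the result passes the pam_cracklib line configured earlier; its own sample output, e0iqswVI, contains a single digit and would be rejected by dcredit=-2. Here is an added alternative, not the post's code, that builds the password by construction: it draws the required 3 uppercase, 2 lowercase, 2 digits and 1 special character first, fills the remainder from letters and digits, and shuffles everything using keys read from /dev/urandom. The special-character set is my own choice.

```shell
#!/bin/sh
# Builds a password that satisfies the post's pam_cracklib rule
# (minlen=8 ucredit=-3 lcredit=-2 dcredit=-2 ocredit=-1) by construction:
# the required characters of each class are drawn first, the rest is filled
# from letters and digits, and the whole set is shuffled.
# Added example, not the post's genpasswd; every byte comes from /dev/urandom.
LC_ALL=C; export LC_ALL

rand_chars() {
    # rand_chars CLASS N -> N random characters from the tr class CLASS
    tr -dc "$1" < /dev/urandom | head -c "$2"
}

shuffle_chars() {
    # one character per input line: prefix each with a random key, sort on it, drop the key
    awk '{ cmd = "od -An -tu4 -N4 /dev/urandom"; cmd | getline k; close(cmd); print k + 0, $0 }' \
        | sort -n | cut -d ' ' -f2- | tr -d '\n'
}

gen_policy_password() {
    # gen_policy_password [LENGTH]; lengths below the policy minimum of 8 are raised to 8
    len=${1:-12}
    [ "$len" -ge 8 ] || len=8
    # mandatory part: 3 uppercase, 2 lowercase, 2 digits, 1 special (the ocredit class; set chosen here)
    mandatory="$(rand_chars 'A-Z' 3)$(rand_chars 'a-z' 2)$(rand_chars '0-9' 2)$(rand_chars '!#$%&*+=@_' 1)"
    filler=''
    if [ "$len" -gt 8 ]; then
        filler=$(rand_chars 'A-Za-z0-9' $((len - 8)))
    fi
    printf '%s' "$mandatory$filler" | fold -w 1 | shuffle_chars
    echo
}

gen_policy_password 12
```

Because the class counts are fixed before shuffling, the output always passes the credit checks; only the dictionary check remains for pam_cracklib to apply, which a random string of this shape does not trip.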

References:

3. The best documentation could be your man pages. Please refer to /usr/share/doc/pam-0.99.6.2/txts

Objective successful