Simple password generator
649%p7^m:x]za[!e%
Read:
Freeradius http://wiki.freeradius.org/HOWTO
Sub-topics
PAM
PAM (Pluggable Authentication Module) provides authentication services. Here's the /etc/pam.d/login PAM file:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
Now let's try to understand it line by line, not counting the #%PAM-1.0 header.
Line 1: Check if the account is logging in from a secure terminal
Line 2: Pass to system-auth's pam setting
Line 3: Check if account's shell is set to nologin
Line 4: Pass to system-auth's pam setting
Line 5: Pass to system-auth's pam setting
Line 6: Pass to system-auth's pam setting
Line 7: Whether to grant additional rights to user
Lines 2, 4, 5 and 6 indicate that authentication must satisfy the rules defined in /etc/pam.d/system-auth. Looking at that file, one will find that PAM tries to authenticate the user with the shadow password, checks /etc/limits, limits the password retry count, etc. Failure to satisfy the rules results in the execution of pam_deny.so (deny the login request) and/or pam_warn.so (log the attempt to syslog).
Password policy
The following password policy aims to provide a good level of security without interfering with users' productivity or introducing unnecessary administrative overhead. It is therefore recommended to implement the following password policy via group policy:
Minimum password length: 8
Password must meet complexity requirements: off (overly complex if enabled)*
Account lockout: 5 tries
Max password age: Changed every 12 months
Keep password history: 5 (Passwords reuse)
Minimum password age: 0 (Password can be changed as frequently as desired)
Automatic login: Prohibited on workstations
* Users should not pick a password of the following categories:
A dictionary word
Contains the login id
Without numbers or non-alphanumeric characters
Linux password generator
apg -M sNCL -x8 -m8 -a0
Generate shadow password with openssl
openssl passwd -1 my-very-secret-password
PAM ubuntu libpam_cracklib.so
Enforce password complexity on Ubuntu Linux. Install the cracklib module:
aptitude install libpam-cracklib
/etc/pam.d/common-password:
# minlen: minimum password length. 7 is generally good
# dcredit: -1 means at least 1 digit
# ocredit: -1 means at least 1 other (non-alphanumeric) character
password requisite pam_cracklib.so \
retry=3 minlen=7 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so \
obscure use_authtok try_first_pass sha512
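The rule format used by both PAM files on this page, as an added example that is not part of the original page: a small Python parser for /etc/pam.d files that handles backslash continuation and bracketed controls, plus a check of the password stack against the minimum length of 8 from the policy list. The names parse_pam and audit_password_stack and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the common-password rules from this page.
SAMPLE = r"""
# dcredit: -1 means at least 1 digit
password requisite pam_cracklib.so \
  retry=3 minlen=7 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so \
  obscure use_authtok try_first_pass sha512
"""

# type, control (one word or a [value=action ...] list), module, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse the text of an /etc/pam.d service file into a list of rule dicts."""
    joined = re.sub(r"\\\n", " ", text)  # trailing backslash continues a rule
    rules = []
    for line in (l.strip() for l in joined.splitlines()):
        if not line or line[0] in "#@":  # blank, comment, or @include directive
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            control = dict(p.split("=", 1) for p in control[1:-1].split())
        rules.append({"type": mtype, "control": control,
                      "module": module, "args": args.split()})
    return rules

def audit_password_stack(rules, min_len=8):
    """Return findings; min_len=8 is the minimum length from the policy list above."""
    pw = [r for r in rules if r["type"] == "password"]
    names = [r["module"] for r in pw]
    if "pam_cracklib.so" not in names:
        return ["no pam_cracklib.so rule in the password stack"]
    idx = names.index("pam_cracklib.so")
    opts = dict(a.split("=", 1) for a in pw[idx]["args"] if "=" in a)
    findings = []
    if "minlen" in opts and int(opts["minlen"]) < min_len:
        findings.append(f"pam_cracklib.so minlen={opts['minlen']} is below {min_len}")
    for r in pw[idx + 1:]:
        # Without use_authtok, pam_unix.so may prompt for a new password itself
        # instead of taking the one pam_cracklib.so already checked.
        if r["module"] == "pam_unix.so" and "use_authtok" not in r["args"]:
            findings.append("pam_unix.so after pam_cracklib.so lacks use_authtok")
    return findings

if __name__ == "__main__":
    for finding in audit_password_stack(parse_pam(SAMPLE)):
        print(finding)
```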