Formatting code for SecurityPassword



{{parent page="Security"}}

==Simple password generator== {{Randompw}}

Read:
Freeradius http://wiki.freeradius.org/HOWTO


**Sub-topics**
~ [[SecurityNIS NIS]]
~ [[FreeRadius Radius]]

=== PAM ===
PAM (Pluggable Authentication Modules) provides authentication services. Here is the /etc/pam.d/login PAM file:
%%
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
%%

Now let's go through it line by line.
Line 1: Check whether the account is logging in from a secure terminal
Line 2: Hand over to the PAM settings of system-auth
Line 3: Check whether the account's shell is set to nologin
Line 4: Hand over to the PAM settings of system-auth
Line 5: Hand over to the PAM settings of system-auth
Line 6: Hand over to the PAM settings of system-auth
Line 7: Whether to grant additional rights to the user

Lines 2, 4, 5 and 6 indicate that authentication must also satisfy the rules defined in /etc/pam.d/system-auth. Looking at that file, one finds that PAM authenticates the user with the shadow password, checks /etc/limits, limits the password retry count, and so on. Failing to satisfy the rules results in the execution of pam_deny.so (deny the login request) and/or pam_warn.so (log the attempt to syslog).
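To see how a login file and the stack it includes combine, here is an added example (not code from the page) that parses pam.d files and expands the legacy pam_stack.so service=X lines into the effective module stack per management group. LOGIN mirrors the /etc/pam.d/login shown above; SYSTEM_AUTH is a constructed file for the example and is not a copy of any distribution's real system-auth.

```python
"""Parse /etc/pam.d files and expand pam_stack.so includes into the effective
module stack per management group (auth/account/password/session).

Added example, not code from the page. LOGIN mirrors the /etc/pam.d/login
shown above; SYSTEM_AUTH is CONSTRUCTED for the example and is not a copy of
any distribution's real file.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LOGIN = """\
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
"""

SYSTEM_AUTH = """\
# constructed for the example
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
"""


@dataclass
class PamEntry:
    mtype: str          # auth / account / password / session
    control: str        # required, requisite, sufficient, optional or [..]
    module: str         # e.g. pam_unix.so
    args: list[str] = field(default_factory=list)


def parse_pam_file(text: str) -> list[PamEntry]:
    """Parse one pam.d file: strips comments, joins backslash continuations
    and keeps bracketed control fields like [success=1 default=ignore]."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        entries.append(PamEntry(tokens[0], control, rest[0], rest[1:]))
    return entries


def expand(files: dict[str, str], name: str, depth: int = 0) -> list[PamEntry]:
    """Effective stack of `name`: each pam_stack.so service=X line is replaced
    by X's entries of the same type (the legacy include mechanism)."""
    if depth > 8:
        raise ValueError("pam_stack.so include loop")
    out = []
    for e in parse_pam_file(files[name]):
        if e.module == "pam_stack.so":
            service = next(a.split("=", 1)[1] for a in e.args if a.startswith("service="))
            out.extend(x for x in expand(files, service, depth + 1) if x.mtype == e.mtype)
        else:
            out.append(e)
    return out


def modules(stack: list[PamEntry], mtype: str) -> list[str]:
    """Module names of one management group, in stack order."""
    return [e.module for e in stack if e.mtype == mtype]


def ends_with_deny(stack: list[PamEntry], mtype: str) -> bool:
    """Lint: a stack that finishes with pam_deny.so fails explicitly when no
    earlier module granted access (the pattern system-auth files rely on)."""
    mods = modules(stack, mtype)
    return bool(mods) and mods[-1] == "pam_deny.so"


if __name__ == "__main__":
    files = {"login": LOGIN, "system-auth": SYSTEM_AUTH}
    for mtype in ("auth", "account", "password", "session"):
        print(mtype, modules(expand(files, "login"), mtype))
```

Running it prints the flattened stacks, so the reader sees that pam_securetty.so runs before anything in system-auth and that the included auth group ends with pam_deny.so. The parser also handles the bracketed control syntax and backslash continuations used in the Ubuntu common-password snippet further down the page.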


=== Password policy ===
The following password policy aims to provide a good level of security while trying not to interfere with users' productivity or introduce unnecessary administrative overhead.

It is therefore recommended to implement the following password policy via group policy:

Minimum password length: 8
Password must meet complexity requirements: off (overly complex if enabled)*
Account lockout: 5 tries
Max password age: Changed every 12 months
Keep password history: 5 (prevents reuse of recent passwords)
Minimum password age: 0 (password can be changed as frequently as desired)
Automatic login: Prohibited on workstations

* Users should not pick a password in any of the following categories:
~ A dictionary word
~ One that contains the login id
~ One without digits or non-alphanumeric characters
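The policy above is stated for group policy, but the same rules are easy to enforce in a self-service password-change tool. The following is an added example (not part of the original page) that checks a candidate password against the listed rules and tracks the 5-try lockout; the DICTIONARY set is a constructed stand-in for a real word list, and the history store uses a plain SHA-256 fingerprint as a simplification where a real system would keep the crypt() hashes.

```python
"""Password-policy checker for the rules listed above.

Added example, not part of the original page. The dictionary below is a
constructed stand-in for a real word list such as the one cracklib uses.
"""
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 8            # Minimum password length: 8
HISTORY_DEPTH = 5         # Keep password history: 5
LOCKOUT_TRIES = 5         # Account lockout: 5 tries

# Constructed stand-in for a real dictionary (e.g. cracklib's word list).
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty"}


def store_hash(password: str) -> str:
    """Fingerprint kept in the history list; a real system keeps the crypt()
    hash from /etc/shadow instead (simplification for the example)."""
    return hashlib.sha256(password.encode()).hexdigest()


def policy_violations(candidate: str, login_id: str, history: list[str]) -> list[str]:
    """Return every policy rule the candidate breaks (empty list = accepted).
    `history` holds store_hash() values of earlier passwords, newest last."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if login_id.lower() in candidate.lower():
        problems.append("contains the login id")
    if not re.search(r"[0-9]", candidate) and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no digit or non-alphanumeric character")
    if store_hash(candidate) in history[-HISTORY_DEPTH:]:
        problems.append("reused: matches one of the last 5 passwords")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account; locks after 5 tries."""

    def __init__(self, max_tries: int = LOCKOUT_TRIES):
        self.max_tries = max_tries
        self.failures = defaultdict(int)

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; True once the account becomes locked."""
        self.failures[account] += 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login resets the counter."""
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures[account] >= self.max_tries


if __name__ == "__main__":
    hist = [store_hash("OldPass#1")]
    for pw in ("welcome", "alice2024!", "OldPass#1", "Tr0ub4dor&3"):
        print(pw, "->", policy_violations(pw, "alice", hist) or "accepted")
```

The checker reports every broken rule at once rather than stopping at the first, which is what a user-facing change-password dialog needs; the lockout counter only resets on a successful login, so the 5-try limit counts consecutive failures as the policy intends.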

===Linux password generator===
%%
apg -M sNCL -x8 -m8 -a0
%%

===Generate shadow password with openssl===
%%
openssl passwd -1 my-very-secret-password
%%

===PAM ubuntu libpam_cracklib.so===
Enforce password complexity on Ubuntu Linux. Install the cracklib module with **aptitude install libpam-cracklib**, then configure it in /etc/pam.d/common-password:
%%(text;/etc/pam.d/common-password)
# minlen: minimum password length. 7 is generally good
# dcredit: -1 means at least 1 digit
# ocredit: -1 means at least 1 "other" character (neither letter nor digit)
password requisite pam_cracklib.so \
retry=3 minlen=7 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so \
obscure use_authtok try_first_pass sha512
%%
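The minlen/dcredit/ocredit settings above interact in a way that is easy to misread: a non-negative credit lets up to that many characters of a class count extra toward minlen, while a negative credit is a hard minimum for the class. The following added example (not cracklib's own code) reproduces that arithmetic for the page's settings, with ucredit and lcredit left at pam_cracklib's default of 1, and mimics the retry=3 behaviour.

```python
"""Emulate pam_cracklib's length/credit arithmetic for the line above.

Added example, not cracklib's own code. The credit rule it reproduces: a
non-negative credit lets up to that many characters of the class count
extra toward minlen; a negative credit is a hard minimum for that class.
"""
from __future__ import annotations


def class_counts(password: str) -> dict[str, int]:
    """Count digits, upper-case, lower-case and 'other' characters."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def check(password: str, minlen: int = 7, dcredit: int = -1, ucredit: int = 1,
          lcredit: int = 1, ocredit: int = -1) -> tuple[bool, str]:
    """Apply the page's settings (minlen=7 dcredit=-1 ocredit=-1; ucredit and
    lcredit at pam_cracklib's default of 1). Returns (accepted, reason)."""
    counts = class_counts(password)
    credited = len(password)
    for cls, credit in (("digit", dcredit), ("upper", ucredit),
                        ("lower", lcredit), ("other", ocredit)):
        if credit >= 0:
            credited += min(counts[cls], credit)   # bonus toward minlen
        elif counts[cls] < -credit:
            return False, f"needs at least {-credit} {cls} character(s)"
    if credited < minlen:
        return False, f"credited length {credited} below minlen {minlen}"
    return True, f"ok: credited length {credited} >= minlen {minlen}"


def with_retries(candidates: list[str], retry: int = 3) -> str | None:
    """Mimic retry=3: the first accepted candidate wins; after `retry`
    rejected candidates the password change is abandoned (None)."""
    for attempt, pw in enumerate(candidates[:retry], start=1):
        accepted, reason = check(pw)
        print(f"attempt {attempt}: {pw!r} -> {reason}")
        if accepted:
            return pw
    return None


if __name__ == "__main__":
    with_retries(["abcdefg", "Ab1!", "Abc1!"])
```

Note the consequence of the default positive credits: the five-character "Abc1!" is accepted against minlen=7 because its upper-case and lower-case characters each add one credit. If the intent is a real 7-character floor, set ucredit=0 and lcredit=0 as well.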