Linux password security

From Levy

Introduction

This artile briefly describes ways to enforce Linux password security.

Password expiry

Expiry defaults

We can manage the password expiry by editing /etc/login.defs. The settings below are relevant:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

These values set the following expiration options:

  • PASS_MAX_DAYS: Maximum number of days a password may be used.
  • PASS_MIN_DAYS: Minimum number of days allowed between password changes.
  • PASS_MIN_LEN: Minimum acceptable password length.
  • PASS_WARN_AGE: Number of days warning given before a password expires.

Force password change on next logon

To force a user to change the password on next logon run the following command:

passwd --expire <username>

Check password settings for a user

Next we check the password expiration for the user:

# chage -l <username>
Last password change                                    : password must be changed
Password expires                                        : password must be changed
Password inactive                                       : password must be changed
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Password complexity options

The password complexity is configured using PAM. The settings can be changed in /etc/pam.d/common-password. for Debian based systems and in /etc/pam.d/system-auth for RedHat based systems. On SuSE based systems you need to use pam-config in order to change the values. If you edit the configuration files directly changes will automatically be reverted back by the configuration tool

Deny password re-use

To avoid the user can re-use the same password over and over again Linux can keep track of the password history and specify the number of "old" passwords that cannot be reused. In the example below it's set to 5.

SuSE

pam-config -a --pwhistory-remember=5

Debian

vi /etc/pam.d/common-password
password        requisite       pam_cracklib.so remember=5

Password minimum length

Longer passwords are safer. So it's a good idea to set a minimum lenght for the passwords users can choose. In the example below we set it to a minimum of 15 characters. SuSE

pam-config -a --cracklib --cracklib-minlen=15

Debian

vi /etc/pam.d/common-password
password        requisite       pam_cracklib.so minlen=15

Minimum number of upper- and lowercase characters

Making a password more complex is a good idea to keep hackers at bay. So we can force the users to choose passwords that at least concist of 1 upper- and 1 lowercase character (or more if desired): SuSE

pam-config -a --cracklib --cracklib-lcredit=-1 --cracklib-ucredit=-1

Debian

vi /etc/pam.d/common-password
password        requisite       pam_cracklib.so ucredit=-1 lcredit=-1