Once a user account has been created, the user's access to it can be controlled.
Locking User Accounts
The passwd command can be used to lock and unlock a user's account.
will lock an account, and
will unlock it.
passwd -l username
will lock an account, and
passwd -u username
will unlock it.
Lock Any Accounts With No Password Set
Login as root, and enter the following commandawk -F: '($2 == "") {print $1}' /etc/shadow
This will produce a list of all accounts that have no password set.
Note:- Some systems still store the password in the /etc/passwd file (they shouldn't, but they do!). If this is the case, use /etc/passwd instead of /etc/shadow above.
The lock all empty password accounts:
passwd -l <Account Name>
Change Password Expiration Limits
The chage command displays password expiration details along with last password change date.To view any existing user’s password ageing information such as expiry date and time, use the following command:
chage -l username
To change password ageing of any user, use the following command.
chage -M 60 -m 7 -W 7 <username>
This sets a maximum age of 60 days, a minimum age of 7 days, and allows the user 7 days warning before the password expires.
Options for chage are as follows:
| Option | Description |
|---|---|
| -m | Minimum number of days a user must go before being able to change their password |
| -M | Maximum number of days a user can go without changing their password |
| -d | The last day the password was changed |
| -E | Specific expiration date for a password, date in format YYYY-MM-DD or MM/DD/YYYY |
| -I | Allowable account inactivity period (in days) after which password will expire |
| -W | Warning period. The number of days before expiration when the user will be sent a warning message |
| -l | Display current expiration controls |
Prevent Reuse of Old Passwords
Users should be prevented from reusing old passwords. Old passwords are stored in /etc/security/opasswd. This file must be created before switching on password history, otherwise all user password updates will fail because the pam_unix[1] module will constantly be returning errors from the password history code due to the file being missing.After creating the file, change the permissions to keep it secure:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
Open the /etc/pam.d/system-auth file and add the following line to the auth section:
auth sufficient pam_unix.so likeauth nullok
Add the following line to the password section:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
This will prevent a user from re-using any of their last 5 passwords.
Force Users to Set Strong Passwords
A number of users use soft or weak passwords and their password might be hacked with a dictionary based or brute-force attacks. The pam_cracklib module, available in the PAM (Pluggable Authentication Modules) module stack, forces users to set strong passwords.Open the /etc/pam.d/system-auth file and amend or add the entry for pam_cracklib.so:
/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
This sets the number of times the password may be entered before it fails to 3. The password must be at least 8 characters long, and contain at least 1 lower case character, 2 upper case characters, 1 digit and one other.
[1] qv PAM Overview ↩
No comments :
Post a Comment