Adding security into Enterprise Linux system-wide authentication mechanism:
Some small modification to default authentication mechanism at RedHat 5/6 based system will increase system security.
First witch from md5 to sha512 hashes: it as easy as executing:
Update your /etc/pam.d/system-auth to the more adequate to the current threats settings:
#%PAM-1.0 # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_unix.so nullok try_first_pass auth sufficient pam_tally2.so deny=10 onerr=fail unlock_time=1200 # lock account after 10 failed attempt. unlock automatically after 20 minutes. auth required pam_deny.so account required pam_tally2.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password required pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5 # instead of default pam_cracklib.so switch to more advanced pam_passwdqc.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so
Brief explanation of pam_passwdqc.so proposed here settings:
min=disabled,disabled,12,8,8 - disallows any length passwords from any single character class, disallows any length passwords from any two character classes, a minimum length of 12 characters for a passphrase a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters from four character classes.the module will ask for a new password if the user fails to provide a sufficiently strong password
max=32 - maximum allowed password length is 32 characters.
passphrase=2 - passphrase must consist of 2 words.
match=4 - check if 4 character substring in password will match dictionary worlds. In this case password complexity requirements will be checked against password with this substring removed.
similar=deny - deny new password to be similar to the old one
random=32 - randomly-generated passphrases will be 32 bit (IMHO byte) long
enforce=everyone - enforce complex passwords
retry=5 - the module will ask 5 times for a new password if the user fails to provide a sufficiently strong password.