Thursday, May 2, 2013


Adding security to the Enterprise Linux system-wide authentication mechanism:

Some small modifications to the default authentication mechanism on RedHat 5/6 based systems will increase system security.

First, switch from md5 to sha512 hashes; it is as easy as executing:

"authconfig --passalgo=sha512 --updateall"

Update your /etc/pam.d/system-auth to settings more adequate to the current threats:

#vi /etc/pam.d/system-auth
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
# lock the account after 10 failed attempts; unlock it automatically after 20 minutes.
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5
# instead of the default pam_cracklib.so, switch to the more advanced pam_passwdqc.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Brief explanation of the pam_passwdqc.so settings proposed here:
min=disabled,disabled,12,8,8 - disallows passwords of any length made from a single character class, disallows passwords of any length made from any two character classes, requires a minimum length of 12 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters for a password from four character classes. The module will ask for a new password if the user fails to provide a sufficiently strong one.
max=32 - the maximum allowed password length is 32 characters.
passphrase=2 - a passphrase must consist of 2 words.
match=4 - checks whether a 4-character substring of the password matches dictionary words. In that case the password complexity requirements are checked against the password with this substring removed.
similar=deny - deny a new password that is similar to the old one.
random=32 - randomly generated passphrases will be 32 bits (IMHO bytes) long.
enforce=everyone - enforce complex passwords.
retry=5 - the module will ask up to 5 times for a new password if the user fails to provide a sufficiently strong one.
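To make the min=/passphrase= rule concrete, here is an added Python re-implementation of passwdqc's length and character-class check for the values used above (example code written for this post, not the module's own code). It assumes ASCII input and covers only that rule; the dictionary, similarity and repetition checks of pam_passwdqc are left out.

```python
import string

DISABLED = 1 << 30  # passwdqc stores "disabled" as INT_MAX: an unreachable length

def parse_min(spec: str) -> list:
    """Parse min=N0,N1,N2,N3,N4 into five integer thresholds."""
    fields = spec.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [DISABLED if f == "disabled" else int(f) for f in fields]

def classify(password: str):
    """Count classes, words and distinct characters as passwdqc does (ASCII assumed)."""
    digits = lowers = uppers = others = words = 0
    prev = " "
    for c in password:
        if c in string.digits:
            digits += 1
        elif c in string.ascii_lowercase:
            lowers += 1
        elif c in string.ascii_uppercase:
            uppers += 1
        else:
            others += 1
        if c.isalpha() and not prev.isalpha():  # a word starts where a letter follows a non-letter
            words += 1
        prev = c
    # A leading capital and a trailing digit are "common ways" and do not add a class.
    if uppers and password[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and password[-1] in string.digits:
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    return classes, words, len(set(password))

def is_strong_enough(password: str, min_spec: str, passphrase_words: int = 2) -> bool:
    """Apply the min=/passphrase= length rule to one candidate password."""
    n0, n1, n2, n3, n4 = parse_min(min_spec)
    classes, words, distinct = classify(password)
    length = len(password)
    # passwdqc also tries every lower class count, so 4 classes can qualify under N3, N1 or N0.
    threshold = {1: n0, 2: n1, 3: n3, 4: n4}
    for n in range(classes, 0, -1):
        if length >= threshold[n] and (n != 1 or distinct >= n0 // 2):
            return True
    # N2 is reserved for passphrases of at least passphrase_words words.
    return words >= passphrase_words and length >= n2
```

With the policy from this post, "Password1" is rejected (the leading capital and trailing digit leave only one class), while "Tr0ub4dor&3" passes as a 3-class password and "correct horse battery staple" passes as a 4-word passphrase.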
