Thursday, May 2, 2013

Adding security to the Enterprise Linux system-wide authentication mechanism:

A few small modifications to the default authentication setup of a RedHat 5/6 based system will noticeably increase its security.

First, switch from MD5 to SHA-512 password hashes. This is as easy as executing:

authconfig --passalgo=sha512 --updateall

Note that this only changes how passwords set from now on are stored: hashes already present in /etc/shadow stay MD5 until each user changes their password (chage -d 0 USER forces that change at the user's next login).
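Because the switch does not rehash existing passwords, the practical follow-up is to find the accounts that still carry an MD5 hash. The script below is an added example, not part of the original post: it classifies shadow entries by the crypt(3) prefix and lists every account whose hash is not SHA-512. The shadow lines embedded in it are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: find accounts whose /etc/shadow hash is not SHA-512 yet.
# The prefix of the crypt(3) string identifies the scheme:
#   $1$ = MD5, $5$ = SHA-256, $6$ = SHA-512; "!!", "!", "*" or empty = no usable hash.

hash_algo() {
    case "$1" in
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$1$'*)          echo md5 ;;
        ''|'!'*|'*'*)    echo locked ;;   # locked or passwordless account
        *)               echo other ;;    # e.g. legacy 13-character DES
    esac
}

# Read shadow-format lines on stdin and print "user algorithm" for every
# account whose password is stored with something other than SHA-512.
weak_hashes() {
    while IFS=: read -r user hash _rest; do
        algo=$(hash_algo "$hash")
        case "$algo" in
            sha512|locked) ;;
            *) printf '%s %s\n' "$user" "$algo" ;;
        esac
    done
}

# Constructed sample shadow entries (not taken from a real system).
SAMPLE_SHADOW='root:$6$rX9pQ2sT$hK4mN7vB1cD3fG5jL8nP0qS2uW4yA6bE8dH0kM2oR4tV6xZ8aC0eF2g/:15827:0:99999:7:::
alice:$1$Ab3dEf9h$Q1bLq3wR5tY7uI9oP0aS/:15827:0:99999:7:::
bob:$5$saltsalt$K8Dk3lP1mNq2rS4tU6vW8xY0zA2bC4dE6fG8hI0jK1/:15827:0:99999:7:::
carol:!!:15827:0:99999:7:::
dave:$6$anothersalt$h5Jk7Lm9Np1Qr3St5Uv7Wx9Yz1Ab3Cd5Ef7Gh9Ij1K/:15827:0:99999:7:::'

# Demo run on the sample data; prints "alice md5" and "bob sha256".
printf '%s\n' "$SAMPLE_SHADOW" | weak_hashes
```

On a live system run the function as root against the real file (weak_hashes < /etc/shadow) and then force the listed users to change their password so the new hash is written with SHA-512.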

Next, update /etc/pam.d/system-auth with settings more adequate to current threats. Do this after the authconfig step: as the header of the file itself warns, authconfig regenerates the file (on RHEL, system-auth is a symlink to the authconfig-managed system-auth-ac) and will discard hand edits.

#vi /etc/pam.d/system-auth
# User changes will be destroyed the next time authconfig is run.
# (Editorial note: the module names in the third column were lost in this copy
#  of the post. They are restored here from the stock RHEL 6 authconfig layout
#  and from the options each line carries; treat them as an assumption and
#  compare with your own file. On RHEL 5 pam_tally.so takes the same
#  deny/onerr/unlock_time options as pam_tally2.so.)

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        sufficient    pam_tally2.so deny=10 onerr=fail unlock_time=1200
# lock the account after 10 failed attempts; unlock automatically after 20 minutes.
auth        required      pam_deny.so

account     required      pam_unix.so
# (module name on the next line not recoverable from this copy of the post;
#  the stock file has "account sufficient pam_localuser.so" here)
account     required
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# instead of the default pam_cracklib.so, switch to the more advanced pam_passwdqc.so
password    required      pam_passwdqc.so min=disabled,disabled,12,8,8 max=32 passphrase=2 match=4 similar=deny random=32 enforce=everyone retry=5
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Brief explanation of the settings proposed here:

deny=10 onerr=fail unlock_time=1200 (pam_tally2) - lock the account after 10 consecutive failed attempts and unlock it automatically after 1200 seconds (20 minutes); onerr=fail makes the module fail closed when it cannot read or write its tally file. Two caveats: root is not locked unless you also add even_deny_root, and the module's own man page lists it as "auth required" before pam_unix.so rather than as "sufficient" after it. Inspect a user's counter with "pam_tally2 --user NAME" and clear a lockout with "pam_tally2 --user NAME --reset".
min=disabled,disabled,12,8,8 - the minimum length for each kind of password: passwords built from a single character class are not allowed at any length, passwords from two character classes are not allowed at any length, a passphrase must be at least 12 characters long, a password from three character classes at least 8, and a password from all four classes at least 8. Keep in mind passwdqc's convention that an upper-case letter at the beginning and a digit at the end do not count as extra classes, so "Password1" is still treated as a one-class password.
max=32 - the maximum allowed password length is 32 characters (the module default is 40).
passphrase=2 - the number of words required before a password counts as a passphrase (and gets the 12-character minimum above); the module default is 3, so 2 is slightly more permissive.
match=4 - the length of a common substring needed to conclude that the new password is based on the old one or on the user's personal data (login name, GECOS field); this is not a dictionary check. A match does not reject the password outright: the strength requirements above are then applied with that substring discounted.
similar=deny - reject a new password that is similar to the old one (judged with the match= length above).
random=32 - the size, in bits, of the randomly generated passphrases the module offers as suggestions; bits, not bytes. 32 is below the module default of 42, so the suggested passphrases are shorter than usual; set random=0 to disable the suggestions instead.
enforce=everyone - apply the checks to root as well as to ordinary users (enforce=users exempts root, enforce=none only warns).
retry=5 - the module will ask up to 5 times for a new password if the user fails to provide a sufficiently strong one (the default is 3).
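To see how the min=disabled,disabled,12,8,8 and passphrase=2 rules play out on real candidates, here is an added example that is not part of the original post and not pam_passwdqc's code: a deliberately simplified shell model of the module's class counting (including the discounted leading upper-case letter and trailing digit) and of the passphrase path. It ignores passwdqc's repeated-character and old-password checks, so use pwqcheck(1) from the passwdqc package for authoritative answers. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: simplified model of how pam_passwdqc picks the min= entry
# that applies to a candidate password.  Not the module's code.

MIN_1=disabled; MIN_2=disabled; MIN_PHRASE=12; MIN_3=8; MIN_4=8   # min=disabled,disabled,12,8,8
PASSPHRASE_WORDS=2                                                  # passphrase=2

# Count character classes the passwdqc way: an upper-case letter at the start
# and a digit at the end are "common usage" and do not count towards a class.
pwq_classes() {
    p=$1
    case "$p" in [[:upper:]]*) p=${p#?} ;; esac
    case "$p" in *[[:digit:]]) p=${p%?} ;; esac
    n=0
    case "$p" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$p" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$p" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$p" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# Number of words (maximal runs of letters) in the candidate.
pwq_words() {
    echo $(( $(printf '%s' "$1" | tr -c '[:alpha:]' ' ' | wc -w) ))
}

# Print "ok ..." and return 0, or print "weak ..." and return 1.
pwq_check() {
    pw=$1
    len=${#pw}
    classes=$(pwq_classes "$pw")
    words=$(pwq_words "$pw")
    # A passphrase with enough words only has to meet the passphrase length.
    if [ "$words" -ge "$PASSPHRASE_WORDS" ] && [ "$len" -ge "$MIN_PHRASE" ]; then
        echo "ok passphrase of $words words, length $len"
        return 0
    fi
    case "$classes" in
        4) min=$MIN_4 ;;
        3) min=$MIN_3 ;;
        2) min=$MIN_2 ;;
        *) min=$MIN_1 ;;
    esac
    if [ "$min" = disabled ]; then
        echo "weak $classes-class passwords are disabled"
        return 1
    fi
    if [ "$len" -lt "$min" ]; then
        echo "weak $classes classes need at least $min characters, got $len"
        return 1
    fi
    echo "ok $classes classes, length $len"
}

# Demo on constructed candidates; "Password1" is rejected as one-class,
# "correct horse" is accepted only because it qualifies as a passphrase.
for candidate in 'password' 'Password1' 'Tr0ub4dor&3' 'correct horse' 'ab cd' 'aB3$'; do
    printf '%-14s -> %s\n' "$candidate" "$(pwq_check "$candidate")"
done
```

The instructive cases are the ones that look strong but are not under this policy: a capitalised word with a digit appended collapses to one class, and a short two-word phrase fails because it meets the word count but not the 12-character passphrase minimum.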
