Hal Pomeranz, [email protected]
Many years ago I wrote an article on 'Strong Password Enforcement with pam_cracklib'. Since that time, there have been some changes in Linux:
- Thorsten Kukuk ([email protected]) developed the pam_pwhistory module to replace the password history functionality implemented in pam_unix.
- RedHat created pam_pwquality, which expands on the functionality in the old pam_cracklib module.
- There is a new pam_tally2 module for doing account lockout on failure.
So while the advice in my previous article is still valid for many Linux distributions, I wanted to develop new guidance based on the current set of available password enforcement modules. Testing for this article was done on a CentOS 7.1 system.
Basic PAM Configuration
On RedHat-based systems, password checks are enabled via configuration in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. Actually, these files are just symbolic links to /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac, respectively, which are the files that authconfig generates. Edit the -ac files, and keep in mind that any later authconfig run rewrites them, so re-check your changes afterwards.
The default password section stacks pam_pwquality in front of pam_unix, with pam_deny at the end, and sets the options discussed below.
The try_first_pass option tells a later module to try using the password entered for a previous module. In that configuration, pam_pwquality will require the user to enter a strong password choice, and the try_first_pass option on pam_unix tells pam_unix to try this choice. Similarly, use_authtok tells pam_unix to use the password from the stacked pam_pwquality module, and to fail rather than prompt again if no such password is available.
Frankly, the try_first_pass option is redundant with the use_authtok option on pam_unix. And try_first_pass isn't necessary for pam_pwquality since there are no modules stacked in front of it.
Other default options set on pam_pwquality include local_users_only, which tells pam_pwquality to skip users that are not in the local /etc/passwd file (for example, users whose accounts are in an LDAP or Active Directory database); those users get no quality checks from this module. The retry option is the number of tries a user gets to pick an acceptable password before the module returns an error.
By default, the prompt the user gets when entering their password is 'New password:'. If the administrator sets authtok_type=FOO, the prompt becomes 'New FOO password:'.
For pam_unix, the sha512 option means use a password hashing routine based on the SHA512 algorithm. blowfish is also supported along with several other, less secure, choices. The shadow option means maintain password hashes in a separate /etc/shadow file that is only readable by the root user. This option should always be set. nullok means allow user accounts that have null password entries. Personally, I would recommend removing this option. Note that nullok also appears on the pam_unix line in the auth section, and that is the one that actually lets an account with an empty hash log in, so remove it from both places.
Taking all of this advice together, a better default configuration drops try_first_pass from both lines and nullok from pam_unix.
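Written out, the default password section and the trimmed version. This is an added illustration rather than the article's own listing: the first three lines are the authconfig-generated stack on CentOS 7 (the empty authtok_type= is what authconfig emits and leaves the prompt at 'New password:'), and the second three apply the changes just described.

```text
# Default password section as generated by authconfig on CentOS 7
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

# Trimmed: try_first_pass dropped from both modules, nullok removed from pam_unix
password    requisite     pam_pwquality.so local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
```

Keep the order: pam_pwquality must run first so that the password it collects is the one pam_unix consumes via use_authtok.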
Standard Checks
pam_pwquality performs a number of basic checks, just like the old pam_cracklib module. Two caveats apply to all of them: the comparisons against the old password can only happen when the old password is known, that is, when users change their own password rather than having root set it for them, and, as with pam_cracklib, root is only warned about a failed check unless enforce_for_root is set. The basic checks are:
- Is the new password just the old password with the letters reversed ('password' vs. 'drowssap') or rotated ('password' vs. 'asswordp')?
- Does the new password only differ from the old one due to change of case ('password' vs. 'Password')?
- Are at least some minimum number of characters in the new password not present in the old password? The difok parameter is used to set the minimum number of differences (default is difok=5).
However, pam_pwquality adds several other checks that can be enabled at the administrator's discretion (none of these checks are enabled by default):
- gecoscheck
- Do not allow any of the words in the user's 'full name' (GECOS)field from /etc/passwd to be used in their password choice.
- maxrepeat=N
- Reject passwords that have more than N of the same characters in a row ('aaaaaa').
- maxsequence=N
- Reject passwords that contain a monotonic run of more than N characters, such as '12345', 'abcde' or 'fedcb'. Keyboard walks like 'QWERTY' are not monotonic, so this check does not catch them.
- maxclassrepeat=N
- Reject passwords with more than N consecutive characters of the same class, where the classes are lower-case, upper-case, digits and everything else (punctuation such as '!@#$%'). This is the check that stops 'QWERTY' and '!@#$%'. Of the two, maxclassrepeat is the one I recommend setting; pick N with your minlen in mind, since maxclassrepeat=4 rejects any five lower-case letters in a row.
Length and Strength
pam_pwquality uses a 'scoring' system that combines password length requirements with a 'credit' system based on the number of different types of characters used. This is identical to the old pam_cracklib module.
You start with the minlen=N parameter, which sets the minimum acceptable score for a password. The score is the password's length plus one 'credit' each for using a lower-case letter, an upper-case letter, a number, and a punctuation character. So if minlen=15, the user could still use an 11 character password if it contained all four character classes.
It is important to note that even a monocase password gives the user one 'length credit', because lcredit defaults to 1. So if you set minlen=15 you are really saying that you allow 14 character monocase passwords.
While users normally get a maximum of one credit per type of character, you can use the lcredit, ucredit, dcredit, and ocredit parameters to create a different scheme, for instance minlen=19 lcredit=0 ucredit=1 dcredit=1 ocredit=2. In that example, no credits are given for lower-case letters (lcredit=0). Upper-case letters (ucredit=1) and digits (dcredit=1) can give up to one credit, which is the default. Users may receive credits for up to two punctuation characters (ocredit=2) if they are included in the password. Since minlen=19, the user must still come up with at least a 15 character password, even if they get all possible credits.
If you want to require users to use certain character classes, use negative values: dcredit=-1 means at least one digit is required, ocredit=-2 means at least two punctuation characters, and so on. Combined with minlen, such a setting can, for example, require a 15 character password with at least one digit and one punctuation-type character. Note that requiring the password to contain certain character types actually makes life easier for somebody who is trying to brute-force your user passwords, since they can skip testing strings that don't match your requirements.
pam_pwquality also supports a minclass=N parameterthat requires characters from at least N of the four different characterclasses. This is probably a better way to go than specifically requiringa specific type of character.
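The arithmetic in the last few paragraphs is easy to get wrong when you set a policy, so here is a small emulator of it that you can run against candidate settings before they go into PAM. It is an added example of mine, not code from the article or from libpwquality. The credit rules follow my reading of the libpwquality source, and one detail is flagged as an assumption in the code: a class given a negative credit is required but not capped, so every one of its characters still adds one to the score. The sample passwords are constructed.

```shell
#!/bin/sh
# Emulator for the pam_pwquality length/credit arithmetic (added example,
# not code from the article or from libpwquality).
#
#   pwq_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT MINCLASS
#
# Exit status 0 means the policy would accept the password, 1 means reject;
# the reason is printed. Credit rules as I read them from libpwquality:
#   N >= 0  each character of the class adds 1 to the score, at most N times
#   N <  0  at least -N characters of the class are required

export LC_ALL=C   # ASCII-only tr(1) ranges, like isdigit/isupper in the C locale

# count STRING SET: how many characters of STRING fall in tr(1) set SET
count() {
    n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
    echo $((n))
}

# credit COUNT N: score contributed by COUNT characters of one class under
# credit parameter N, or "missing" if a required class is absent.
# Assumption: a required class (N < 0) is not capped, so every one of its
# characters still counts toward the score.
credit() {
    if [ "$2" -lt 0 ]; then
        if [ "$1" -lt $((0 - $2)) ]; then echo missing; else echo "$1"; fi
    elif [ "$1" -gt "$2" ]; then
        echo "$2"
    else
        echo "$1"
    fi
}

pwq_check() {
    pw=$1 minlen=$2 lcredit=$3 ucredit=$4 dcredit=$5 ocredit=$6 minclass=$7
    lowers=$(count "$pw" 'a-z')
    uppers=$(count "$pw" 'A-Z')
    digits=$(count "$pw" '0-9')
    others=$(( ${#pw} - lowers - uppers - digits ))   # punctuation, space, anything else

    # minclass: how many of the four classes appear at all
    classes=0
    for n in "$lowers" "$uppers" "$digits" "$others"; do
        if [ "$n" -gt 0 ]; then classes=$((classes + 1)); fi
    done
    if [ "$classes" -lt "$minclass" ]; then
        echo "rejected: $classes character classes, minclass=$minclass"
        return 1
    fi

    # score = raw length + credits
    score=${#pw}
    for pair in "$lowers/$lcredit" "$uppers/$ucredit" "$digits/$dcredit" "$others/$ocredit"; do
        c=$(credit "${pair%/*}" "${pair#*/}")
        if [ "$c" = missing ]; then
            echo "rejected: a required character class is missing"
            return 1
        fi
        score=$((score + c))
    done
    if [ "$score" -lt "$minlen" ]; then
        echo "rejected: length ${#pw} + credits = $score, below minlen=$minlen"
        return 1
    fi
    echo "accepted: length ${#pw} + credits = $score, minlen=$minlen"
}

# The article's scenarios, run on constructed sample passwords
for args in \
    'abcdefghijklmn 15 1 1 1 1 0' \
    'abcdefghijklm 15 1 1 1 1 0' \
    'aB3!efghijk 15 1 1 1 1 0' \
    'Ab1!@cdefghijkl 19 0 1 1 2 0' \
    'abcdefghijklmno 15 0 0 -1 -1 0' \
    'abcdefghijklmno 8 1 1 1 1 3'
do
    set -- $args
    printf '%-20s ' "$1"
    pwq_check "$@" || :
done
```

The first two runs show the monocase credit at work (14 lower-case letters pass minlen=15, 13 do not), the third shows 11 characters from all four classes reaching 15, the fourth is the minlen=19 scheme from above, and the last two exercise a required class and minclass.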
On RedHat systems, all of the parameters we've been discussing in the last two sections can be set in /etc/security/pwquality.conf, which pam_pwquality reads before its module arguments (so arguments in the PAM files override the file). This is probably easier than hacking the parameters into long lines in the PAM configuration files.
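A pwquality.conf that captures the settings discussed above, as an added illustration (my file, not one from the article; the values are the ones the text recommends or uses):

```text
# /etc/security/pwquality.conf
# Arguments on the pam_pwquality.so line in the PAM files override these.

# 19 means 15 real characters for a password that earns all four credits
minlen = 19
# characters from at least three of: lower-case, upper-case, digit, other
minclass = 3
# at least 5 characters of the new password must not appear in the old one
difok = 5
# no more than 3 identical characters in a row
maxrepeat = 3
# no more than 4 consecutive characters of the same class
maxclassrepeat = 4
# reject words taken from the user's GECOS (full name) field
gecoscheck = 1
```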
Dictionary Checks
On RedHat systems, passwords are checked against a dictionary stored in /usr/share/cracklib/pw_dict.*. The files are in a database format that can be built using the create-cracklib-dict program. Use the cracklib-unpacker program to see the contents of the current system dictionary. If you build a dictionary of your own (company names, product names, local slang), point pam_pwquality at it with the dictpath parameter.
Debian systems typically place their dictionaries in/var/cache/cracklib. There's a nightly cron job thatruns update-cracklib to rebuild the dictionary.
Password History
The password history checking code in pam_unix (the remember= option) is being deprecated in favor of the new pam_pwhistory module. However, if you're familiar with the old way of doing things, you'll find that the parameters used by pam_pwhistory are the same.
A typical configuration stacks pam_pwhistory between pam_pwquality and pam_unix, with use_authtok so that it checks the password pam_pwquality has already collected instead of prompting for it again.
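That stacking, written out as an added example (my reconstruction, not the article's listing), using the trimmed pam_pwquality and pam_unix options from the earlier section:

```text
password    requisite     pam_pwquality.so local_users_only retry=3
password    required      pam_pwhistory.so remember=400 use_authtok
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
```

pam_pwhistory is 'required' rather than 'requisite' here, so a reused password is reported only after the rest of the stack runs; make it 'requisite' if you prefer the user to hear about it immediately.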
The remember=N parameter says how many old passwords toremember for each user. The default is 10, and 400 is an internalhard-coded maximum. Even if you were to force users to change passwordsmonthly, that still gives you more than 30 years of password history.So remember=400 is effectively infinite.
The old password hashes for users are stored in /etc/security/opasswd, one line per user holding the user name, numeric UID, number of stored hashes and the comma-separated hashes themselves. Protect that file like /etc/shadow: it is root-only by default and should stay that way.
Password Expiration
Password expiration is still controlled by pam_unix.You get to control:
- PASS_MAX_DAYS
- The number of days a password may be used before change is forced.
- PASS_WARN_AGE
- How many days before the password expires do you start warning theuser of the upcoming change?
- PASS_MIN_DAYS
- How many days must the user wait before being allowed to change theirpassword again?
- INACTIVE
- How many days after the password expires may the user still log in (and be forced to change it) before the account is locked for inactivity? Set this to -1 to prevent lockouts.
You can set defaults for the first three parameters in /etc/login.defs. The default setting for INACTIVE is found in /etc/default/useradd. Note that these defaults are only applied when an account is created with the built-in useradd command; changing them later does not touch existing entries in /etc/shadow, which you must update with chage.
You can manually set these parameters on a user's account usingthe chage command. You can view the settings for a userby inspecting their /etc/shadow entry (see 'man 5 shadow'for which field is which).
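To see what those fields mean in practice, here is an added example of mine (not code from the article) that classifies /etc/shadow entries the way pam_unix does at login. It is a simplified model of pam_unix's expiry check; the sample entries and the fixed 'today' value are constructed.

```shell
#!/bin/sh
# Classify /etc/shadow entries the way pam_unix's expiry check does at login
# (added example, a simplified model of that check, not code from the article).
# Fields ('man 5 shadow'), colon separated:
#   1 name  2 hash  3 last change (days since 1970-01-01)  4 min  5 max
#   6 warn  7 inactive  8 account expiry (days since 1970-01-01)  9 reserved
# An empty field means "not set" (chage -l prints these as -1).
#
#   shadow_state SHADOW_LINE TODAY_IN_DAYS
# prints: ok | warn | expired (must change now) | locked (INACTIVE exceeded)
#         | disabled (account expiry date passed) | noexpiry

# field N LINE: the N-th colon-separated field of LINE
field() { printf '%s' "$2" | cut -d: -f"$1"; }

shadow_state() {
    line=$1 today=$2
    lastchg=$(field 3 "$line") max=$(field 5 "$line") warn=$(field 6 "$line")
    inact=$(field 7 "$line") expire=$(field 8 "$line")

    # chage -E: the whole account is disabled once that day arrives
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        echo disabled; return 0
    fi
    # empty last-change field: ageing is switched off for this account
    if [ -z "$lastchg" ]; then
        echo noexpiry; return 0
    fi
    # 0 is the "must change at next login" marker (chage -d 0)
    if [ "$lastchg" -eq 0 ]; then
        echo expired; return 0
    fi
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo noexpiry; return 0
    fi
    age=$((today - lastchg))
    if [ "$age" -gt "$max" ]; then
        # Past PASS_MAX_DAYS the user can still log in and is forced to pick a new
        # password, unless INACTIVE further days have gone by: then the account is
        # locked and only an administrator can reopen it.
        if [ -n "$inact" ] && [ "$inact" -ge 0 ] && [ "$age" -gt $((max + inact)) ]; then
            echo locked
        else
            echo expired
        fi
        return 0
    fi
    # PASS_WARN_AGE: warn once fewer than 'warn' days of validity remain
    if [ -n "$warn" ] && [ "$warn" -ge 0 ] && [ "$age" -gt $((max - warn)) ]; then
        echo warn; return 0
    fi
    echo ok
}

# Constructed sample entries (hashes shortened); "today" is pinned to day 19100
# so the output is reproducible.
TODAY=19100
while IFS= read -r entry; do
    printf '%-9s %s\n' "$(shadow_state "$entry" "$TODAY")" "${entry%%:*}"
done <<'EOF'
dave:$6$abc:19050:1:90:14:30::
carol:$6$abc:19020:1:90:14:30::
alice:$6$abc:19000:1:90:14:30::
bob:$6$abc:18900:1:90:14:30::
eve:$6$abc:0:1:90:14:30::
grace:$6$abc:19050:1:90:14:30:19000:
frank:$6$abc:19000:0:99999:7:::
EOF
```

The same fields are what chage manipulates: 'chage -M 90 -m 1 -W 14 -I 30 alice' sets max, min, warn and inactive for one user, 'chage -d 0 alice' forces a change at next login, and 'chage -l alice' prints the current values in readable form.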
Lockout on Failure
Constant brute-force password guessing attacks have made 'lockout on failure' functionality a necessary evil (the evil being that anyone who knows a user name can now lock that user out on purpose, which is why a finite unlock time is usually preferable to a permanent lockout). On the Linux systems of this article's vintage it is handled by the pam_tally2 module; be aware that pam_tally2 was removed in Linux-PAM 1.5 and that RHEL 8 and later use pam_faillock instead.
For RedHat systems, add a pam_tally2 line at the top of the auth section of both /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac.
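The line in question, written out as an added illustration (not the article's listing); the same line goes at the top of the auth section of both files:

```text
auth        required      pam_tally2.so deny=3 unlock_time=1800 even_deny_root
```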
Accounts will be locked after three failures (deny=3) butautomatically unlocked after 30 minutes (unlock_time=1800uses seconds as the unit). If the unlock_time parameteris left off, then accounts stay locked until the administratormanually intervenes.
even_deny_root says to apply lockout on failure to the root account as well; this is not the default. You can set a special timeout for the root account with the root_unlock_time=N parameter if you like. Generally speaking, you should not be allowing direct root logins to your system ('PermitRootLogin no' in your sshd_config file), so locking out the root account shouldn't be a factor.
Login failure and user lockout records are stored in /var/log/tallylog by default. You can change this with thefile= option.
There is also a command-line program called pam_tally2. This is how admins query and unlock user accounts that have been locked out due to failures: 'pam_tally2 --user alice' shows the current failure count for alice, and 'pam_tally2 --user alice --reset' clears it and unlocks the account.
Putting It All Together
Here's a sample system-auth-ac with a reasonable default configuration. Put the same pam_tally2 line and the same password stack into password-auth-ac; on CentOS 7 the two files are otherwise the same, except that password-auth-ac does not carry the pam_fprintd line:
```
auth        required      pam_tally2.so deny=3 unlock_time=1800 even_deny_root
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so local_users_only retry=3 minlen=19 gecoscheck maxrepeat=3
password    required      pam_pwhistory.so remember=400 use_authtok
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```