Posts

Showing posts with the label authentication

Password Aging and Authentication in RHEL7

As I posted in a previous note, the password policy in RHEL 7, and most other linux distributions, is handled by the dynamically-configurable PAM (Pluggable Authentication Modules) system. However, there are a number of other tools implemented in securing the RHEL system. One such tool is the shadow password suite. The shadow suite creates an additional layer of abstraction for the system's login passwords, by removing the account passwords from the /etc/passwd file to a separate file /etc/shadow;while maintaining the unobstructed use of the rest of the accounts system. The Linux Documentation Project explains it: the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.
According t…

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib.
The code was originally based on pam_cracklib module, and the module is backwards compatible with its options.

The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf. The possible options in the file are: difok Number of characters in the new password that must not be present in the old password. (default 5)

minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9)

dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 1)

ucredit T…