Password Aging and Authentication in RHEL7

As I posted in a previous note, the password policy in RHEL 7, and most other linux distributions, is handled by the dynamically-configurable PAM (Pluggable Authentication Modules) system. However, there are a number of other tools implemented in securing the RHEL system. One such tool is the shadow password suite. The shadow suite creates an additional layer of abstraction for the system's login passwords, by removing the account passwords from the /etc/passwd file to a separate file /etc/shadow;while maintaining the unobstructed use of the rest of the accounts system. The Linux Documentation Project explains it:
the password is stored as a single "x" character (ie. not actually stored in this file). A second file, called ``/etc/shadow'', contains encrypted password as well as other information such as account or password expiration values, etc. The /etc/shadow file is readable only by the root account and is therefore less of a security risk.

According to the Red Hat Documentation, "In Red Hat Enterprise Linux 7, shadow passwords are enabled by default."
The /etc/login.defs file defines the site-specific configuration for the shadow password suite. This file is required; absence of it will not prevent system operation, but will probably result in undesirable operation. Each line in the file describes one configuration parameter.
$ cat /etc/login.defs

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified, 
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
As usual, the login.defs man-page provides more information on this file along with all of its available configuration options.

RHEL7 provides a commandline program, chage, as an alternative to manually editing the /etc/login.defs file. The shadow-utils package provides this as well as a number of other useful programs: 
$ rpmquery -l shadow-utils

/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/lastlog
/usr/bin/newgrp
/usr/bin/sg
/usr/sbin/adduser
/usr/sbin/chpasswd
/usr/sbin/groupadd
/usr/sbin/groupdel
/usr/sbin/groupmems
/usr/sbin/groupmod
/usr/sbin/grpck
/usr/sbin/grpconv
/usr/sbin/grpunconv
/usr/sbin/newusers
/usr/sbin/pwck
/usr/sbin/pwconv
/usr/sbin/pwunconv
/usr/sbin/useradd
/usr/sbin/userdel
/usr/sbin/usermod
/usr/sbin/vigr
/usr/sbin/vipw

DESCRIPTION
       The chage command changes the number of days between password changes
and the date of the last password change. This information is used by the
system to determine when a user must change his/her password.

OPTIONS
       The options which apply to the chage command are:

       -d, --lastday LAST_DAY
           Set the number of days since January 1st, 1970 when the password
was last changed. The date may also be expressed in the format
YYYY-MM-DD (or the format more commonly used in your area).
If the LAST_DAY is set to 0 the user is forced to change his password on the
next log on.

       -E, --expiredate EXPIRE_DATE
           Set the date or number of days since January 1, 1970 on which the
user's account will no longer be accessible. The date may also be expressed
in the format YYYY-MM-DD (or the format more commonly used in your area).
A user whose account is locked must contact the system administrator before
being able to use the system again.

Passing the number -1 as the EXPIRE_DATE will remove an account expiration date.

       -h, --help
           Display help message and exit.

       -I, --inactive INACTIVE
           Set the number of days of inactivity after a password has expired 
before the account is locked. The INACTIVE option is the number of days of 
inactivity. A user whose account is locked must contact the system administrator
before being able to use the system again.

Passing the number -1 as the INACTIVE will remove an account's inactivity.

       -l, --list
           Show account aging information.

       -m, --mindays MIN_DAYS
           Set the minimum number of days between password changes to MIN_DAYS.
A value of zero for this field indicates that the user may change his/her 
password at any time.

       -M, --maxdays MAX_DAYS
           Set the maximum number of days during which a password is valid. 
When MAX_DAYS plus LAST_DAY is less than the current day, the user will be 
required to change his/her password before being able to use his/her account.
This occurrence can be planned for in advance by use of the -W option, which
provides the user with advance warning.

Passing the number -1 as MAX_DAYS will remove checking a password's validity.

       -R, --root CHROOT_DIR
           Apply changes in the CHROOT_DIR directory and use the configuration
files from the CHROOT_DIR directory.

       -W, --warndays WARN_DAYS
           Set the number of days of warning before a password change is required.
The WARN_DAYS option is the number of days prior to the password expiring that
a user will be warned his/her password is about to expire.

       If none of the options are selected, chage operates in an interactive
fashion, prompting the user with the current values for all of the fields. 
Enter the new value to change the field, or leave the line blank to use the
current value. The current value is displayed between a pair of [ ] marks.

Popular posts from this blog

Centos 7 pulseaudio

Image
Centos 7 doesn't come with an option for `awesome-wm` installation.  Therefore, the only way to make use of this light-weight tiling manager one has to enable Fedora 19 repo or build the package from source.  For the Fedora 19 repo approach, see: https://gist.github.com/ILMostro/1909a50e1858d0ee7e10 To use without GDM, GNOME's display manager, and without gnome services, one has to be aware of certain shortcomings that the gnome-services provide by default.  One such shortcoming is the lack of built-in Sound and Volume management.  Never fret, though, as there is a solution; namely, the PulseAudio-focused tools pavucontrol and pavumeter .  These packages are available from the " nux-desktop " repository available at at http://li.nux.ro/repos.html . nux-desktop My unofficial, as-is, not for profit RPM repositories for EL (RHEL, CentOS, ScientificLinux etc): These repos may or may not be up to date or behave the way you expect them to; use them at yo
Read more

RHEL 7 and CentOS 7 syslog Rate Limit

https://access.redhat.com/solutions/1417483 In RHEL 7 there is rate-limiting both in systemd-journald and in rsyslog's imjournal module Lower Ratelimit Interval Lower the interval for rate-limiting and increase the burst level in order to minimize the possibility of losing log messages when the threshold is reached for the specified number of messages logged within the specified interval. Rate-limiting is specific to each process, so there's usually no reason to change this. It is also inadvisable to disable this feature entirely! grep -i rate /etc/systemd/journald.conf #RateLimitInterval=30s #RateLimitBurst=1000 RateLimitInterval=10s RateLimitBurst=3000 grep -i rate /etc/rsyslog.conf #$imjournalRatelimitInterval 600 <--default $imjournalRatelimitInterval 300 $imjournalRatelimitBurst 30000 journal corruption journalctl --verify journalctl --force
Read more

Password Policy in RHEL 7

In Red Hat Enterprise Linux 7, the pam_pwquality PAM module replaced pam_cracklib, which was used in Red Hat Enterprise Linux 6 as a default module for password quality checking. It uses the same back end as pam_cracklib. The code was originally based on pam_cracklib module, and the module is backwards compatible with its options. The pam_pwquality module can be customized and configured in the file /etc/security/pwquality.conf . The possible options in the file are: difok Number of characters in the new password that must not be present in the old password. (default 5) minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9) dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the
Read more