Re: how to change the existing password settings on FC3

Ankush Grover wrote:
> On 4/30/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> But how do I define complex password security that is forcing users to give
> at least 1 alphanumeric character, at least 1 upper case character and there
> should not be any first or middle or last name in the password.
the first/middle/last name is more difficult than you imagine (unless
these things form part of a user's login name)

For the other requirements:
As was suggested, PAM is your friend here. There are two password
strength checking modules that you could use here:
pam_cracklib
pam_passwdqc
You really should read the documentation here:
/usr/share/doc/pam-0*/ it's in both html and text format.
pam_passwdqc has its own docs in /usr/share/doc/pam_passwdqc-*/README

WARNING
in both of these cases you are going to be editing *very* important
system configuration files. It is fairly trivial to lock *all* users out
of your system by messing up PAM configuration, so
1) back up the original file
2) keep a proper tty (a text login console) open with root logged into
it while you work.
3) if you do mess it all up, reboot the system in single user mode and
put the backed up file back in place.

for system-wide password strength controls (ie ones that cover not only
the passwd command but also passwords changed over ssh, on first login,
using the GUI tool etc etc) you'll edit /etc/pam.d/system-auth

for pam_cracklib you will want a line a little like this:
password	required	pam_cracklib.so length=20 ucredit=3 \
dcredit=3 ocredit=3 lcredit=3

which means:
a strong-enough password must score at least 20 points (length= is
arguably a misnomer). the points are granted thus:
1 point per character, no matter what it is.
1 extra point per uppercase letter up to the maximum value given in ucredit.
the same applies to lowercase (lcredit), digits (dcredit) and
non-alphanumeric chars (ocredit).

so in this case, a 20-char lowercase password is ok, but you can get
away with shorter passwords by mixing characters.
Mu?Pp3t_%5 has 10 chars
+2 for uppercase chars = 12
+3 other chars = 15
+3 lower chars = 18
+2 digits      = 20 points

although this may be a little extreme. It already will check for words
based on your username or dictionary words, so you wouldn't get away
with a 20-char word from the system dictionary.
Be wary of over-strong passwords. They will be counter-productive for
ordinary users (in my experience)

pam_passwdqc is more prescriptive and permits the use of passphrases
(which I like).
password	required	pam_passwdqc min=disabled,16,12,14,10 \
max=30 passphrase=3

basically it takes an argument like this
min=A,B,C,D,E which represents the minimum length of passwords based on
their makeup:
A = passwords made up of one character class (ie lowercase only)
B = passwords from 2 character classes
C = characters in a passphrase
D = 3 character classes
E = 4 character classes
(incidentally, caps at the start and numbers at the end don't count!)

max = maximum possible password length
passphrase = minimum number of words that *must* be in a passphrase

there are plenty of other options too

so in the example above:
passwords must have at least 2 types of character in them
passwords from 2 classes must be 20 chars long
passphrases must be 12 chars long and contain at least 3 words
passwords with 3 types of char must be 14 chars long
passwords using all 4 classes can be 10 chars long

RTFM for more complex (!) explanations and the massive number of other
options.

you will probably also want to permit password aging (man chage)
possibly failed login monitoring (pam_tally)

I reiterate,
BE VERY CAREFUL WITH PAM SETTINGS
sorry for shouting...

Regards,

Stuart
-- 
Stuart Sears RHCA RHCX
To err is human, to forgive is Not Company Policy.
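Added example (editor's, not Stuart's code and not part of Linux-PAM): a small model of the two length rules described in the post, so a policy can be reasoned about before /etc/pam.d/system-auth is touched. cracklib_score() reproduces the pam_cracklib credit arithmetic (one point per character plus per-class bonus points capped by ucredit/lcredit/dcredit/ocredit, compared against the value the post writes as length=, which pam_cracklib(8) documents as minlen=); it also handles the documented negative-credit form, where -N means "at least N characters of this class", which goes beyond the post's example. passwdqc_accepts() models pam_passwdqc's min=N0,N1,N2,N3,N4 rule, including the discounting of a leading capital and a trailing digit and the passphrase word count. Both are simplified models: the dictionary, similarity and palindrome checks the real modules also run are left out, and the function names and parameters are the example's own.

```python
"""Model of pam_cracklib credit scoring and pam_passwdqc class-count minimums.

Editor's example for reasoning about a password policy; it is not the PAM
modules themselves and omits their dictionary/similarity checks.
"""

# Sentinel for passwdqc's "disabled": an infinite minimum, never satisfied.
DISABLED = float("inf")


def cracklib_score(password, ucredit=3, lcredit=3, dcredit=3, ocredit=3):
    """Return (score, requirements_met) following pam_cracklib's credit rules.

    Every character scores one point.  A credit value N >= 0 adds one bonus
    point per character of that class, capped at N.  A negative value -N
    adds no bonus but requires at least N characters of that class
    (documented pam_cracklib behaviour, not in the post's example).
    """
    counts = {
        "u": sum(c.isupper() for c in password),
        "l": sum(c.islower() for c in password),
        "d": sum(c.isdigit() for c in password),
        "o": sum(not c.isalnum() for c in password),
    }
    credits = {"u": ucredit, "l": lcredit, "d": dcredit, "o": ocredit}
    score = len(password)
    requirements_met = True
    for cls, n in counts.items():
        credit = credits[cls]
        if credit >= 0:
            score += min(n, credit)
        elif n < -credit:
            requirements_met = False
    return score, requirements_met


def cracklib_accepts(password, minlen=20, **credits):
    """True if the password reaches minlen points and meets any -N requirements."""
    score, requirements_met = cracklib_score(password, **credits)
    return requirements_met and score >= minlen


def parse_passwdqc_min(spec):
    """Parse a passwdqc 'min=' value such as 'disabled,16,12,14,10'.

    Returns five minimums in passwdqc order: one class, two classes,
    passphrase, three classes, four classes.  'disabled' becomes DISABLED.
    Real passwdqc also requires the values to be non-increasing; that is
    assumed here, not checked.
    """
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    return [DISABLED if p == "disabled" else int(p) for p in parts]


def passwdqc_accepts(password, min_spec="disabled,16,12,14,10", passphrase=3):
    """Model of passwdqc's length rule for the post's example configuration."""
    if not password:
        return False
    mins = parse_passwdqc_min(min_spec)
    length = len(password)
    counts = {"d": 0, "l": 0, "u": 0, "o": 0}
    words = 0
    prev = " "
    for c in password:
        if c.isdigit():
            counts["d"] += 1
        elif c.islower():
            counts["l"] += 1
        elif c.isupper():
            counts["u"] += 1
        else:
            counts["o"] += 1
        # A word starts where a letter follows a non-letter (passwdqc's rule).
        if c.isalpha() and not prev.isalpha():
            words += 1
        prev = c
    # "Caps at the start and numbers at the end don't count" towards classes.
    if counts["u"] and password[0].isupper():
        counts["u"] -= 1
    if counts["d"] and password[-1].isdigit():
        counts["d"] -= 1
    classes = sum(1 for n in counts.values() if n)
    # passwdqc walks from the observed class count downwards, so a password
    # is accepted if it meets the minimum for its own or any smaller count.
    slot_for = {1: 0, 2: 1, 3: 3, 4: 4}
    for k in range(classes, 0, -1):
        if length >= mins[slot_for[k]]:
            return True
        # Passphrases are judged at the two-class level: enough words and
        # at least the passphrase minimum (N2).
        if k == 2 and words >= passphrase and length >= mins[2]:
            return True
    return False


if __name__ == "__main__":
    # The post's worked example, constructed inputs only.
    print("Mu?Pp3t_%5 cracklib score:", cracklib_score("Mu?Pp3t_%5"))
    print("Mu?Pp3t_%5 passwdqc:", passwdqc_accepts("Mu?Pp3t_%5"))
    print("Abcdefghijklmnopqrst1 passwdqc:", passwdqc_accepts("Abcdefghijklmnopqrst1"))
```

The last print shows the passwdqc quirk the post mentions: a long password that only gets its second and third classes from a leading capital and a trailing digit is treated as single-class and, with N0 disabled, is rejected regardless of length.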