On 4/30/06, Stuart Sears <stuart@xxxxxxxxxxx> wrote:
Ankush Grover wrote:
> On 4/30/06, Tim < ignored_mailbox@xxxxxxxxxxxx> wrote:
> But how do I define complex password security that is forcing users to give
> at least 1 alphanumeric character, at least 1 upper case character and there
> should not be any first or middle or last name in the password.
the first/middle/last name is more difficult than you imagine (unless
these things form part of a user's login name)
For the other requirements:
As was suggested, PAM is your friend here. There are two password
strength checking modules that you could use here:
pam_cracklib
pam_passwdqc
You really should read the documentation here:
/usr/share/doc/pam-0*/ it's in both html and text format.
pam_passwdqc has its own docs in /usr/share/doc/pam_passwdqc-*/README
WARNING
in both of these cases you are going to be editing *very* important
system configuration files. It is fairly trivial to lock *all* users out
of your system by messing up PAM configuration, so
1) back up the original file
2) keep a proper tty (a text login console) open with root logged into
it while you work.
3) if you do mess it all up, reboot the system in single user mode and
put the backed up file back in place.
for system-wide password strength controls (ie ones that cover not only
the passwd command but also passwords changed over ssh, on first login,
using the GUI tool etc etc) you'll edit /etc/pam.d/system-auth
for pam_cracklib you will want a line a little like this:
password required pam_cracklib.so length=20 ucredit=3 \
dcredit=3 ocredit=3 lcredit=3
which means:
a strong-enough password must score at least 20 points (length= is
arguably a misnomer). the points are granted thus:
1 point per character, no matter what it is.
1 extra point per uppercase letter up to the maximum value given in ucredit.
the same applies to lowercase (lcredit), digits (dcredit) and
non-alphanumeric chars (ocredit).
so in this case, a 20-char lowercase password is ok, but you can get
away with shorter passwords by mixing characters.
Mu?Pp3t_%5 has 10 chars
+2 for uppercase chars = 12
+3 other chars = 15
+3 lower chars = 18
+2 digits = 20 points
although this may be a little extreme. It already will check for words
based on your username or dictionary words, so you wouldn't get away
with a 20-char word from the system dictionary.
Be wary of over-strong passwords. They will be counter-productive for
ordinary users (in my experience)
pam_passwdqc is more prescriptive and permits the use of passphrases
(which I like).
password required pam_passwdqc min=disabled,16,12,14,10 \
max=30 passphrase=3
basically it takes an argument like this
min=A,B,C,D,E which represents the minimum length of passwords based on
their makeup:
A = passwords made up of one character class (ie lowercase only)
B = passwords from 2 character classes
C = characters in a passphrase
D = 3 character classes
E = 4 character classes
(incidentally, caps at the start and numbers at the end don't count!)
max = maximum possible password length
passphrase = minimum number of words that *must* be in a passphrase
there are plenty of other options too
so in the example above:
passwords must have at least 2 types of character in them
passwords from 2 classes must be 20 chars long
passphrases must be 12 chars long and contain at least 3 words
passwords with 3 types of char must be 14 chars long
passwords using all 4 classes can be 10 chars long
RTFM for more complex (!) explanations and the massive number of other
options.
you will probably also want to permit password aging (man chage)
possibly failed login monitoring (pam_tally)
Hey Mr. Stuart,
Thanks for your guidance.
Thanks & Regards
Ankush Grover
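The two scoring rules Stuart describes above (pam_cracklib's per-class credits and pam_passwdqc's min=A,B,C,D,E class-based minimum lengths) are easy to misread, so here is a small Python model of both, added to this archive page as an illustration. It is not code from the thread and not the real PAM modules: it implements only the arithmetic the message spells out, with the message's own example values as defaults, and leaves out the dictionary, username and similarity checks the real modules also run. The word-count handling for passphrases and the "leading capital / trailing digit don't count" rule are modelled as the message states them.

```python
"""Toy model of the two password policies described in the thread.

Added illustration, not code from pam_cracklib or pam_passwdqc. Only the
scoring arithmetic the message describes is reproduced; the real modules also
reject dictionary words, username-derived passwords and similar-to-old
passwords, none of which is modelled here.
"""


def cracklib_score(password, ucredit=3, lcredit=3, dcredit=3, ocredit=3):
    """Score a password the way the message describes pam_cracklib credits:
    one point per character, plus one extra point per character of each
    class, capped at that class's credit value (defaults from the thread)."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    digits = sum(c.isdigit() for c in password)
    other = len(password) - upper - lower - digits  # everything else: ?, _, % ...
    score = len(password)
    score += min(upper, ucredit)
    score += min(lower, lcredit)
    score += min(digits, dcredit)
    score += min(other, ocredit)
    return score


def cracklib_ok(password, minlen=20, **credits):
    """True if the password reaches the 'length=' point threshold."""
    return cracklib_score(password, **credits) >= minlen


def passwdqc_classes(password):
    """Count character classes as the message says passwdqc does: an
    uppercase letter at the very start and a digit at the very end are
    ignored before counting."""
    core = password
    if core and core[0].isupper():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    classes = set()
    for c in core:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def passwdqc_ok(password, min_spec="disabled,16,12,14,10", max_len=30, passphrase=3):
    """Apply a min=A,B,C,D,E spec as described in the thread.

    A: 1 class, B: 2 classes, C: passphrase, D: 3 classes, E: 4 classes.
    'disabled' means passwords of that makeup are never accepted.
    """
    mins = [None if v == "disabled" else int(v) for v in min_spec.split(",")]
    a, b, c, d, e = mins
    if len(password) > max_len:
        return False
    # Passphrase rule: enough whitespace-separated words and at least C chars.
    words = password.split()
    if c is not None and passphrase and len(words) >= passphrase and len(password) >= c:
        return True
    # Otherwise the class count decides which minimum length applies.
    required = {1: a, 2: b, 3: d, 4: e}.get(passwdqc_classes(password))
    if required is None:
        return False
    return len(password) >= required


if __name__ == "__main__":
    # Constructed sample inputs, including the thread's own Mu?Pp3t_%5
    for pw in ["Mu?Pp3t_%5", "a" * 20, "a" * 16, "Password1", "correct horse battery"]:
        print(f"{pw!r}: cracklib={cracklib_score(pw)} passwdqc_ok={passwdqc_ok(pw)}")
```

Running it shows the point Stuart makes: a 20-character lowercase password clears the cracklib threshold (it scores 23, since the lowercase credit still applies), while the 10-character mixed example scores exactly 20; under the passwdqc spec the same lowercase password is rejected outright because A is disabled, and "Password1" counts as a single-class password once the leading capital and trailing digit are discounted.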