
CentOS 7 Server Deployment Cookbook
Description
Everything about e-books | Answers to questions about e-books, copy protection and file formats can be found in our Info & Help section.
Key Features
[*] Configure and manage Linux servers in varying scenarios and for a range of business requirements
[*] Explore the up-to-date features of CentOS using real-world scenarios
[*] See practical and extensive recipes to deploy and manage CentOS
Book Description
CentOS is derived from Red Hat Enterprise Linux (RHEL) sources and is widely used as a Linux server. This book will help you to better configure and manage Linux servers in varying scenarios and business requirements. Starting with installing CentOS, this book will walk you through the networking aspects of CentOS. You will then learn how to manage users and their permissions, software installs, disks, filesystems, and so on. You'll then see how to secure connection to remotely access a desktop and work with databases. Toward the end, you will find out how to manage DNS, e-mails, web servers, and more. You will also learn to detect threats by monitoring network intrusion. Finally, the book will cover virtualization techniques that will help you make the most of CentOS.
What you will learn
[*] See how to deploy CentOS easily and painlessly, even in multi-server environments
[*] Configure various methods of remote access to the server so you don't always have to be in the data center
[*] Make changes to the default configuration of many services to harden them and increase the security of the system
[*] Learn to manage DNS, emails and web servers
[*] Protect yourself from threats by monitoring and logging network intrusion and system intrusion attempts, rootkits, and viruses
[*] Take advantage of today's powerful hardware by running multiple systems using virtualization
Who this book is for
This book is for Linux professionals with basic Unix/Linux functionality experience, perhaps even having set up a server before, who want to advance their knowledge in administering various services.
Persons
Timothy Boronczyk is a native of Syracuse, New York, where he works as a lead developer at Optanix, Inc. (formerly ShoreGroup, Inc.). He's been involved with web technologies since 1998, has a degree in Software Application Programming, and is a Zend Certified Engineer. In what little spare time he has left, Timothy enjoys hanging out with friends, studying Esperanto, and sleeping with his feet off the end of the bed. He's easily distracted by shiny objects.
Content
Getting Started
Networking
Managing Users and Their Permissions
Managing Software Installs
Managing Disks and Filesystems
Allowing Remote Access
Working with Databases
Managing DNS
Managing Email
Managing Web Servers
Logging and Detecting Threats
Virtualization
Enforcing password restrictions
A weak password can be one of the weakest security points of any system. Simple passwords are susceptible to brute-force attacks and long-lived passwords, if they are compromised, provide a wide window of opportunity for malicious activity. Because of this, it's important to ensure that your users choose sufficiently complex passwords and change them regularly. This recipe shows you how to strengthen your system's security by enforcing various restrictions on users' passwords. You'll learn how to specify the minimum complexity requirements for a password, how long before a password must be changed, and how to lock down an account after a number of failed login attempts.
Getting ready
This recipe requires a CentOS system and administrative access, either provided by logging in with the root account or by using sudo.
How to do it...
Follow these steps to enforce password restrictions that will increase the security of your CentOS system:
1. The parameters governing password aging are found in /etc/login.defs; open the file using your text editor of choice:
   vi /etc/login.defs
2. Locate the password aging controls section and update the values of PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE:
   PASS_MAX_DAYS 90
   PASS_MIN_DAYS 0
   PASS_MIN_LEN 8
   PASS_WARN_AGE 15
3. Save your changes and close the file.
4. The values specified in login.defs will be applied to new accounts when they are created. Existing users must have their password parameters set separately using the chage command:
   chage --maxdays 90 --mindays 0 --warndays 15 tboronczyk
5. The parameters governing the acceptable complexity for passwords are found in /etc/security/pwquality.conf; open the file for editing:
   vi /etc/security/pwquality.conf
6. Uncomment the minlen value to specify the desired minimum password complexity plus 1. For example, an eight-character password consisting of all lowercase characters would require a minlen of 9:
   minlen = 9
7. You may uncomment other values and set them as well if you like. Each value is preceded by a brief descriptive comment of what it does. To require a minimum number of characters to be from a certain class (uppercase, lowercase, digits, and other/special), specify the value as a negative number. For example, if passwords require at least one numeric digit and one uppercase character, then both dcredit and ucredit would be set to -1.
   [Figure: Options for configuring your system's password complexity requirements are found in pwquality.conf]
8. Save your changes and close the file.
9. Next, we'll update PAM's password-auth and system-auth module configurations to lock out an account after a number of unsuccessful login attempts. Open the file /etc/pam.d/password-auth:
   vi /etc/pam.d/password-auth
10. Update the group of auth lines at the beginning of the file to read as follows. The second and fourth lines have been added and include pam_faillock in the authentication stack:
   auth required pam_env.so
   auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
   auth sufficient pam_unix.so nullok try_first_pass
   auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
   auth requisite pam_succeed_if.so uid >= 1000 quiet_success
   auth required pam_deny.so
11. Update the group of account lines to read as follows. The second line has been added to include pam_faillock in the account stack:
   account required pam_unix.so
   account required pam_faillock.so
   account sufficient pam_localuser.so
   account sufficient pam_succeed_if.so uid < 1000 quiet
   account required pam_permit.so
Note
Be careful when updating the password-auth and system-auth files. The order in which modules are listed in a stack is significant!
12. Save your changes and close the file. Then repeat steps 9 to 11 with the file /etc/pam.d/system-auth.
How it works...
Properly configuring the authentication requirements for local accounts is a bit of a fractured experience. First, there are the traditional Unix password files (/etc/passwd and /etc/group) and the shadow-utils package, which adds shadowing support (/etc/shadow). Together, these form the core database for local account credentials. In addition, similar to most other modern Linux systems, CentOS uses PAM, a collection of pluggable authentication modules. The PAM stack is configured by default to look up account information in the shadow file, but it also provides additional functionality that PAM-aware programs can leverage, such as password-strength checking. As an administrator, you're responsible for configuring these services so that they work properly in tandem and operate within the acceptable security guidelines set by your organization.
In this recipe, we first updated the password aging related controls found in /etc/login.defs:
- PASS_MAX_DAYS defines how much time can pass before a password must be changed. By setting the value to 90, a user must change their password at least once every three months (90 days).
- PASS_MIN_DAYS specifies how many days a user must wait before changing a new password. Since this value is 0, a user can change their password any time they want, even several times a day if they like.
- PASS_WARN_AGE defines how many days in advance a user will be notified of their password's pending expiration as PASS_MAX_DAYS approaches.
Note
PASS_MIN_LEN is supposed to set the minimum password length, but you'll find PAM's password complexity requirements supersede this, making the setting pretty much worthless.
Utilities such as useradd use these settings as the defaults when creating entries in the password and shadow files. They aren't applied retroactively to existing users so we need to use chage to update their accounts:
[Figure: chage can set the minimum and maximum age of a user's password and the notification window for pending expirations, but note the absence of a minimum length requirement.]
We can also use chage to make a user's password expire immediately so that they must specify a new one the next time they log in. To do so, we provide the --lastdays argument with a value of 0:
Tip
If you have more than a handful of accounts, you may want to automate using chage with some basic shell scripting. Here's a series of commands piped together that update all of the existing user accounts in an automated fashion:
This works by retrieving the contents of the shadow file and using awk to split each record using : as the field separator. awk looks at the value in the second field (the encrypted password) to see whether it begins with $, indicating that the account has a password, which filters out disabled accounts and system accounts without a password. The username from each matching record is then piped to xargs, which feeds the names one at a time to chage.
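The pipeline the tip describes, as an added example that is not the book's own listing: the awk filter is kept as described, a read loop stands in for xargs so that a DRY_RUN mode can print the chage commands instead of running them, and the shadow records are constructed sample data (not real hashes) so the filter can be exercised offline before it is pointed at /etc/shadow.

```shell
# Select accounts whose second (password) field starts with "$", i.e. accounts
# that actually have a hash. "*", "!!", "!"-locked and empty fields are skipped,
# which is what drops system, disabled and locked accounts.
users_with_passwords() {
    awk -F: '$2 ~ /^\$/ { print $1 }'
}

# Constructed sample shadow records for the demo; the hashes are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
sync:!!:18000:0:99999:7:::
tboronczyk:$6$anothersalt$anotherhash:18000:0:99999:7:::
locked:!$6$salt$hash:18000:0:99999:7:::
nopass::18000:0:99999:7:::'

# Apply the recipe's aging values to every selected account read from stdin.
# With DRY_RUN=1 the commands are only printed, so this runs without root.
apply_aging() {
    users_with_passwords | while read -r user; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "chage --maxdays 90 --mindays 0 --warndays 15 $user"
        else
            chage --maxdays 90 --mindays 0 --warndays 15 "$user"
        fi
    done
}

# Demo on the constructed data; on a real system run: apply_aging < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | DRY_RUN=1 apply_aging
```

Note that an account locked with passwd -l carries a "!" in front of its hash and is therefore skipped by the filter; unlock it first if its aging values should be updated as well.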
As the PAM module pam_pwquality checks the complexity of passwords, we specify our password complexity requirements in the module's configuration file, /etc/security/pwquality.conf. It gauges the quality of a password using a credit system where each character credits a point towards the password's total score. This score then must meet or exceed the value we gave for minlen.
The page at http://wpollock.com/AUnix2/PAM-Help.htm has a good explanation of how pam_pwquality calculates a password's complexity. It explains the algorithm as follows:
- Add one for each character in the password regardless of the type of the character
- Add one to that for each lowercase letter used, up to a maximum of lcredit
- Add one to that for each uppercase letter...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.