
password grammar in LINUX – PAM style

In AIX, controlling password grammar (composition rules), expiration and all the other attributes not mentioned here, on either a local or a global scale, is very easy. Everything is collected and ready to be manipulated to satisfy your fancy in a single file called user, located in the directory /etc/security.

This file, like many other files in AIX, is based on stanzas. There is the default stanza, where all attributes are set to their “default” values. This stanza is followed by any number of other stanzas, each representing a particular user whose password/login attributes differ from the ones set in the default stanza. It is nice and easy. Does it answer all needs in this area? Maybe not; most likely not. Is it a dated solution? It could be. In my opinion it is clean and efficient, and if anything else is called for above and beyond what this file provides, one has to remember that AIX has PAM; yes, AIX supports PAM. Having said that, I admit that I have never used PAM with AIX and have no idea to what extent PAM is supported by this operating system. What does PAM stand for? PAM is short for Pluggable Authentication Modules.

Here comes LINUX. A few days ago, I started to think about RedHat: how to set a different set of password controls on a RedHat host with a configured and operational Active Directory authentication? What to do to apply a different set of password attributes to the local users? This post is a way to share with you what I have discovered so far. As always, let me know if you find an error, an omission or a better solution than what I have shown here.

In RedHat, to make sure that the local users (the ones present in the file /etc/passwd) authenticate by local means and not via AD, LDAP or something else, you have to check the files inside the directory /etc/pam.d for the presence of the following entry:

account       sufficient             pam_localuser.so

On my host, this entry is present in a few files, such as fingerprint-auth, password-auth, password-auth-ac, smartcard-auth and system-auth. Not all of them are actually needed; for example, this host does not employ any fingerprint recognition device to authorize the logging-in user. I think that for most cases it is enough to have this entry in both files whose names start with password.

Next comes the grammar. To make sure that the local users' passwords are sufficiently strong and contain the correct ratio of numerals/upper/lower/special characters and so forth, we look into the same directory again, but now seeking a different PAM module. This time we look for a PAM module called pam_cracklib.so, which we find in the file called password-auth. For example, the following entry:

password	required	pam_cracklib.so \
                    dcredit=-1 ucredit=-1 lcredit=-1 minlen=8

requires a password to contain at the minimum one (1) digit (dcredit), one (1) upper case (ucredit) character, one (1) lower case (lcredit) character, and to be not shorter than 8 characters (minlen). Not to mention that this module will automatically check the selected password against a dictionary, and if it is found to be a word …. guess what? It will be refused and the user will have to select a different one.
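To make the credit arithmetic concrete, here is an added Python model of the rule set above; it is not code from this post nor from pam_cracklib itself. It assumes the module's documented semantics: a negative credit is a hard minimum count for that character class, a positive credit (the module's default of 1 per class) lets characters of that class count extra toward minlen, and a small constructed word list stands in for the dictionary.

```python
# Constructed stand-in for the cracklib dictionary (assumption, not the real word list).
DICTIONARY = {"password", "welcome", "letmein", "redhat"}

# Human-readable names for the credit tokens used on the pam_cracklib line.
CLASS_NAMES = {"dcredit": "digit", "ucredit": "upper case",
               "lcredit": "lower case", "ocredit": "other"}


def parse_cracklib_opts(opts: str) -> dict:
    """Turn 'dcredit=-1 ucredit=-1 lcredit=-1 minlen=8' into a dict of ints.

    Unknown tokens are ignored; unspecified credits keep the module default of 1.
    """
    rules = {"minlen": 6, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    for token in opts.split():
        key, _, value = token.partition("=")
        if key in rules and value.lstrip("-").isdigit():
            rules[key] = int(value)
    return rules


def check_password(candidate: str, rules: dict) -> list:
    """Return the list of reasons the candidate fails; an empty list means it passes."""
    counts = {
        "dcredit": sum(c.isdigit() for c in candidate),
        "ucredit": sum(c.isupper() for c in candidate),
        "lcredit": sum(c.islower() for c in candidate),
        "ocredit": sum(not c.isalnum() for c in candidate),
    }
    failures = []
    effective_len = len(candidate)
    for cls, have in counts.items():
        credit = rules[cls]
        if credit < 0:
            # Negative credit: at least |credit| characters of this class are required.
            if have < -credit:
                failures.append(f"needs at least {-credit} {CLASS_NAMES[cls]} character(s)")
        else:
            # Positive credit: each such character (up to the credit) adds to the effective length.
            effective_len += min(have, credit)
    if effective_len < rules["minlen"]:
        failures.append(f"effective length {effective_len} < minlen {rules['minlen']}")
    if candidate.lower() in DICTIONARY:
        failures.append("dictionary word")
    return failures


if __name__ == "__main__":
    rules = parse_cracklib_opts("dcredit=-1 ucredit=-1 lcredit=-1 minlen=8")
    for pw in ("Passw0rd", "password", "Ab1"):
        print(pw, "->", check_password(pw, rules) or "accepted")
```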

Now, what about the previous passwords? How to prevent their repetitive usage? First, verify that this file is present:

# ls -l /etc/security/opasswd
-rw-------. 1 root root 0 Apr  5  2012 /etc/security/opasswd

This file is the “keeper” of users' previous passwords. The number of previous passwords per user stored inside this file is controlled by the value of the token called remember – thanks to the developer for using meaningful terms!!!!!!!!!! The next lines show this setting in action (an excerpt from the file /etc/pam.d/password-auth).

password    sufficient    pam_unix.so \
                 sha512 shadow nullok try_first_pass use_authtok \
                 remember=4

On this host, a user is not allowed to repeat any of his four last passwords. By the way, the maximum for remember is 400 (past passwords).

For now this is all I have, stay warm,

MarkD:-)

Posted in Linux.




Copyright © 2016 - 2017 Waldemar Mark Duszyk. All Rights Reserved.