password history ability with pam?

Richard Wilson r.wilson9 at cox.net
Thu Dec 15 22:42:08 MST 2005


Dan and all,

I just had to enforce some fun requirements from our Corporate Data
Security types and learned a lot in the process.

You can modify the pam_tally module to keep track of the number of times
a user tries to login and lock the account once that number is passed.
(This just bit me -- I had to go in and reset the count on a production
account that had been fat-fingered a few too many times.  The PAM System
Admin Guide suggests a nightly cron job to reset these tallies -- I'll
be putting that in place tomorrow).

With the "chage" command you can set a bunch of password lifetime
options such as min and max days between password changes, inactivity
locking, password change warnings.

There's an excellent article at
http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords
that goes into how the author convinced Red Hat to adopt his new methods
for enforcing things like:

min passwd length
min number of lower case letters
min number of uppercase letters
min number of digits
min number of other characters

This is now part of Fedora and RHEL -- there are patches available for
older RH versions that might be portable elsewhere... YMMV

Being paranoid about changing security settings, I relied heavily on the
PAM System Administrators Guide -- this guide is your friend!  You
should be able to find it if you installed the PAM doco -- on my FC3
system it's at: /usr/share/doc/pam-0.77/html/pam.html

Hope this helps, feel free to contact me directly if you want.

-- 
Richard Wilson
r dot wilson (nine) at cox dot net
--------------------------------------------------------------------
On Thu, 2005-12-15 at 21:07 -0800, Dan Lund wrote:
> Hi folks,
> I don't often hit you guys for answers but I need a little advice.
> I'm dealing with SOX/HIPAA compliancy right now, which drives me a little nuts.
> Anyway, the auditors said we need to have a password history feature
> so that the user cannot change their password back to a password they
> used the last time, time before, etc.
> Now, we run Active Directory and I know I could configure the systems
> to use pam_smb to authenticate and it'd use the same password
> guidelines that the Windows world uses.  I don't want to rely on
> Active Directory, and it seems like a kludge at best.
> 
> I need to know how to do password history detection, has anyone had
> any experience with this on Linux servers?
> (note: This is a mix of Redhat 8.0, RHEL3/4, and Gentoo... about 160
> machines so individual maintenance would be a nightmare... past the
> initial configuration which can easily be scripted)
> 
> Any help would be appreciated.  I have 6 months at most ;)
> 
> --Dan Lund
> --
> To exercise power costs effort and demands courage. That is why so
> many fail to assert rights to which they are perfectly entitled -
> because a right is a kind of power but they are too lazy or too
> cowardly to exercise it.  The virtues which cloak these faults are
> called patience and forbearance.
> Friedrich Nietzsche
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
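As an added illustration (not code from either poster), here is a small checker that expresses the minimum-count rules Richard lists the way pam_cracklib takes them (a negative credit such as lcredit=-1 means "at least one lowercase character"), plus the reuse check Dan's auditors asked for, run against a constructed history of previous password hashes. The policy values, the salted PBKDF2 history format and the sample passwords are assumptions for the example; the real /etc/security/opasswd format differs.

```python
# Added example, not from the mailing-list post. Mirrors the five rules the
# post lists (min length, min lower, min upper, min digits, min other chars)
# using pam_cracklib's parameter names, where a negative credit means a
# required minimum of that character class. The reuse check uses a
# constructed, simplified history (salt + PBKDF2-SHA256), not the on-disk
# format pam_unix actually keeps in /etc/security/opasswd.
import hashlib
import hmac
import os

# Hypothetical policy in pam_cracklib's terms: 8 chars, one of each class.
POLICY = {"minlen": 8, "lcredit": -1, "ucredit": -1, "dcredit": -1, "ocredit": -1}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(password: str, policy: dict = POLICY) -> list:
    """Return the list of rules the password fails (empty list = accepted)."""
    counts = {
        "lcredit": sum(c.islower() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "dcredit": sum(c.isdigit() for c in password),
        "ocredit": sum(not c.isalnum() for c in password),
    }
    failures = []
    if len(password) < policy["minlen"]:
        failures.append(f"shorter than minlen={policy['minlen']}")
    for key, have in counts.items():
        credit = policy.get(key, 0)
        # Negative credit = required minimum; zero or positive = no minimum.
        if credit < 0 and have < -credit:
            failures.append(f"needs at least {-credit} for {key}, has {have}")
    return failures


def make_history(passwords: list) -> list:
    """Build a constructed (salt, digest) history for previous passwords."""
    history = []
    for p in passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(p, salt)))
    return history


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any previous (salt, digest) entry."""
    return any(hmac.compare_digest(hash_password(password, salt), digest)
               for salt, digest in history)
```

A change request would be refused if `check_complexity` returns any failures or `is_reused` returns True; the same rules apply identically on every host, which is what makes them scriptable across a fleet.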
