Re: password expirations and automate generate password and …

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: George Toft
Date:  
To: Main PLUG discussion list
Subject: Re: password expirations and automate generate password and reset passwordand mail it?
Second topic . . .

See the discussion in the Center for Internet Security Red Hat Linux
Benchmark (http://cisecurity.org):

8.3 Set Account Expiration Parameters On Active Accounts
Action:
cd /etc
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
     ($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
     ($1 ~ /^PASS_WARN_AGE/) { $2="28" }
     ($1 ~ /^PASS_MIN_LEN/) { $2="6" }
     { print } ' login.defs-preCIS > login.defs
chown root:root login.defs
chmod 640 login.defs
diff login.defs-preCIS login.defs


useradd -D -f 7
diff /etc/default/useradd-preCIS /etc/default/useradd

for NAME in `cut -d: -f1 /etc/passwd`; do
     uid=`id -u $NAME`
     if [ $uid -ge 500 -a $uid != 65534 ]; then
         chage -m 7 -M 90 -W 28 -I 7 $NAME
     fi
done
diff shadow-preCIS shadow


Discussion:
It is a good idea to force users to change passwords on a regular basis.
The commands above will set all active accounts (except system accounts)
to force password changes every 90 days (-M 90), and then prevent
password changes for seven days (-m 7) thereafter. Users will begin
receiving warnings 28 days (-W 28) before their password expires. Once
the password expired, the account will be locked out after 7 days (-I
7). Finally, the instructions above set a minimum password length of 6
characters.
These are recommended starting values. Some regulated industries
require more restrictive values – ensure they comply with your
Enterprise security policy.



George Toft, CISSP, MSIS
623-203-1760




Jeremy C. Reed wrote:
> Two topics here ...
>
> Anyone know of a ready-to-use script/tool to generate password and reset
> password and mail it?
>
> I could write a script that does the following ... generate a password
> with apg, shuffle, or Crypt::RandPasswd perl module; then encrypt it (if
> needed); use usermod to set it; and then PGP/GPG-encrypt a message and
> email that. (This is to be automated every couple weeks or once a mont via
> cron.)
>
> I was wondering if something already exists before I do this myself. (This
> is on a RHEL clone, but that doesn't matter.)
>
> Second topic:
>
> Anyone use shadow(5) fields (such as with passwd(1) or chage(1)) for last
> password change, days until change allowed, days before change required,
> days warning for expiration, days before account inactive, and/or date
> when account expires? If so, do you want to share any examples?
>
> Thanks,
>
>
> Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss