password expirations and automate generate password and reset password and mail it?

George Toft george at georgetoft.com
Wed Apr 4 20:42:50 MST 2007


Second topic . . .

See the discussion in the Center for Internet Security Red Hat Linux 
Benchmark (http://cisecurity.org):

8.3 Set Account Expiration Parameters On Active Accounts
Action:
cd /etc
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
     ($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
     ($1 ~ /^PASS_WARN_AGE/) { $2="28" }
     ($1 ~ /^PASS_MIN_LEN/) { $2="6" }
     { print } ' login.defs-preCIS > login.defs
chown root:root login.defs
chmod 640 login.defs
diff login.defs-preCIS login.defs

useradd -D -f 7
diff /etc/default/useradd-preCIS /etc/default/useradd

for NAME in `cut -d: -f1 /etc/passwd`; do
     uid=`id -u $NAME`
     if [ $uid -ge 500 -a $uid != 65534 ]; then
         chage -m 7 -M 90 -W 28 -I 7 $NAME
     fi
done
diff shadow-preCIS shadow

Discussion:
It is a good idea to force users to change passwords on a regular basis. 
The commands above will set all active accounts (except system accounts) 
to force password changes every 90 days (-M 90), and then prevent 
password changes for seven days (-m 7) thereafter. Users will begin 
receiving warnings 28 days (-W 28) before their password expires. Once 
the password has expired, the account will be locked out after 7 days (-I 
7). Finally, the instructions above set a minimum password length of 6 
characters.
These are recommended starting values. Some regulated industries 
require more restrictive values – ensure they comply with your 
Enterprise security policy.



George Toft, CISSP, MSIS
623-203-1760
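The shadow(5) aging fields the thread asks about, as an added example that is not part of this post or of the CIS benchmark text: a small Python audit that parses shadow-format lines, classifies each account the way the benchmark discussion describes the lifecycle (warning window, expired, locked for inactivity, account expiry date), and lists fields that deviate from the 7/90/28/7 values the chage loop sets. The sample lines, the placeholder hashes, the audit date (2007-04-04, the post's date) and the "expired once today is past lastchg + max" boundary rule are constructed assumptions; run it against `cat /etc/shadow` output to find accounts the loop missed.

```python
# Added example (not part of the original post or the CIS benchmark):
# audit shadow(5) aging fields and check them against the chage values above.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

EPOCH = date(1970, 1, 1)

# The values the benchmark's loop sets: chage -m 7 -M 90 -W 28 -I 7
CIS_POLICY = {"min": 7, "max": 90, "warn": 28, "inactive": 7}


@dataclass
class ShadowEntry:
    user: str
    password: str
    lastchg: Optional[int]        # days since epoch of last change; 0 = must change
    min_days: Optional[int]       # -m
    max_days: Optional[int]       # -M; None = password never expires
    warn_days: Optional[int]      # -W
    inactive_days: Optional[int]  # -I; None = never locked for inactivity
    expire_day: Optional[int]     # -E, absolute day; None = account never expires


def days_since_epoch(d: date) -> int:
    """shadow(5) stores dates as days since 1970-01-01."""
    return (d - EPOCH).days


def _int_or_none(field: str) -> Optional[int]:
    # An empty field means "feature disabled" in shadow(5).
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, pw, lastchg, mn, mx, warn, inact, expire, _reserved = fields
    return ShadowEntry(user, pw, *(_int_or_none(f) for f in (lastchg, mn, mx, warn, inact, expire)))


def aging_state(e: ShadowEntry, today: date) -> str:
    """Classify an entry as in the benchmark discussion. Boundary assumption:
    expired once today is past lastchg + max, locked once past that + inactive."""
    t = days_since_epoch(today)
    if e.password.startswith(("!", "*")):
        return "no-login"            # locked or disabled hash: aging is moot
    if e.expire_day is not None and t >= e.expire_day:
        return "account-expired"
    if e.lastchg is None:
        return "aging-disabled"
    if e.lastchg == 0:
        return "must-change"
    if e.max_days is None:
        return "never-expires"
    expiry = e.lastchg + e.max_days
    if t > expiry:
        if e.inactive_days is not None and t > expiry + e.inactive_days:
            return "locked"
        return "expired"
    if e.warn_days is not None and expiry - t <= e.warn_days:
        return "warning"
    return "ok"


def policy_deviations(e: ShadowEntry, policy: Dict[str, int] = CIS_POLICY) -> List[str]:
    """Fields that differ from the policy, e.g. accounts the chage loop missed."""
    got = {"min": e.min_days, "max": e.max_days, "warn": e.warn_days, "inactive": e.inactive_days}
    return [f"{k}={got[k]} (policy {v})" for k, v in policy.items() if got[k] != v]


def audit(lines: List[str], today: date,
          policy: Dict[str, int] = CIS_POLICY) -> Dict[str, Tuple[str, List[str]]]:
    return {e.user: (aging_state(e, today), policy_deviations(e, policy))
            for e in map(parse_shadow_line, lines)}


# Constructed sample, not a real /etc/shadow; "$6$placeholder" stands in for a hash.
AUDIT_DAY = date(2007, 4, 4)          # day 13607 since the epoch
SAMPLE_SHADOW = [
    "sys:*:13514::::::",                          # system account, no password
    "alice:$6$placeholder:13580:7:90:28:7::",     # changed 27 days ago
    "bob:$6$placeholder:13530:7:90:28:7::",       # 13 days left -> warning
    "carol:$6$placeholder:13500:7:90:28:7::",     # expired 17 days ago -> locked
    "dave:$6$placeholder:13510:0:365:7:::",       # never touched by the chage loop
    "erin:$6$placeholder:13600:7:90:28:7:13600:", # absolute account expiry passed
    "frank:$6$placeholder:0:7:90:28:7::",         # lastchg 0 = change at next login
    "grace:$6$placeholder:13580:7::28:7::",       # empty max = never expires
]

if __name__ == "__main__":
    for user, (state, devs) in audit(SAMPLE_SHADOW, AUDIT_DAY).items():
        print(f"{user:8} {state:16} {'; '.join(devs) or 'policy ok'}")
```

The policy check is the part worth keeping after the initial rollout: the benchmark loop only touches accounts that exist when it runs, and `useradd -D -f 7` only sets the inactivity default, so new accounts created with explicit `-M`/`-W` values, or accounts whose max field is empty, show up here as deviations.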




Jeremy C. Reed wrote:
> Two topics here ...
> 
> Anyone know of a ready-to-use script/tool to generate password and reset 
> password and mail it?
> 
> I could write a script that does the following ... generate a password 
> with apg, shuffle, or Crypt::RandPasswd perl module; then encrypt it (if 
> needed);  use usermod to set it; and then PGP/GPG-encrypt a message and 
> email that. (This is to be automated every couple weeks or once a mont via 
> cron.)
> 
> I was wondering if something already exists before I do this myself. (This 
> is on a RHEL clone, but that doesn't matter.)
> 
> Second topic:
> 
> Anyone use shadow(5) fields (such as with passwd(1) or chage(1)) for last 
> password change, days until change allowed, days before change required, 
> days warning for expiration, days before account inactive, and/or date 
> when account expires? If so, do you want to share any examples?
> 
> Thanks,
> 
> 
>   Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> 
