We have a requirement to vary the minimum password criteria by the group to which a user belongs.
For example a standard user should have a password with a minimum length of 12 and containing a mix of characters whereas an administrator should have a password with a minimum length of 14 etc.
It would seem that the pam_cracklib.so line is the one to use but the exact method seems to be unclear.
We actually have three requirements normal user, admin, service user.
I think the below lines show the area of pam that requires changing. If anyone has tried this any information or help would be gratefully received.
A google search does show up some hints but none for RHEL6 which is what we are using.
A while back we had a god at this. We got as far as this before other business pressures took over. I'm not sure if it actually works, but it might provide a pointer:-
Quote:
In /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac files contains the following in the password statements:-
The plan then was to move people into the group privgrp if they had elevated privileges which mainly was considered as people with sudo rules for anything except where tied into the application, so those who could reset passwords, those who could become the superuser account etc. The limits are set for minimum of 8 for normal users and 12 for privileged, but I'm sure you can adjust that. We also require passwords to contain a mixture of upper & lower case, numerics and punctuation. We've had a few issues on some servers with characters #, £ and @ so bear that in mind when publishing guidelines. Worst affected for us on HP-UX, but it's a known limitation.
I hope that this gives you a pointer. I don't think it was actually fully implemented so I can't be sure it actually has any effect. Please test it thoroughly before committing to it. It would be worth having multiple sessions as a superuser before saving the files so you have a chance to undo them if they cause a problem.
I hope that this is useful, or prompts someone else to chip in, perhaps proving me wrong. I'm always happy to learn.
Does anyone have any experience hardening the c-icap.conf file? Here is the default config file, it has a lot of options; sorry about how long it is. I have removed some entries that were not needed as well, but it is still so long :D. Any help is much appreciated as I have never dealt with ICAP.
... (0 Replies)
Hi,
I use a software which can create account on many system or application.
One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3.
This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Hello All,
I have Sun DSEE7 (11g) on Solaris 10.
I have run idsconfig and initialized ldap client with profile created using idsconfig.
My ldap authentication works. Here is my pam.conf
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login ... (3 Replies)
We've got a FTP server that's open to the public network and its running on Suse SUSE Linux Enterprise Server 11 (x86_64) SP2
Now, since it's an FTP server I can't disable that service, but how else do I harden this server from attacks from outside?
I am thinking of disabling the firewall and... (3 Replies)
I am dealing with an FTP server and I have implemented password hardening on the server. The thing is that, it applies to SSH connection.
I forcefully expired password of a user so that he can change password at next login. But the user logged in to the server through FTP and he wasn't asked to... (4 Replies)
Hi, on a lab computer another user (who is a sudoer) changed my password without my permission. I'm pretty positive it was her, though I can't conclusively prove it. I had my friend, who is another sudoer on the machine, fix it and make me a sudoer now too.
So everything is fine, but I want... (0 Replies)
Pam Module sending a cannot get password enry after certain period in /var/adm/message.
pam_login_limit(auth): Cannot get Password entry for user 'dbsnmp'
What is dbsnmp? Also if account is locked does pam module checks for this locked account at regular interval and keeps on posting... (2 Replies)
Here's the issue. Currently when I run passwd -f "username" on any account, when I try to login with said account I don't get prompted to change my password I just keep getting prompted to input a password. (Of course this works just fine with telnet)Is there something i need to add to... (7 Replies)
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
So I've just done my first install of Solaris. I installed it on an x86 system and am now in the processing of figuring out what I need to do to 'harden' it. I've got the Security kit downloaded (jass) but I am not sure what to do with the .tar file.
I can't seem to find any easy steps to... (6 Replies)