DCA Security FAQ‎ > ‎

Protect Accounts by Configuring PAM

posted Oct 10, 2012, 7:20 AM by Sachchida Ojha
Authentication settings such as password quality, password expiration policy, password reuse, password retry attempts, and more can be configured using the Pluggable Authentication Modules (PAM) framework. PAM looks in the directory /etc/pam.d for application-specific configuration information. Running authconfig or system-config-authentication will re-write the PAM configuration files, destroying any manually made changes and replacing them with system defaults.

1.Set Password Quality Requirements
The default pam_cracklib PAM module provides strength checking for passwords. To configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and special character, as recommended by the U.S. Department of Defense guidelines, edit the file /etc/pam.d/system-auth to include the following parameters in the line corresponding to password requisite pam_cracklib.so try_first_pass retry=3:
dcredit=-1. Require at least one digit
ucredit=-1. Require at least one upper case character
ocredit=-1. Require at least one special character
lcredit=-1. Require at least one lower case character
minlen-14. Require a minimum password length of 14.
For example:
password required pam_cracklib.so try_first_pass retry=3\minlen=14 dcredit=-1 ucredit=-1 ocredit=-1
These parameters can be set to reflect your security policy requirements. Note that the password restrictions are not applicable to the root password.

2.Set Lockouts for Failed Password Attempts
The pam_tally2 PAM module provides the capability to lock out user accounts after a specified number of failed login attempts. To enforce password lockout, edit the file /etc/pam.d/system-auth to include the following lines:
The first of the auth lines should include: auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
The first of the account lines should include: account required pam_tally2.so
Here, the deny parameter is set to limit the number of retries to 5 and the unlock_time has been set to 900 seconds to keep the account locked for 900 seconds before it is unlocked. These parameters may be configured appropriately to reflect your security policy requirements. A locked account can be manually unlocked using the pam_tally2 utility:
/sbin/pam_tally2 --user {username} -reset

3.Upgrade Password Hashing Algorithm to SHA-512
The default password hashing algorithm used in the system is MD5. To configure the system to use the SHA-512 algorithm, three files need to be edited.
•Replace md5 with sha512 in /etc/pam.d/system-auth
For example: password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
•Disable MD5_CRYPT_ENAB and set the ENCRYPT_METHOD to SHA512 in /etc/login.defs
For example:
•Update the crypt_style to sha512 in /etc/libuser.conf
For example: crypt_style = sha512
The next time a user's password is reset, the password will be generated the SHA-512 algorithm.

4.Limit Password Reuse
You can use PAM to limit the reuse of recent passwords. The remember option for the pam_ unix module can be set to remember the recent passwords and prevent their reuse. To accomplish this, edit the appropriate line in /etc/pam.d/system-auth to include the remember option.
For example:
password sufficient pam_unix.so [ … existing_options …] remember=5
You can set the number of previous passwords to remember to appropriately reflect your security policy requirements.