Protect Accounts by Configuring PAM

Post date: Oct 10, 2012 2:20:14 PM

Authentication settings such as password quality, password expiration policy, password reuse, password retry attempts, and more can be configured using the Pluggable Authentication Modules (PAM) framework. PAM looks in the directory /etc/pam.d for application-specific configuration information. Running authconfig or system-config-authentication will rewrite the PAM configuration files, destroying any manually made changes and replacing them with system defaults.

1. Set Password Quality Requirements

The default pam_cracklib PAM module provides strength checking for passwords. To configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and special character, as recommended by the U.S. Department of Defense guidelines, edit the file /etc/pam.d/system-auth and add the following parameters to the line that reads password requisite pam_cracklib.so try_first_pass retry=3:

dcredit=-1: Require at least one digit

ucredit=-1: Require at least one upper case character

ocredit=-1: Require at least one special character

lcredit=-1: Require at least one lower case character

minlen=14: Require a minimum password length of 14

For example:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

These parameters can be set to reflect your security policy requirements. Note that the password restrictions are not applicable to the root password.

2. Set Lockouts for Failed Password Attempts

The pam_tally2 PAM module provides the capability to lock out user accounts after a specified number of failed login attempts. To enforce password lockout, edit the file /etc/pam.d/system-auth to include the following lines:

The first of the auth lines should include: auth required pam_tally2.so deny=5 onerr=fail unlock_time=900

The first of the account lines should include: account required pam_tally2.so

Here, deny=5 limits the number of failed attempts to 5, and unlock_time=900 keeps the account locked for 900 seconds before it is automatically unlocked. These parameters may be adjusted to reflect your security policy requirements. A locked account can be manually unlocked using the pam_tally2 utility:

/sbin/pam_tally2 --user {username} --reset

3. Upgrade Password Hashing Algorithm to SHA-512

The default password hashing algorithm used in the system is MD5. To configure the system to use the SHA-512 algorithm, three files need to be edited.

• Replace md5 with sha512 in /etc/pam.d/system-auth

For example: password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

• Disable MD5_CRYPT_ENAB and set ENCRYPT_METHOD to SHA512 in /etc/login.defs

For example:

MD5_CRYPT_ENAB no

ENCRYPT_METHOD SHA512

• Update crypt_style to sha512 in /etc/libuser.conf

For example: crypt_style = sha512

The next time a user's password is reset, the new password will be hashed using the SHA-512 algorithm.

4. Limit Password Reuse

You can use PAM to limit the reuse of recent passwords. The remember option of the pam_unix module can be set to record the recent passwords and prevent their reuse. To accomplish this, edit the appropriate password line in /etc/pam.d/system-auth to include the remember option.

For example:

password sufficient pam_unix.so [ … existing_options …] remember=5

You can set the number of previous passwords to remember to appropriately reflect your security policy requirements.
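As an added example (not part of the original article), a small POSIX shell audit script that reads system-auth and login.defs content and reports whether each setting from sections 1 through 4 is in place; the file contents it uses are constructed samples, and the function names pam_opt, logindefs_val, check and audit_pam are mine.

```shell
# Added audit helper (not from the original article): checks that a system-auth and a
# login.defs carry the settings from sections 1-4. Contents below are constructed samples
# so this runs offline; pass "$(cat /etc/pam.d/system-auth)" "$(cat /etc/login.defs)" live.
SAMPLE_SYSTEM_AUTH='auth     required   pam_tally2.so deny=5 onerr=fail unlock_time=900
auth     sufficient pam_unix.so nullok try_first_pass
account  required   pam_tally2.so
password requisite  pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5'
SAMPLE_LOGIN_DEFS='MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512'
# pam_opt CONTENT TYPE MODULE [OPTION]: value of OPTION on the first non-comment TYPE
# line loading MODULE ("set" for a bare flag such as sha512; "present" when OPTION is
# omitted and the line exists; nothing otherwise). Assumes "type control module opts".
pam_opt() {
  printf '%s\n' "$1" | awk -v type="$2" -v mod="$3" -v opt="$4" '
    /^[[:space:]]*#/ { next }
    $1 == type && $3 == mod {
      if (opt == "") { print "present"; exit }
      for (i = 4; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == opt) { print (kv[2] == "" ? "set" : kv[2]); exit }
      }
      exit
    }'
}
# logindefs_val CONTENT KEY: prints KEY's value from login.defs-style content.
logindefs_val() {
  printf '%s\n' "$1" | awk -v key="$2" '/^[[:space:]]*#/ { next } $1 == key { print $2; exit }'
}
# check DESCRIPTION ACTUAL EXPECTED: reports one control and counts failures.
check() {
  if [ "$2" = "$3" ]; then echo "PASS $1"
  else echo "FAIL $1 (got '${2:-unset}', want '$3')"; fails=$((fails + 1)); fi
}
# audit_pam SYSTEM_AUTH_CONTENT LOGIN_DEFS_CONTENT: succeeds only if every control passes.
audit_pam() {
  fails=0
  for o in minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1; do
    check "pam_cracklib $o" "$(pam_opt "$1" password pam_cracklib.so "${o%=*}")" "${o#*=}"
  done
  check "pam_tally2 deny=5"          "$(pam_opt "$1" auth pam_tally2.so deny)" 5
  check "pam_tally2 unlock_time=900" "$(pam_opt "$1" auth pam_tally2.so unlock_time)" 900
  check "pam_tally2 account line"    "$(pam_opt "$1" account pam_tally2.so)" present
  check "pam_unix sha512"            "$(pam_opt "$1" password pam_unix.so sha512)" set
  check "pam_unix remember=5"        "$(pam_opt "$1" password pam_unix.so remember)" 5
  check "login.defs MD5_CRYPT_ENAB"  "$(logindefs_val "$2" MD5_CRYPT_ENAB)" no
  check "login.defs ENCRYPT_METHOD"  "$(logindefs_val "$2" ENCRYPT_METHOD)" SHA512
  [ "$fails" -eq 0 ]
}
audit_pam "$SAMPLE_SYSTEM_AUTH" "$SAMPLE_LOGIN_DEFS"
```

Each control prints a PASS or FAIL line, and the exit status of audit_pam is non-zero when any setting is missing, so the script can run from cron or a configuration check after authconfig has been used.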