EDIT 09/19/2020: This post has been updated as it was linked to the new Part 2 of 2 Infrastructure, Decentralization and Security post so I decided to include Asciicast recordings.
Click the Show More button to access the recording. You can pause the recording and copy & paste directly from it too.
Even though we use an Ansible playbooks to automate our configuration we wanted to walk you through the manual steps. Later we will release our playbooks for public consumption.
Best Practices:
- Be sure to have an open session as root as mistakes in PAM configuration could affect the root user’s ability to authenticate.
- Before editing PAM configuration files, be sure to take a backup.
Please don’t skip these two steps. We do not demonstrate these steps in the terminal recordings provided. Forgetting to have backups and a separate root user session already connected can lead to being locked out of your server!
- Password Complexity Requirements
- Restrict Password Reuse
- Password Expiration (6 months)
Password Complexity
Password Complexity implements strong passwords, or at minimum prevents weak passwords. Were going to configure it to require 8 characters minimum, 3 character types and only allow repeating a character 3 times consecutively. This is done in 2 steps.
- Ensure the pam_pwquality.so module exists in the /etc/pam.d/system-auth file, create the line if it does not.
- Edit /etc/security/pwquality.conf to configure parameters. Below we discuss each option configured and its effects.
[bg_collapse view=”button-blue” color=”#ffffff” icon=”arrow” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”484″]
[/bg_collapse]
Setting credits to -1 required one each of class digit, upper, lower and other (ie. dcredit, ucredit, lcredit and ocredit). If your asking yourself, why did they set minclass to 3 if they already required at least one of all 4 classes, great! Your paying enough attention to understand what your doing. We didnt need to set minclass=3 if we set at least 3 of the credit options to -1. Or we could have skipped setting -1 4 times by instead setting minclass to 4. These are two different ways to enforce the password complexity rules, they don’t need to be mixed, but as you can see you could create some fairly specific requirements if you wanted a certain number of classes, but also wanted to ensure a minimum number of other characters.
Restrict Password Reuse
Now its time to restrict reusing passwords since it’s not much help to require a strong password if it gets compromised and you never replace it. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In our example were going to show the pam_pwhistory.so configuration
- Make sure (an empty) /etc/security/opasswd exists with correct permission and in case SELinux is enabled, has the correct SELinux context:
[root~]# ls -ldZ /etc/security/opasswd
-rw-------. root root system_u:object_r:shadow_t:s0 0 Jun 24 06:35 /etc/security/opasswd- Add pam_pwhistory.so to /etc/pam.d/system-auth after the line containing pam_pwquality.so as shown below. Were going to set it to remember 5 prior passwords.
...
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password required pam_pwhistory.so remember=5 use_authtok
...[bg_collapse view=”button-blue” color=”#ffffff” icon=”arrow” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”514″]
[/bg_collapse]
Password Expiration
The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. We will implement a 180 day default policy, create two new users, and then update their warning from the default 7 days to 21 days
- Set the appropriate value of 180 for PASS_MAX_DAYS inside /etc/login.defs or apply it to existing accounts with the -M flag using chage.
- Set the warning from 7 days to 21 days, so notification is given 2 weeks sooner than the password will need to change.
[bg_collapse view=”button-blue” color=”#ffffff” icon=”arrow” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”508″]
[/bg_collapse]