By default, Linux does NOT enable password aging. This may be a requirement in your organization (or proof-of-concept). There are different mechanisms for implementing it, such as using your Active Directory policies, or doing things manually.
In my specific case, there were two viable options:
1) use CentrifyExpress (free product), which basically adds the Linux box to your Active Directory. Thus any password policies already in place in AD will be enforced on the Linux boxes.
2) Configure them manually
Note: for CentrifyExpress, by default all machines within your environment (with AD credentials) will be able to access and log in to your Linux machines. This can be rectified by adding an ACL. Their forums give specific instructions on how to do this.
Option #2 will be used for this discussion.
Applies to Red Hat versions 4-6 (7 untested as of yet).
The main things of interest (in my test case) in changing are:
* Set the Maximum Password Age
* Enable Password History
* Lock account after X failed attempts
* Set Minimum Password Length
* Auto-lock inactive accounts after X days
* Change default password algorithm to SHA512
By default, RHEL 4-6 use MD5 as their base password hashing algorithm. Unfortunately, with security as it is today, using MD5 can be hazardous. To change your default password algorithm from MD5 to SHA512, run the following command (as root):
For RHEL 4.7 (up to 5.1):
authconfig --passalgo=sha512 --kickstart
For RHEL 5.2 (or newer):
authconfig --passalgo=sha512 --update
To configure the maximum password age and password warning level, edit /etc/login.defs:
PASS_MAX_DAYS 99999 (Change to match your environment)
PASS_WARN_AGE 7 (default in days, change to match environment)
Configure PAM for minimum password length, password history, and auto-locking an account after passing the failed-login threshold.
Edit /etc/pam.d/system-auth (Red Hat 4 systems).
find: #(for auto-lock account after failed logins)
auth required /lib/security/$ISA/pam_env.so
change to:
auth required /lib/security/$ISA/pam_tally2.so deny=3
find: #(password minimum length)
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
change to:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=0 ucredit=0 dcredit=0 ocredit=0 minlen=8
find: #(password history)
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow
change to:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok sha512 shadow remember=5
### Just append remember=5 to the line ###
Now for the case of minimum password length above, a little more explanation is in order. You can give credit (towards the minimum password length) if the user uses certain character classes in their password (ex. dcredit=-1). In my case, I wasn't, so I set them all to 0.
dcredit = digits
lcredit = lower-case characters
ucredit = upper-case characters
ocredit = other characters
You would then determine your minimum password length with the formula:
required characters = minlen – (number of character types used), where the number of types can be up to 4.
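The following audit script is an added example (not from the original post) that checks a system-auth and login.defs file for the settings described above: maximum age, warning period, pam_tally2 lock-out, pam_cracklib minimum length, pam_unix password history and the sha512 option. The file paths are arguments so it can be run against copies, and the thresholds (90 days, 7 days, 5 failures, 8 characters, 5 remembered) are assumptions for the example, not values from the post.

```shell
#!/bin/sh
# Added example: audit a RHEL 4-6 box for the password-aging settings discussed above.
# Thresholds below are assumptions for this example, not values taken from the post.

# Value of an uncommented KEY in a login.defs-style file ($1 = file, $2 = key).
logindefs_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Numeric value of OPTION on the uncommented PAM line that loads MODULE
# ($1 = pam file, $2 = module name, $3 = option name); empty if absent.
pam_option() {
    grep -v '^[[:space:]]*#' "$1" | grep -- "$2" \
        | grep -o "$3=[0-9-]*" | head -n 1 | cut -d= -f2
}

# check LABEL VALUE OP LIMIT: prints OK/FAIL, returns 1 on FAIL or if VALUE is unset.
check() {
    if [ -n "$2" ] && [ "$2" "$3" "$4" ]; then
        echo "OK   $1=$2"
    else
        echo "FAIL $1=${2:-unset} (want $3 $4)"; return 1
    fi
}

# audit_pw_policy LOGIN_DEFS SYSTEM_AUTH -> exit status = number of failed checks
audit_pw_policy() {
    defs="$1"; pam="$2"; fails=0
    check PASS_MAX_DAYS "$(logindefs_value "$defs" PASS_MAX_DAYS)" -le 90 || fails=$((fails + 1))
    check PASS_WARN_AGE "$(logindefs_value "$defs" PASS_WARN_AGE)" -ge 7  || fails=$((fails + 1))
    check deny     "$(pam_option "$pam" pam_tally2.so deny)"     -le 5 || fails=$((fails + 1))
    check minlen   "$(pam_option "$pam" pam_cracklib.so minlen)" -ge 8 || fails=$((fails + 1))
    check remember "$(pam_option "$pam" pam_unix.so remember)"   -ge 5 || fails=$((fails + 1))
    # Hashing algorithm: the password line for pam_unix must carry sha512 (MD5 is the default).
    if grep -v '^[[:space:]]*#' "$pam" | grep pam_unix.so | grep -q sha512; then
        echo "OK   pam_unix hashing=sha512"
    else
        echo "FAIL pam_unix hashing is not sha512 (still the MD5 default?)"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Inactivity (-I) is a per-account value set by chage, so it is not in either file;
# inspect it with: chage -l <userid> | grep 'Password inactive'
```

Run it as `audit_pw_policy /etc/login.defs /etc/pam.d/system-auth`; a non-zero exit status is the number of settings still at their defaults.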
Once you have done the above, the password restrictions will be in place for new users only (and the password algorithm takes effect on password changes). If you wish to change existing users on the system, use chage to accomplish that.
example:
chage -M 60 -W 7 -I 30 tom
Sets tom's user account to a maximum password age of 60 days, warns 7 days prior to expiration, and goes inactive 30 days after the password maximum age. So the account will go inactive after 90 days.
Additionally, if you run the command above on any existing accounts whose passwords haven't been changed recently, it will auto-lock those accounts. So you may wish to set a password for the account(s) now, so that they aren't locked any longer. You may also wish to expire the password, so that when the UID logs into the server they will be forced to change their password. This can be accomplished with:
# change password for user
passwd <userid> ## replacing userid with the UID account
# expire password, so UID is forced to change password upon login
chage -d 0 <userid> ## also replacing userid with an active UID
### Account locked-out, needs resetting ###
An account getting locked out (from trying to log in too many times) is bound to happen. To check how many failures an account has, and to clear them, use:
pam_tally2 -u <userid>
example:
# pam_tally2 -u test01
Login Failures Latest failure From
test01 4 05/22/15 12:54:27 tty1
If your account lock-out is set to three, you'll note that test01 has 4 failures, so they are effectively locked out at the moment. To reset their failures back to zero (unlocking the account), use:
# pam_tally2 -u test01 -r
=======================
Sources of Information:
=======================
* http://www.outsidaz.org/blog/2009/12/23/migrating-to-sha-512-etcshadow-hashes-on-rhel45/