password policy (pwquality, pwhistory, cracklib, faillock)

Last updated: 2024-01-03


pwquality Introduction

The pam_pwquality code was originally based on the pam_cracklib module, and the module is backwards compatible with its options.

Help: man pam_pwquality

The checks for strength are:

  • Palindrome
  • Case Change Only                       # Is the new password the old one with only a change of case?
  • Similar                                # Is the new password too much like the old one?
  • Simple                                 # 6 arguments: minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit.
  • Rotated                                # Is the new password a rotated version of the old password?
  • Same consecutive characters
  • Too long monotonic character sequence
  • Contains user name
  • Dictionary check                       # The cracklib routine is called to check

pam_pwquality Config Arg & File

  • module arguments
  • configuration file (/etc/security/pwquality.conf)

 * module arguments override the configuration file

pam_pwquality Config Example

password-auth default # R8

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

Explanation

try_first_pass

tells a later module to try using the password entered for a previous module

retry=N    # default: 1

Prompt user at most N times before returning with error

local_users_only

The module will not test the password quality for users that are not present in the /etc/passwd file

authtok_type=XXX

The default action is for the module to use the following prompts when requesting passwords:
"New UNIX password: " and "Retype UNIX password: ". When this option is set, the word UNIX is replaced with XXX (it is empty by default).

pam_pwquality Set Policy

e.g.

password    required    pam_pwquality.so difok=1 reject_username

difok=N

Specifies the number of characters that must be different between the old and new passwords when changing passwords

minlen=N

The minimum acceptable size for the new password (plus one if credits are not disabled which is the default)

credits

  • dcredit      # digits
  • ucredit      # uppercase
  • lcredit      # lowercase
  • ocredit      # other (symbol)

If less than 0 (e.g. -1), it is the minimum number of characters of that class (digits for dcredit, and so on) in the new password; if 0 or more, it is the maximum credit that class can contribute towards minlen.

usercheck=1

Check whether the password (with possible modifications) contains the user name in some form.

It is not performed for user names shorter than 3 characters.

reject_username

Check whether the name of the user in straight or reversed form is contained in the new password.

dictpath=/path/to/dict

Path to the cracklib dictionaries.

e.g.

password  required  pam_cracklib.so dictpath=/usr/share/cracklib/pw_dict

Config File

/etc/security/pwquality.conf

difok = 1
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
minclass = 4
usercheck = 1
enforce_for_root

# Whether to check for the words from the cracklib dictionary (default 1)

dictcheck = 1

# Whether to check if it contains the user name in some form.

usercheck = 1

# Length of substrings from the username to check for in the password

usersubstr = 0

# Enforces pwquality checks on the root user password.

enforce_for_root

# The minimum number of required classes of characters for the new password.
# 4 = digits, upper and lower letters and other characters

minclass=N

# When password changing enforce the module to use the new password provided by a previously stacked password module

use_authtok
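To make the credit arithmetic concrete, the following is an added Python model of the documented rules (minlen adjusted by dcredit/ucredit/lcredit/ocredit, minclass, difok, palindrome, reject_username) applied to the pwquality.conf values above. It is not libpwquality's own code: the names POLICY, check_simple, edit_distance and check_password are the model's own, and treating difok as a Levenshtein edit distance and the ordering of the checks are assumptions of the model.

```python
# Policy values from the /etc/security/pwquality.conf example above.
POLICY = {"minlen": 14, "dcredit": -1, "ucredit": -1, "lcredit": -1,
          "ocredit": -1, "minclass": 4, "difok": 1}

def count_classes(pw):
    """Per-class character counts, keyed by the credit option for that class."""
    c = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in pw:
        if ch.isdigit():   c["dcredit"] += 1
        elif ch.isupper(): c["ucredit"] += 1
        elif ch.islower(): c["lcredit"] += 1
        else:              c["ocredit"] += 1
    return c

def check_simple(pw, policy=POLICY):
    """Model of the 'Simple' check: minlen adjusted by credits, then minclass.
    Returns None when the password passes, otherwise the failing option."""
    counts = count_classes(pw)
    required = policy["minlen"]
    for key, n in counts.items():
        credit = policy[key]
        if credit < 0 and n < -credit:   # negative credit = minimum count of that class
            return key
        if credit >= 0:                  # positive credit: up to `credit` chars of the
            required -= min(n, credit)   # class each shorten the required length by one
    if sum(1 for n in counts.values() if n) < policy["minclass"]:
        return "minclass"
    return None if len(pw) >= required else "minlen"

def edit_distance(a, b):
    """Levenshtein distance; the model compares difok against this (an assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j-1] + 1, prev[j-1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(new, old, user, policy=POLICY):
    """Run the other documented checks first; the first failing rule is returned."""
    if new == new[::-1]:
        return "palindrome"
    if old and edit_distance(old, new) < policy["difok"] and len(new) < 2 * len(old):
        return "difok"                   # too few changed characters
    if len(user) >= 3 and (user.lower() in new.lower() or user.lower()[::-1] in new.lower()):
        return "reject_username"         # user name straight or reversed
    return check_simple(new, policy)
```

With the old pam_cracklib-style defaults (minlen=8 and every credit set to 1) a six-character password such as "Abc12!" passes, which is the "plus one" effect the minlen note above refers to; check a real system with pwscore(1) against its own configuration.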

 


Apply password policy to sshd

Basically it is enough to modify password-auth, because sshd includes it:

grep password-auth /etc/pam.d/sshd

auth       substack     password-auth
account    include      password-auth
password   include      password-auth
session    include      password-auth

/etc/ssh/sshd_config

MaxAuthTries 5


pwhistory

/etc/security/pwhistory.conf

enforce_for_root
remember = 8

# The last N passwords for each user are saved.

remember=N    # default: 10


cracklib dictionaries

Package

Package: cracklib

A password-checking library

  • /usr/sbin/cracklib-check
  • /usr/sbin/cracklib-packer
  • /usr/sbin/cracklib-unpacker
  • /usr/sbin/cracklib-format        # of little use
  • /usr/sbin/create-cracklib-dict   # converts a wordlist into cracklib's format

cracklib-check

# Check passwords using libcrack2's FascistCheck(3) subroutine
# By default it uses /usr/share/cracklib/pw_dict

echo "Pwd@1245" | cracklib-check

Pwd@1245: OK

cracklib-packer

# reads sorted and cleaned words from stdin and creates the binary database (.hwm, .pwd, and .pwi)
# the argument is the database name without extension (the .pwd/.pwi/.hwm suffixes are appended);
# if dbname is not specified, will use compiled in default of (/usr/share/cracklib/pw_dict)

cracklib-packer /usr/share/cracklib/pw_dict < /path/to/wordlist.txt

cracklib-unpacker

# DB -> TXT
# if dbname is not specified, will use compiled in default of (/usr/share/cracklib/pw_dict)

Package: cracklib-dicts

The standard CrackLib dictionaries

/usr/sbin/mkdict

# It takes a wordlist file as input and generates the corresponding .pwd, .hwm, and .pwi files.

e.g. (mkdict writes the cleaned word list to stdout, so it is piped into packer, which creates my_dict.pwd, .hwm and .pwi)

mkdict /path/to/wordlist.txt | packer /usr/share/cracklib/my_dict

/usr/sbin/packer

# It reduces the size of the dictionaries by removing duplicate entries and optimizing the storage format.

e.g. (packer reads the word list on stdin; the argument is the database name without extension)

packer /usr/share/cracklib/my_dict < /path/to/sorted_wordlist.txt

 * If you don't use packer, the dictionaries will still function correctly, but they may be larger in size.

Files

  • /usr/lib64/cracklib_dict.hwm             # soft-link ../../usr/share/cracklib/pw_dict.hwm
  • /usr/lib64/cracklib_dict.pwd
  • /usr/lib64/cracklib_dict.pwi
  • /usr/share/cracklib/cracklib-small.hwm    # small-sized dictionary
  • /usr/share/cracklib/cracklib-small.pwd
  • /usr/share/cracklib/cracklib-small.pwi
  • /usr/share/cracklib/pw_dict.hwm           # larger dictionary
  • /usr/share/cracklib/pw_dict.pwd
  • /usr/share/cracklib/pw_dict.pwi

*.hwm

hash-based index file for .pwd
It is used to optimize the lookup process

*.pwi

index file for the .pwd
It is used to optimize the lookup process

Package: words

A dictionary of English words for the /usr/share/dict directory

File

  • /usr/share/dict/linux.words

Usage: Update the cracklib Dictionary

create-cracklib-dict /usr/share/dict/linux.words


faillock

pam_faillock has roughly the same functionality as pam_tally and pam_tally2.

Help: man pam_faillock

Centralize the configuration of the pam_faillock.so module

/etc/security/faillock.conf

fail_interval = 3600
deny = 5
unlock_time = 0
even_deny_root

Lock for ssh only:

/etc/pam.d/sshd

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so preauth

{preauth|authfail|authsucc}

This argument must be set according to the position of this module instance in the PAM stack.

preauth stage:

It is called before the modules which ask for the user credentials, such as the password.
The module will record the failure into the appropriate user tally file.
This call is optional if authsucc is used.

authfail stage:

It is called after the modules which determined that the authentication failed.
The module will record the failure into the appropriate user tally file.
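An added Python model of the lock decision the preauth/account calls make from the tally, using the faillock.conf values above (deny=5, fail_interval=3600, unlock_time=0, even_deny_root). It is not pam_faillock's code (the real tally is a record file under /var/run/faillock/USERNAME), and the names FAILLOCK_CONF, is_locked, tally_update and simulate are the model's own; it shows that the fail_interval window is anchored on the most recent failure and that unlock_time = 0 means the lock never expires by itself.

```python
# Added model of pam_faillock's lock decision (not the module's own code).
# Values from the /etc/security/faillock.conf example above.
FAILLOCK_CONF = {"deny": 5, "fail_interval": 3600, "unlock_time": 0,
                 "even_deny_root": True}

def is_locked(failures, now, user="alice", conf=FAILLOCK_CONF):
    """failures: epoch seconds of the consecutive authentication failures
    recorded for `user` since the last successful login (the real module keeps
    these as records in /var/run/faillock/USERNAME; a success empties them).
    Returns True when the preauth/account call would reject the user."""
    if user == "root" and not conf["even_deny_root"]:
        return False                       # root is exempt unless even_deny_root is set
    if not failures:
        return False
    latest = max(failures)
    # Only failures within fail_interval of the *latest* failure count towards
    # deny: the window is anchored on the last failure, not on the current time.
    recent = [t for t in failures if latest - t < conf["fail_interval"]]
    if len(recent) < conf["deny"]:
        return False
    # unlock_time=0 means the lock never expires by itself; it is cleared only by
    # `faillock --user USERNAME --reset`.
    if conf["unlock_time"] and latest + conf["unlock_time"] < now:
        return False
    return True

def tally_update(failures, stage, t):
    """Apply one stacked pam_faillock call to the tally: 'authfail' records a
    failure, 'authsucc' (successful login) clears the tally, 'preauth' only reads."""
    if stage == "authfail":
        return failures + [t]
    if stage == "authsucc":
        return []
    return list(failures)

def simulate(events, conf=FAILLOCK_CONF):
    """events: constructed list of (time, stage). Returns the lock state after each event."""
    failures, states = [], []
    for t, stage in events:
        failures = tally_update(failures, stage, t)
        states.append(is_locked(failures, t, conf=conf))
    return states
```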

 

Checking Lock

faillock --user USERNAME

# equivalent to emptying /var/run/faillock/USERNAME

faillock --user myUsername --reset

 * After a successful login, /var/run/faillock/USERNAME is cleared

sshd PAM configuration

/etc/pam.d/sshd

# optionally use "requisite" if you do not want to prompt for the password on locked accounts
auth       required     pam_faillock.so preauth
auth       required     pam_faillock.so authfail
auth       substack     password-auth
auth       include      postlogin

account    required     pam_sepermit.so
account    required     pam_nologin.so
# if you drop the call to pam_faillock.so the lock will be done also on non-consecutive authentication failures
account    required     pam_faillock.so preauth
account    include      password-auth

...


Rocky 8 User PAM

/etc/pam.d/system-auth and /etc/pam.d/password-auth