

Showing posts from January, 2009

Restricting su Access to System and Shared Accounts

This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords.

Example for Restricting su Access to root

Create a new group for each set of users that are allowed to su to root:

# groupadd rootmembers

Add all users who are allowed to su to the root account to the new member group created above. The following requirement will be configured:

- Only the user named hari should be able to su to root

# usermod -G rootmembers hari

Next add the three authentication lines highlighted in bold to the /etc/pam.d/su file as shown below:

auth sufficient /lib/security/$ISA/
auth required /lib/security/$ISA/ service=system-auth
auth sufficient /lib/security/$ISA/ service=su-root-members
auth required /lib/security/$ISA/
account required /lib/security/$ISA/ service=system-auth
password required /lib/security/$ISA/ service=system-auth
session required /lib/security/$ISA/pam

Lock user account on frequent login failures

Add the following two lines highlighted in blue to the /etc/pam.d/system-auth file as shown below:

auth required
auth required onerr=fail per_user deny=3 reset
auth required
auth sufficient likeauth nullok try_first_pass
auth requisite uid >= 500 quiet
auth required
account required
account required
account sufficient uid < 500 quiet
account required
password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

The first added line counts failed login and failed su attempts for each user. By default, these failed attempts are recorded in /var/log/faillog.

Enforce stronger passwords in Linux

The pam_cracklib module checks the password against dictionary words and other constraints. For example, if you define a password length of minlen=10 and set dcredit=1, you get 1 credit for using a single digit in your password. This means that pam_cracklib will accept a password of length minlen minus the credits earned. If you don't use a digit, the minimum length of the password is minlen. With positive credits alone, there was no way to tell the module that a password _must_ include a digit. The following example shows how to enforce the following password rules:

minlen=8    Minimum length of password is 8
lcredit=-1  Minimum number of lower case letters is 1
ucredit=-1  Minimum number of upper case letters is 1
dcredit=-1  Minimum number of digits is 1
ocredit=-1  Minimum number of other characters is 1

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add/change the follo
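The credit arithmetic described above is easy to get wrong when writing a policy, so here is an added example (not code from the original post, and not pam_cracklib itself) that models only the minlen and lcredit/ucredit/dcredit/ocredit rule: a positive credit N lets up to N characters of that class each count as one extra character of length, while a negative credit -N makes N characters of that class mandatory and earns no credit. The function name check_password_length, the PAGE_POLICY dictionary and the sample passwords are constructed for this example; the dictionary, palindrome and similarity checks that the real module also performs are deliberately left out.

```python
# Added example: models the pam_cracklib minlen/credit rule described above.
# This is NOT pam_cracklib; it skips the module's dictionary, palindrome and
# similarity checks and only reproduces the length-plus-credits arithmetic.

# The policy from the post: minlen=8 and one mandatory character of each class.
PAGE_POLICY = dict(minlen=8, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1)


def check_password_length(password, minlen=9, lcredit=1, ucredit=1,
                          dcredit=1, ocredit=1):
    """Return (ok, reason) for the length/credit part of the policy.

    Positive credit N: up to N characters of that class each add one credit.
    Negative credit -N: at least N characters of that class are required and
    the class adds no credit.  The password passes when
    len(password) + credits >= minlen.  Defaults mirror pam_cracklib's
    documented defaults (minlen=9, all credits 1).
    """
    counts = {
        "lower": sum(c.islower() for c in password),
        "upper": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "other": sum(not c.isalnum() for c in password),
    }
    credits = 0
    for cls, credit in (("lower", lcredit), ("upper", ucredit),
                        ("digit", dcredit), ("other", ocredit)):
        if credit < 0:
            # Negative credit: a hard minimum for this class, no credit earned.
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} {cls} character(s)"
        else:
            # Positive credit: each character of the class counts, capped at N.
            credits += min(counts[cls], credit)
    if len(password) + credits < minlen:
        return False, (f"too short: length {len(password)} + {credits} "
                       f"credit(s) < minlen {minlen}")
    return True, "ok"


def evaluate_samples():
    """Run constructed sample passwords against two policies.

    Returns a list of (label, password, ok, reason) tuples.
    """
    # Policy from the post's first explanation: minlen=10 with dcredit=1 and
    # no other credits, so a 9-character password needs a digit to pass.
    digit_credit = dict(minlen=10, lcredit=0, ucredit=0, dcredit=1, ocredit=0)
    samples = [
        ("dcredit=1", "abcdefgh1", digit_credit),   # 9 chars + 1 credit = 10
        ("dcredit=1", "abcdefghi", digit_credit),   # 9 chars, no digit
        ("page policy", "Passw0rd!", PAGE_POLICY),  # one of each class
        ("page policy", "password1", PAGE_POLICY),  # no upper, no other
        ("page policy", "Pa0!", PAGE_POLICY),       # all classes but too short
    ]
    results = []
    for label, pw, policy in samples:
        ok, reason = check_password_length(pw, **policy)
        results.append((label, pw, ok, reason))
    return results


if __name__ == "__main__":
    for label, pw, ok, reason in evaluate_samples():
        print(f"[{label}] {pw!r}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Run it as a script to see which of the constructed samples pass under each policy; the point to notice is that with dcredit=1 a digit merely shortens the required length, whereas with dcredit=-1 a password without a digit is rejected regardless of its length.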