
Posts

Showing posts from January, 2009

Restricting su Access to System and Shared Accounts

This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords.

Example for Restricting su Access to root

Create a new group for each set of users that are allowed to su to root:

  # groupadd rootmembers

Add all users who are allowed to su to the root account to the new group created above. The following requirement will be configured:

- Only the user named hari should be able to su to root

  # usermod -G rootmembers hari

Note that usermod -G replaces the user's whole list of supplementary groups with the groups named. If hari already belongs to other groups, list them all (comma-separated), or use usermod -a -G rootmembers hari where your usermod supports -a.

Next add the authentication lines highlighted in bold in the original post to the /etc/pam.d/su file as shown below (the highlighting is lost in this copy; the new entries are the service=su-root-members line and the pam_deny line). pam_stack with service=su-root-members runs the stack defined in /etc/pam.d/su-root-members, which must exist; this excerpt ends before that file is shown. The effect of the ordering is: root needs no password (pam_rootok is sufficient), anyone else must first pass the normal password check (system-auth is required) and then be accepted by the su-root-members stack; every other caller falls through to pam_deny, correct password or not.

  auth       sufficient   /lib/security/$ISA/pam_rootok.so
  auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
  auth       sufficient   /lib/security/$ISA/pam_stack.so service=su-root-members
  auth       required     /lib/security/$ISA/pam_deny.so
  account    required     /lib/security/$ISA/pam_stack.so service=system-auth
  password   required     /lib/security/$ISA/pam_stack.so service=system-auth
  session    required     /lib/security/$ISA/pam
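To see why this ordering of control flags yields "password correct AND member of rootmembers", here is an added example (not code from the page) that models Linux-PAM's required/requisite/sufficient/optional semantics for one management group and evaluates the four auth lines above for several callers. The contents of /etc/pam.d/su-root-members are not shown in the excerpt; the model assumes that stack succeeds when the calling (real) user is a member of rootmembers, which is what a pam_wheel.so use_uid group=rootmembers line does. The password table, group membership, user names and function names are constructed for the example.

```python
"""Model of how the /etc/pam.d/su auth stack decides who may su to root.

Added example, not code from the page. Implements Linux-PAM control-flag
semantics and applies them to the four auth lines of the post.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

# Constructed data standing in for /etc/shadow and /etc/group (not real accounts).
PASSWORDS = {"root": "r00t", "hari": "hari-pw", "bob": "bob-pw"}
GROUPS = {"rootmembers": {"hari"}}


def run_stack(stack, ctx):
    """Evaluate a list of (control, module) pairs the way Linux-PAM does.

    Each module is a callable taking ctx and returning True (PAM_SUCCESS)
    or False (any failure code). Returns True if the application would be
    told that authentication succeeded.
    """
    failed = False  # has a 'required' module failed earlier in the stack?
    for control, module in stack:
        ok = module(ctx)
        if control == REQUIRED:
            failed = failed or not ok   # remember the failure, keep running the stack
        elif control == REQUISITE:
            if not ok:
                return False            # abort immediately
        elif control == SUFFICIENT:
            if ok and not failed:
                return True             # short-circuit success; a failure is ignored
        elif control == OPTIONAL:
            pass                        # only matters if it is the sole module
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not failed


def pam_rootok(ctx):
    # pam_rootok.so: succeeds only when the caller's real uid is 0
    return ctx["caller"] == "root"


def system_auth(ctx):
    # pam_stack service=system-auth -> pam_unix: target's password must match
    return PASSWORDS.get(ctx["target"]) == ctx["typed"]


def su_root_members(ctx):
    # ASSUMED content of /etc/pam.d/su-root-members: pam_wheel use_uid
    # group=rootmembers, i.e. the *calling* user must belong to rootmembers.
    return ctx["caller"] in GROUPS["rootmembers"]


def pam_deny(ctx):
    # pam_deny.so: always fails
    return False


SU_AUTH_STACK = [
    (SUFFICIENT, pam_rootok),
    (REQUIRED, system_auth),
    (SUFFICIENT, su_root_members),
    (REQUIRED, pam_deny),
]


def can_su(caller, target, typed):
    """Would `su target`, run by `caller` who types `typed`, be allowed?"""
    return run_stack(SU_AUTH_STACK, {"caller": caller, "target": target, "typed": typed})


if __name__ == "__main__":
    for caller, typed in [("root", ""), ("hari", "r00t"), ("hari", "wrong"), ("bob", "r00t")]:
        verdict = "allowed" if can_su(caller, "root", typed) else "denied"
        print(f"{caller:5} -> root typing {typed!r}: {verdict}")
```

The interesting case is bob: he types the correct root password, system-auth succeeds, but the sufficient su-root-members stack fails for him and is ignored, so pam_deny decides. Conversely hari with a wrong password is also refused, because a sufficient success cannot override an earlier required failure.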

Lock user account on frequent login failures

Add the following two lines highlighted in blue in the original post to the /etc/pam.d/system-auth file as shown below (the highlighting is lost in this copy; the new entries are the auth line and the account line for pam_tally.so):

  auth        required      pam_env.so
  auth        required      pam_tally.so onerr=fail per_user deny=3 reset
  auth        required      pam_access.so
  auth        sufficient    pam_unix.so likeauth nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        required      pam_deny.so
  account     required      pam_unix.so
  account     required      pam_tally.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  password    requisite     pam_cracklib.so try_first_pass retry=3
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    required      pam_deny.so
  session     optional      pam_keyinit.so revoke
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so

The first added line counts failed login and failed su attempts for each user: every authentication that goes through system-auth bumps the user's tally before the password is checked, and once the tally exceeds deny=3 the module fails, so the fourth consecutive attempt is refused even if the password is correct. reset clears the tally after a successful login, so only consecutive failures accumulate; per_user lets a per-user limit recorded in faillog override deny=3; onerr=fail refuses the login if the tally file cannot be read or written (the safe choice, but an unreadable /var/log/faillog then locks everyone out). The root account is counted but not locked unless even_deny_root_account is also given. The second added line, in the account phase, resets the tally once a successful login passes the account checks. By default the counts are kept in /var/log/faillog; view a user's count with faillog -u <user>, and clear a locked user with faillog -u <user> -r or pam_tally --user <user> --reset.
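An added example (not code from the page) that models the counter exactly as configured above: each attempt bumps the tally, access is refused once the tally exceeds deny, a successful login resets it, per_user is modelled as an optional per-user limit that overrides deny, and onerr=fail as "refuse when the tally file cannot be read". The in-memory Faillog class, the user names and the attempt sequences are constructed stand-ins for /var/log/faillog; in real PAM the required pam_tally line does not stop the stack, so the user is still prompted for a password even when already locked out.

```python
"""Model of pam_tally.so onerr=fail per_user deny=3 reset (auth) plus the
account-phase reset. Added example, not code from the page or the module."""

DENY = 3


class Faillog:
    """In-memory stand-in for /var/log/faillog: per-user count and limit."""

    def __init__(self, readable=True):
        self.readable = readable   # False simulates an unreadable tally file
        self.counts = {}
        self.limits = {}           # per_user: a non-zero limit here overrides DENY

    def get(self, user):
        if not self.readable:
            raise OSError("faillog unreadable")
        return self.counts.get(user, 0)

    def set(self, user, n):
        self.counts[user] = n


def pam_tally_auth(log, user, deny=DENY, onerr_fail=True):
    """auth phase: bump the tally first, then fail if it exceeds the limit."""
    try:
        tally = log.get(user) + 1
        log.set(user, tally)
    except OSError:
        return not onerr_fail          # onerr=fail -> PAM_AUTH_ERR; onerr=succeed -> pass
    limit = log.limits.get(user) or deny   # per_user: the user's own limit wins
    return tally <= limit              # "deny access if tally exceeds n"


def pam_tally_account(log, user):
    """account phase after a successful login: reset the tally (reset option)."""
    log.set(user, 0)
    return True


def login(log, user, password_ok):
    """One attempt through the stack: pam_tally, then pam_unix, then account."""
    if not pam_tally_auth(log, user):
        return "locked"                # tally exceeded deny; password is irrelevant now
    if not password_ok:
        return "bad password"          # tally stays bumped
    pam_tally_account(log, user)
    return "ok"


def simulate(log, user, attempts):
    """Run a list of booleans (was the password correct?) and return outcomes."""
    return [login(log, user, ok) for ok in attempts]


def admin_reset(log, user):
    """What `faillog -u USER -r` or `pam_tally --user USER --reset` does."""
    log.set(user, 0)


if __name__ == "__main__":
    log = Faillog()
    # Three wrong passwords, then the right one: the 4th attempt is locked out.
    print(simulate(log, "hari", [False, False, False, True]))
    admin_reset(log, "hari")
    # Two failures then a success: the success resets the counter to 0.
    print(simulate(log, "hari", [False, True]), log.get("hari"))
```

Note the lock persists across correct passwords until an administrator resets the count; a further correct-password attempt only bumps the tally higher.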

Enforce stronger password in Linux

The pam_cracklib module checks the password against dictionary words and other constraints. Its length check works with credits: e.g. if you define minlen=10 and dcredit=1 (the default), using a single digit in your password earns 1 credit, and pam_cracklib accepts a password of length minlen minus the credits earned (one credit per character class by default, so a password containing a digit, an upper-case letter, a lower-case letter and another character can be as short as minlen-4). If you don't use a digit, no digit credit is earned and the minimum length stays at minlen. With positive credits alone there was no way to tell the module that a password _must_ include a digit. Negative credit values do exactly that: dcredit=-1 means the password must contain at least one digit, and no credit is given for it. The following example shows how to enforce the following password rules:

  pam_cracklib.so minlen=8      Minimum length of password is 8
  pam_cracklib.so lcredit=-1    Minimum number of lower case letters is 1
  pam_cracklib.so ucredit=-1    Minimum number of upper case letters is 1
  pam_cracklib.so dcredit=-1    Minimum number of digits is 1
  pam_cracklib.so ocredit=-1    Minimum number of other characters is 1

Because all four credits are negative, nothing is added to the counted length and the password really must be 8 characters long. To set up these password restrictions, edit the /etc/pam.d/system-auth file and add/change the follo
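An added example (not code from the page or from pam_cracklib) that reproduces the module's minlen/credit arithmetic so the two policies can be compared on concrete passwords: a positive credit adds one to the counted length for each character of that class, up to the credit value; a negative credit -n is a hard minimum of n characters of that class and adds nothing; the password fails if the counted length is below minlen. Dictionary, similarity and palindrome checks of the real module are not modelled, and the sample passwords are constructed.

```python
"""Model of pam_cracklib's minlen/credit length check.
Added example, not code from the page or the module."""
import string

CLASSES = {
    "digit": set(string.digits),
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
}


def cracklib_length_check(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return None if the password satisfies minlen given the credits,
    otherwise the reason it is rejected (defaults are the module's defaults)."""
    counts = {name: sum(c in chars for c in password) for name, chars in CLASSES.items()}
    counts["other"] = len(password) - sum(counts.values())   # anything not in the three classes
    credits = {"digit": dcredit, "uppercase": ucredit, "lowercase": lcredit, "other": ocredit}

    size = len(password)               # the length pam_cracklib compares against minlen
    for name, credit in credits.items():
        have = counts[name]
        if credit >= 0:
            size += min(have, credit)  # positive credit: bonus length, capped at the credit value
        elif have < -credit:
            return f"needs at least {-credit} {name} character(s)"   # negative credit: hard minimum
    if size < minlen:
        return f"too short: counts as {size}, minlen is {minlen}"
    return None


# The rules from the post: minlen=8 with every credit negative.
STRICT = dict(minlen=8, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)


if __name__ == "__main__":
    # With default credits (1 per class), a 7-character password satisfies minlen=10.
    print("Secret9 under minlen=10 defaults:", cracklib_length_check("Secret9", minlen=10) or "accepted")
    for pw in ["Secret9", "Secret9!", "secret9!", "Secret!!"]:
        print(f"{pw!r} under the strict rules:", cracklib_length_check(pw, **STRICT) or "accepted")
```

The first print is the trap the post describes: "Secret9" is only seven characters, but it earns one credit each for its digit, upper-case and lower-case characters and so counts as 10. Under the strict rules it is rejected, not for length but because it contains no "other" character.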