- User Accounts and Permissions
- Who Needs What? Managing Groups
- Passwords: The First Line of Security
- Monitoring User Activity
- Letting Mortals Play at Wizardry: SuperUsers
- References
Passwords: The First Line of Security
Studies have shown that one of the leading causes, if not the primary cause, of system break-ins is an easily broken password. openSUSE aims to help the system administrator train all users (even if there's only one) in password integrity and safety.
The YaST Security Settings let you set minimum standards for user passwords and offer additional ways of securing your passwords. In this section you'll learn how to configure these to your best advantage. First, however, there is some theory to cover.
The passwd and shadow Files
A user isn't a user until he or she has an entry in /etc/passwd. Back in the old days, the password hashes for all users in Unix and Linux were stored in that same file, which is readable by anyone on the system. The file is still world-readable, but the password field now holds only a placeholder, x, meaning "look in /etc/shadow."
In the mid-1990s, John F. Haugh II created the Shadow Suite to deal with this problem, and support for it had spread through the various Linux distributions by 1998. The idea is simple: /etc/passwd never held plain-text passwords, but it did hold the password hashes, and a world-readable hash file lets any local user copy the hashes and run an offline dictionary attack against them at leisure. Making /etc/passwd unreadable is not an option, because too many programs need the rest of its contents (usernames, UIDs, home directories, shells). The solution is to move the hashes into a separate file, /etc/shadow, that only Root can read.
Both passwd and shadow are plain colon-delimited text files with one record (user) per line. passwd has seven fields that store the following for each record or user:
- Username
- Password (or holding place)
- UID
- GID
- Finger information
- Path to the home directory
- Default shell
That is, every field included in the YaST User Add screen.
shadow has nine fields for each record/user and shares just one with passwd: the username. The other eight are as follows:
- Encrypted (hashed) password. A leading ! or * means the account is locked for password login; an empty field means no password is required at all, which you never want.
- When the password was last changed, expressed as the number of days since January 1, 1970 (the epoch). A value of 0 forces the user to change the password at the next login.
- Minimum password age: the number of days after a change before the user may change the password again.
- Maximum password age: the number of days after a change before the password must be changed. The value 99999 effectively disables expiry.
- The number of days before the password expires that the user starts receiving a warning at login.
- The number of days after the password expires during which it is still accepted (the user is forced to change it at login); once that grace period passes, the account is disabled until Root intervenes.
- The date, in days since the epoch, on which the account itself expires, regardless of the password's age. Empty means never.
- The last field is reserved for future use; that use has yet to be determined.
These fields are set in the Password Settings dialog box for each user.
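The following is an added example, not code from the book or from openSUSE, that parses shadow records and works out what a login would conclude from the aging fields: locked, account expired, must change, expired, inside the inactivity grace period, or merely in the warning window. The records in SAMPLE_SHADOW and the value of TODAY are constructed for the demo, and the hash strings are placeholders shaped like real crypt(3) output, not real password hashes.

```python
"""Parse /etc/shadow records and evaluate their password-aging state.

Added example; not code from the book or from openSUSE. SAMPLE_SHADOW and
TODAY are constructed for the demo; the hash strings are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "Today" for the demo, in days since 1970-01-01 (constructed, not the real date).
TODAY = 19000

SAMPLE_SHADOW = """\
alice:$2y$10$placeholdersaltplaceholderhashvalue:18900:1:90:14:7::
bob:$1$saltsalt$placeholderhash:18500:0:99999:7:::
carol:!:18900:0:90:7:::
dave:$6$salt$placeholderhash:0:0:90:7:::
erin:$6$salt$placeholderhash:18950:0:90:7::18990:
frank:$6$salt$placeholderhash:18930:0:90:30:::
grace::18900:0:90:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]    # days since epoch; 0 = must change at next login
    min_days: Optional[int]       # minimum password age
    max_days: Optional[int]       # maximum password age; 99999 = never expires
    warn_days: Optional[int]      # warning period before expiry
    inactive_days: Optional[int]  # grace period after expiry before lockout
    expire_day: Optional[int]     # account expiry, days since epoch
    reserved: str


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(fields[0], fields[1], *map(_int_or_none, fields[2:8]), fields[8])


def hash_scheme(pw_hash: str) -> str:
    """Classify the password field by its crypt(3) prefix."""
    if pw_hash == "":
        return "empty"            # no password required at all
    if pw_hash[0] in "!*":
        return "locked"
    for prefix, name in (("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
                         ("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt")):
        if pw_hash.startswith(prefix):
            return name
    if len(pw_hash) == 13 and "$" not in pw_hash:
        return "des"              # traditional crypt(3), 8-character limit
    return "unknown"


def aging_state(e: ShadowEntry, today: int) -> str:
    """Mirror the order of checks a login performs against the shadow fields."""
    if hash_scheme(e.pw_hash) == "locked":
        return "locked"
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"          # account expiry wins over password age
    if e.last_change == 0:
        return "must-change"
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return "ok"                        # password aging disabled
    remaining = e.last_change + e.max_days - today
    if remaining < 0:
        if e.inactive_days is not None and -remaining > e.inactive_days:
            return "inactive"              # grace period used up: locked out
        return "expired"                   # still allowed in, must change now
    if e.warn_days is not None and remaining < e.warn_days:
        return "warn"
    return "ok"


def audit(shadow_text: str, today: int) -> Dict[str, Tuple[str, str]]:
    """Map username -> (hash scheme, aging state) for every record."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        result[e.name] = (hash_scheme(e.pw_hash), aging_state(e, today))
    return result


if __name__ == "__main__":
    for user, (scheme, state) in audit(SAMPLE_SHADOW, TODAY).items():
        print(f"{user:8} {scheme:12} {state}")
```

Two records are worth a second look: grace has an empty password field, which the parser reports separately because no aging rule will save an account that accepts any password, and bob's 99999 maximum age means the password never expires no matter how old it gets. Run it as root against the real file (audit(open("/etc/shadow").read(), days_since_epoch)) to get the same report for a live system.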
Selecting Passwords
Passwords have become a way of life with just about every computer user. There are system login passwords, web portal passwords, online banking passwords, ATM passwords—the list goes on, possibly forever. Yet it is undeniable that you need all these passwords to protect yourself, your money, your files, and all the other things that we password-protect.
Your Linux files are only as secure as your password, so it's important to select passwords carefully. Following are some very basic tips on making your passwords secure:
- Choose something easy for you to remember, but hard to guess.
- Don't use your name, address, birthday, pet's name, or any other well-known fact about you as a password. The story goes that heiress Paris Hilton had her cell phone's address book hacked because her password-reset hint was her pet's name. System administrators have been known to check user passwords with a personnel file in their hands, trying birth dates, spouses' names, and the like. Password-cracking tools do the same thing automatically, so assume anything findable about you is already on the attacker's word list.
- The longer the password, the better. By default, your system password must be at least five characters. With the Blowfish (bcrypt) password-hashing method (see the next section), the hash covers up to 72 characters of the password; anything beyond that is ignored. Length is the cheapest way to make a password stronger, and a long passphrase of several unrelated words is easier to remember than a short jumble.
- Always remember: Passwords are case sensitive. Use a combination of upper- and lowercase letters in nontypical locations. It's OK to start your password with a capital letter, but throw some in the miDdLe too.
- Always use a combination of letters, numbers, and special characters, but don't count on them for too much. T3st1n@ is only a little better than te$ting: cracking tools apply exactly these substitutions (3 for e, 1 for i, $ for s, and so on) to every dictionary word as a matter of routine, so a disguised word is still a dictionary word.
The trick is not getting too comfortable with one password, or with endless variations on a single theme. Even if you've got what you think is a bulletproof password, don't reuse it across systems; come up with a couple more. You never know when a password-cracking script will get lucky.
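To make the tips concrete, here is an added example (not the book's code, and not the pam_pwcheck or pam_cracklib implementation) that applies them to a candidate password. It undoes the usual disguises (case, trailing digits and symbols, leet substitutions) before comparing against a word list, which is why T3st1n@ and te$ting are both rejected. MIN_LENGTH, MIN_CLASSES and the tiny WORD_LIST are assumptions chosen for the demo; a real check would use a full dictionary.

```python
"""Plausibility checks for a candidate password, following the tips above.

Added example; not the book's code and not the pam_pwcheck/pam_cracklib
implementation. MIN_LENGTH, MIN_CLASSES and WORD_LIST are demo assumptions.
"""
import string
from typing import Iterable, List

MIN_LENGTH = 8      # assumption; the YaST default in the next section is lower
MIN_CLASSES = 3     # assumption: at least 3 of lower/upper/digit/special

# Substitutions that cracking tools try on every dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a real word list.
WORD_LIST = {"testing", "password", "secret", "letmein", "welcome", "qwerty"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means one typo or one substitution away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_word(pw: str) -> str:
    """Undo the usual disguises: case, leading/trailing digits and symbols, leet."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def check_password(pw: str, username: str = "", personal: Iterable[str] = ()) -> List[str]:
    """Return a list of problem codes; an empty list means the password passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too-short")
    groups = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    classes = sum(any(c in group for c in pw) for group in groups)
    if classes < MIN_CLASSES:
        problems.append("too-few-classes")
    core = core_word(pw)
    # Distance <= 1 catches the word itself and one-character variants of it.
    if core and any(edit_distance(core, w) <= 1 for w in WORD_LIST):
        problems.append("dictionary-word")
    if username and username.lower() in pw.lower():
        problems.append("contains-username")
    if any(item.lower() in pw.lower() for item in personal if item):
        problems.append("contains-personal-info")
    return problems


if __name__ == "__main__":
    for candidate in ("te$ting", "T3st1n@", "Password1!", "correct-horse-BATTERY-staple-42"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The personal argument is where the "personnel file" check goes: pass the user's birth year, pet's name and so on, and the function rejects any password that contains them, just as a cracker's word list would find them.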
User Authentication Settings with Pluggable Authentication Modules (PAM)
To quote the Linux-PAM System Administrator's Guide:
- It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated.
In short, Pluggable Authentication Modules (PAM) extend the traditional Unix/Linux principle of doing one thing well. If an application needs to confirm (authenticate) a user, it can call the PAM library instead of inventing its own mechanism, and the administrator decides in /etc/pam.d which modules that application actually uses.
The YaST Local Security Settings serve as a GUI front end for these PAM and login settings. Go to Security and Users in YaST and then to Local Security. On the first page, you can choose from three default configurations: Home Workstation (a standalone personal or family computer not connected to the Internet), Networked Workstation (for networked computers, either with other machines on a local area network or with an Internet connection), or Network Server (the highest level of security). Chances are you will want the Networked Workstation option as a base. You can certainly leave things at that, but perhaps you want to tweak the settings.
Table 19.1 shows the differences in settings between the three default configurations.
Table 19.1. YaST Default Security Settings

| Setting | Level 1 Home Workstation | Level 2 Networked Workstation | Level 3 Network Server |
|---|---|---|---|
| Checking New Passwords | N | Y | Y |
| Test for Complicated Password | N | N | N |
| Password Encryption Method | Blowfish | Blowfish | Blowfish |
| Minimum Acceptable Password Length | 5 | 5 | 6 |
| Minimum Days Between Password Changes | 0 | 1 | 1 |
| Maximum Days Before Password Must Change | 99999 | 99999 | 99999 |
| Days of Warning Before Password Expires | 7 | 14 | 14 |
| Ctrl+Alt+Del | Reboot | Ignore | Ignore |
| Shutdown Behavior | All Users | Only Root | Only Root |
| Delay After Incorrect Login Attempt (seconds) | 1 | 6 | 3 |
| Record Failed Logins | Y | Y | Y |
| Record Successful Logins | Y | Y | Y |
| Allow Remote Graphical Login | N | N | N |
| User ID Limitations | 1000–60000 | 1000–60000 | 1000–60000 |
| Group ID Limitations | 1000–60000 | 1000–60000 | 1000–60000 |
| Setting of File Permissions | Easy | Easy | Secure |
| User Launching UpdateDB | Root | Nobody | Nobody |
| Current Dir in Root's Path | Y | N | N |
| Current Dir in Path of Regular Users | Y | N | N |
| Enable Magic SysRq Keys | N | N | N |

The three password-aging rows correspond to PASS_MIN_DAYS, PASS_MAX_DAYS, and PASS_WARN_AGE in /etc/login.defs; new accounts inherit those values into the shadow fields described earlier, so a maximum of 99999 days means passwords never expire unless you change it.
To change any of these defaults, you must click Details. YaST will walk you through the four pages of settings.
Some of these items may be perplexing. Read the helpful descriptions for each setting in the left pane of the screen when deciding how to handle each setting. The following list looks at a few:
- Password Plausibility Test—Enforces some of the rules for passwords suggested in the previous section.
- Password Encryption Method—There are three. By default, YaST chooses the Blowfish method at all three levels. This is the bcrypt password hash, built on the open-source Blowfish cipher that security expert Bruce Schneier published in 1993. It is deliberately slow to compute and has an adjustable work factor, which is exactly what you want in a password hash: every guess in a brute-force attack costs the attacker the same time. (Newer openSUSE releases default to SHA-512 instead.) Data Encryption Standard (DES) is the original Unix crypt(3) method, based on the cipher the U.S. government standardized in the mid-1970s; passwords hashed this way are silently truncated to eight characters, so anything you type past the eighth character is ignored. MD5 transforms a data string of any length into a fixed-length value and has no such length limit, but it is fast, so brute-force guessing is cheap, and practical collisions in MD5 itself have been demonstrated since 2004. None of the three "encrypts" the password in a way that can be reversed: they are one-way hashes, and a login checks the password by hashing what you typed and comparing the result to the stored value.
- UpdateDB—This program runs daily and builds the index that the locate program searches. If Root runs UpdateDB, every file on the system is indexed, including files in directories ordinary users cannot read, and any user can then learn the names of those files with a plain locate query. If the system user Nobody runs it, only files that Nobody can see are indexed, so the index cannot leak more than a user could discover by browsing. Nobody is the safer choice.
- Magic SysRq—The SysRq key is usually located next to the Scroll Lock key on your keyboard. When used with the Alt key, it sends commands directly to the kernel and can permit an orderly sync and shutdown of a crashed system. The bad news is that anyone with physical access to the console of your healthy system can use the same keys to reboot or kill it instantly, without logging in. Given the rarity of system crashes, it is better to leave this disabled on any machine whose console is not under your control.