Set a Good Password Policy On SuSE Linux

Setting a good password policy is not always easy, and you may receive many complaints from end users, especially non-IT users. Left to themselves they like passwords such as "password" or "abc123", as easy as possible.

Personally I don't like pam_cracklib and I would prefer pam_passwdqc.

The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.

Here you go: SuSE Linux password policy.

Operating System: SLES 9
Required RPMs: pam-modules, pwdutils, openssh and coreutils

What the pam_passwdqc options used below mean: min=disabled,8,8,8,8 forbids passwords made from a single character class (N0=disabled) and requires at least 8 characters for two-, three- and four-class passwords and for passphrases (N1 to N4); max=25 caps the length (passwdqc's default is 40, so 25 also limits passphrases); retry=5 gives the user five attempts; ask_oldauthtok and check_oldauthtok make the module prompt for and verify the current password itself. passwdqc's default enforce=everyone means root is subject to the policy too. pam_tally denies an account after 5 consecutive failed logins (deny=5), resets the counter on a successful login (reset) and, with no_magic_root, counts root as well; the counters live in /var/log/faillog.

/etc/pam.d/passwd

auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     per_user deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so

/etc/pam.d/sshd

auth     required   pam_listfile.so  item=user sense=deny file=/etc/login.deny
auth     required   pam_tally.so     onerr=fail no_magic_root
auth     required   pam_unix2.so
auth     required   pam_nologin.so
auth     required   pam_env.so
account  required   pam_unix2.so
account  required   pam_nologin.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

pam_listfile denies the users named in /etc/login.deny. Its onerr option defaults to fail, so create that file (it may be empty) before installing this stack, otherwise every SSH login is refused because the module cannot open the list.

/etc/pam.d/login

auth     requisite  pam_unix2.so     nullok
auth     required   pam_securetty.so
auth     required   pam_nologin.so
auth     required   pam_env.so
auth     required   pam_mail.so
auth     required   pam_tally.so     onerr=fail no_magic_root
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     none
session  required   pam_limits.so

/etc/pam.d/su

auth     sufficient pam_rootok.so
auth     required   pam_unix2.so     nullok
account  required   pam_unix2.so
account  required   pam_tally.so     deny=5 no_magic_root reset
password required   pam_passwdqc.so  retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required   pam_pwcheck.so   use_first_pass use_authtok
password required   pam_unix2.so     use_first_pass use_authtok
session  required   pam_unix2.so     debug

The password lines are the same in all four files on purpose: if pam_pwcheck runs without use_first_pass and use_authtok it prompts for a new password of its own, and pam_unix2 (use_authtok) then stores that one, so the pam_passwdqc check is bypassed. Edit the PAM files from a root shell you keep open and test every change from a second session, since a typo here can lock everybody out, root included.
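To see what the min=disabled,8,8,8,8 max=25 line actually admits, here is an added Python model of pam_passwdqc's length and character-class rule, including its first-uppercase/last-digit exception and the passphrase fall-through. It is not the module's own code and covers only that rule: the real module also rejects candidates based on dictionary words, common character sequences or the old password, which this model does not do. PAGE_POLICY mirrors the line above; PHRASE_POLICY, the candidate strings and the reason texts are assumptions for the demonstration.

```python
"""Model of pam_passwdqc's length/character-class rule (added example)."""

# Policy from the pam_passwdqc line above: min=disabled,8,8,8,8 max=25.
# Index 0..4 hold passwdqc's N0..N4; None stands for "disabled".
# passphrase_words=3 is passwdqc's default for the passphrase= option.
PAGE_POLICY = {"min": (None, 8, 8, 8, 8), "max": 25, "passphrase_words": 3}
# Assumed alternative policy that lets short passphrases through (N2 < N1).
PHRASE_POLICY = {"min": (None, 12, 8, 8, 8), "max": 40, "passphrase_words": 3}

TOO_SHORT = "too short"
TOO_LONG = "too long"
TOO_SIMPLE = "not enough different characters or classes for this length"


def classify(password):
    """Count character classes and words the way passwdqc's is_simple() does.

    Classes are digits, lower-case, upper-case and "other".  As in passwdqc,
    an upper-case letter used as the first character and a digit used as the
    last character do not count, so "Password1" is a one-class password.
    A word starts wherever a letter follows a non-letter.
    Assumption: ASCII input (passwdqc treats non-ASCII bytes as a fifth class).
    """
    digits = lowers = uppers = others = words = 0
    prev_alpha = False
    for ch in password:
        if ch.isdigit():
            digits += 1
        elif ch.islower():
            lowers += 1
        elif ch.isupper():
            uppers += 1
        else:
            others += 1
        if ch.isalpha() and not prev_alpha:
            words += 1
        prev_alpha = ch.isalpha()
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    classes = bool(digits) + bool(lowers) + bool(uppers) + bool(others)
    return classes, words


def check(password, policy=PAGE_POLICY):
    """Return None if the candidate passes, otherwise a passwdqc-style reason."""
    mins = policy["min"]
    length = len(password)
    # passwdqc insists N0 >= N1 >= ... >= N4, so the smallest enabled value is
    # the absolute minimum and anything shorter is rejected outright.
    if length < min(m for m in mins if m is not None):
        return TOO_SHORT
    if length > policy["max"]:
        return TOO_LONG
    classes, words = classify(password)

    def meets(n):
        return mins[n] is not None and length >= mins[n]

    # passwdqc applies the rule for the password's own class count first and
    # then falls through to the rules for fewer classes.
    for c in range(classes, 0, -1):
        if c == 4 and meets(4):
            return None
        if c == 3 and meets(3):
            return None
        if c == 2:
            if meets(1):
                return None
            # N2 is the passphrase rule: enough words and at least N2 long.
            if words >= policy["passphrase_words"] and meets(2):
                return None
        if c == 1 and meets(0):
            return None
    return TOO_SIMPLE


if __name__ == "__main__":
    for candidate in ("password", "Password1", "xk7#pqtr", "aB3#",
                      "correct horse battery staple"):
        print(f"{candidate!r:32} -> {check(candidate) or 'OK'}")
    print(f"{'ab cd ef'!r:32} -> {check('ab cd ef', PHRASE_POLICY) or 'OK'} (PHRASE_POLICY)")
```

Note the two results that surprise users most: "Password1" is rejected because the leading capital and trailing digit are not counted, and a four-word passphrase is rejected by max=25 before its strength is even considered.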

How To Check Which Ports Are Listening or Open on Linux

For security reasons you may run SSH or another service on a non-standard port on a Linux server. Sometimes it is important to know which ports are actually listening or open on the network, because every open port is a possible entry point for intrusion or hacking.

There are a few methods to see which ports are open on Linux.

Option 1:
Check the /etc/services file. Note that this file is only a table mapping service names to well-known port numbers; it does not show what is actually listening. Use it to put a name to a port number that netstat or lsof reports:
planetmy:/ # grep -w xxx /etc/services (xxx = port number)

For port 22 you should see:
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol

Option 2:
Use the netstat command - print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. -a includes listening sockets, -n skips name lookups and -p (as root) shows the owning process:

planetmy:/ # netstat -anp | grep ':22 '
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7110/sshd

A line in the LISTEN state means the port is open and listening on the network. Match on ':22 ' rather than a bare 22, otherwise PIDs, inodes and ports such as 2222 or 1022 match as well. On newer distributions ss -tlnp gives the same information.

Option 3:
Use the lsof command - list open files, including network sockets (-i); -n and -P keep addresses and ports numeric:

planetmy:/ # lsof -i -n -P | grep ':631'
cupsd 17934 lp 0u IPv4 56540196 TCP *:631 (LISTEN)
cupsd 17934 lp 2u IPv4 56540197 UDP *:631
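netstat and lsof take their LISTEN information from /proc/net/tcp and /proc/net/tcp6, so a script can read the same table directly, which is useful on a minimal host or one where you would rather not trust the installed netstat binary. The parser below is an added Python example, not from the original post: it decodes the kernel's hex address:port fields, keeps only sockets in state 0A (LISTEN) and returns the owning uid and socket inode (the inode is what netstat -p and lsof match against /proc/<pid>/fd to name the process). The sample table embedded in it is constructed for the demonstration and assumes a little-endian (x86) host.

```python
"""Find listening TCP sockets by reading /proc/net/tcp (added example)."""
import ipaddress
import os

TCP_LISTEN = 0x0A  # socket state code for LISTEN (include/net/tcp_states.h)

# Constructed sample of /proc/net/tcp on a little-endian (x86) host: sshd on
# 0.0.0.0:22, cupsd on 127.0.0.1:631, and one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9121 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     4        0 9350 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:0016 6601A8C0:C2A4 01 00000000:00000000 02:000A1B2C 00000000     0        0 9876 2 0000000000000000 20 4 31 10 -1
"""


def decode_endpoint(field):
    """Turn the kernel's HEXADDR:HEXPORT field into (ip_string, port).

    The kernel prints each 32-bit address word as a host-order integer, so on
    little-endian machines the bytes of an IPv4 address come out reversed;
    an IPv6 address is four such words.
    """
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    ip = ipaddress.ip_address(b"".join(words))
    return str(ip), int(port_hex, 16)


def listening_sockets(text):
    """Parse /proc/net/tcp (or tcp6) text and return the LISTEN sockets."""
    found = []
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[3], 16) != TCP_LISTEN:      # column "st"
            continue
        ip, port = decode_endpoint(fields[1])     # column "local_address"
        found.append({"ip": ip, "port": port,
                      "uid": int(fields[7]),      # owner of the socket
                      "inode": int(fields[9])})   # target of /proc/<pid>/fd links
    return found


def is_listening(text, port):
    """True if some socket in the table is in LISTEN state on the given port."""
    return any(s["port"] == port for s in listening_sockets(text))


def live_listening_sockets():
    """Read the running kernel's tables; empty list where /proc is unavailable."""
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found.extend(listening_sockets(fh.read()))
        except OSError:
            pass
    return found


if __name__ == "__main__":
    for sock in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"{sock['ip']}:{sock['port']}  uid={sock['uid']} inode={sock['inode']}")
```

Because the check is on the state column rather than a grep for the port number, an established connection from port 22 (the third sample line) is not mistaken for a listener.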

How To Force a User to Change Password At Next Login on Linux

My previous post talked about How To Show Linux User Password Expires. I would like to share how to force a user to change their password at next login on Linux.

Option 1:
passwd command - change user password
Use the following syntax:
passwd -e <username>

  • -e Force the user to change their password at next login

Setting the password to expire for user test

planetmy:~ # passwd -e test
planetmy:~ # chage -l test
Minimum: 0
Maximum: 90
Warning: 7
Inactive: -1
Last Change: Unknown, password is forced to change at next login
Password Expires: Never
Password Inactive: Never
Account Expires: Sep 11, 2008

Log in as user 'test'
login as: test
Using keyboard-interactive authentication.
Password:
Using keyboard-interactive authentication.
Password change requested. Choose a new password.
Old Password:
Using keyboard-interactive authentication.
New Password:
Using keyboard-interactive authentication.
Reenter New Password:
Last login: Thu Sep 11 10:13:22 2008 from 192.168.1.102
test@planetmy:/>

Note: This applies to SuSE Linux 9 and 10 but NOT Red Hat Linux. On Red Hat and other shadow-utils based systems, chage -d 0 <username> has the same effect: both commands set the last-change field of the user's /etc/shadow entry to 0, which is what chage -l above reports as "password is forced to change at next login".
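Both passwd -e and chage -d 0 work by writing 0 into the third (last-change) field of the user's /etc/shadow entry, and chage -l builds its report from the same fields. The Python below is an added example, not from the post: it parses shadow(5) lines, reports which accounts are forced to change, locked, or due to expire, and shows the single-field edit the tools make. The shadow lines in it are constructed (hashes shortened) and not from any real system; the real tools also lock the file and preserve permissions, which this illustration does not attempt.

```python
"""Inspect /etc/shadow aging fields, the data passwd -e and chage act on (added example)."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_MAX = 99999  # shadow-utils' conventional "password never expires" maximum

# Constructed sample in shadow(5) format:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# 14123 = 2008-09-01 and 14133 = 2008-09-11 as days since the epoch.
SAMPLE_SHADOW = """\
root:$2a$05$abcdefghijklmnopqrstuv:14123:0:90:7:::
test:$2a$05$abcdefghijklmnopqrstuv:0:0:90:7::14133:
daemon:*:14123:0:99999:7:::
guest:!$2a$05$abcdefghijklmnopqrstuv:14100:0:90:7:::
"""


def _days(field):
    """Convert a days-since-epoch field to a date; empty field means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_shadow(text):
    """Return {user: aging-state dict} for every entry in the shadow text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            continue
        name, pw, lastchg, min_, max_, warn, inactive, expire = f[:8]
        entry = {
            # "!" or "*" in front of the hash means the password cannot be used
            "locked": pw.startswith(("!", "*")),
            # lastchg == 0 is the flag passwd -e / chage -d 0 set:
            # "must change at next login"; an empty field disables aging
            "forced_change": lastchg == "0",
            "aging_disabled": lastchg == "",
            "last_change": _days(lastchg) if lastchg != "0" else None,
            "max_days": int(max_) if max_ else None,
            "account_expires": _days(expire),
            "password_expires": None,
        }
        if (entry["last_change"] and entry["max_days"] is not None
                and entry["max_days"] < NO_MAX):
            entry["password_expires"] = entry["last_change"] + timedelta(days=entry["max_days"])
        entries[name] = entry
    return entries


def force_change(text, user):
    """Return the shadow text with the user's lastchg field set to 0.

    This is the edit `passwd -e user` (SuSE) or `chage -d 0 user` performs;
    it only illustrates the effect and is not a replacement for those tools.
    """
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 8 and f[0] == user:
            f[2] = "0"
            line = ":".join(f)
        out.append(line)
    return "\n".join(out) + "\n"


def needs_change(text):
    """Sorted list of accounts whose password must be changed at next login."""
    return sorted(n for n, e in parse_shadow(text).items() if e["forced_change"])


if __name__ == "__main__":
    for user, e in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} locked={e['locked']} forced={e['forced_change']} "
              f"last={e['last_change']} pw_expires={e['password_expires']} "
              f"account_expires={e['account_expires']}")
```

Running needs_change() over the real file (as root) is a quick audit of which accounts are still waiting to pick a new password after a forced change.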

Why Google Chrome Does Not Support Linux or Mac Yet

As you know, the Google Chrome browser was launched a few days ago. According to Google, Google Chrome is an open source browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier, and it is only available for Windows XP and Vista.

Why? Why does Google Chrome not support Linux or Mac yet? Why does an open source browser not work on an open source operating system? In fact, Google engineers tell us they are working hard on building Google Chrome versions for Mac and Linux too. But when, and why not yet?

Personally I would say Google may have the following reasons for not releasing Google Chrome for Linux or Mac for the time being:

  • Pre-installed plugin problems on Linux, especially across the many different Linux distributions; it even happens to the Firefox browser. Type about:plugins in your Google Chrome browser and you will see more details.
  • Linux and Mac desktop market share is still low and the majority is Microsoft Windows.

How to Disable the CTRL-ALT-DEL Shutdown Key on a Linux Server

[Ctrl]-[Alt]-[Delete] is a key combination that reboots the server without having to log on, which becomes a problem when somebody accidentally presses it on a production Linux server console. To prevent the use of the [Ctrl]-[Alt]-[Delete] key combination on a production server, we MUST disable it.

This is configured in the /etc/inittab file, the main configuration file of /sbin/init, which is executed by the kernel at startup. It describes which scripts are used for the different run levels and which command init runs when the kernel reports the ctrlaltdel key combination. Edit /etc/inittab and comment out (or remove) the ctrlaltdel entry.

Edit configuration file:
# vi /etc/inittab

Search for line:
ca::ctrlaltdel:/sbin/shutdown -r -t 4 now

Remove the line or comment out the above line by putting a hash mark (#) in front of it:
#ca::ctrlaltdel:/sbin/shutdown -r -t 4 now

Save the file and exit to the shell prompt:
:wq!

init only re-reads /etc/inittab when asked, so run telinit q afterwards to apply the change without a reboot. If operators still need the key, the alternative is sysvinit's shutdown -a with /etc/shutdown.allow, which honours the key only when one of the users listed there is logged in on a console.

Planet Malaysia
