Set a Good Password Policy On SuSE Linux
Sometimes setting a good password policy is not easy, and you may receive many complaints from end users, especially non-IT users. Normally they want a password that is as easy as possible, such as password or abc123.
Personally I don't like pam_cracklib and I would prefer pam_passwdqc.
The pam_passwdqc module is a simple password strength checking module for PAM. In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated ones.
The pam_passwdqc module provides functionality for only one PAM management group: password changing. In terms of the module-type parameter, this is the "password" feature.
Here you go: SuSE Linux Password Policy.
Operating System: SLES 9
Required RPM: pam-modules, pwdutils, openssh and coreutils
/etc/pam.d/passwd
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so per_user deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
/etc/pam.d/sshd
auth required pam_listfile.so item=user sense=deny file=/etc/login.deny
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_unix2.so
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/login
auth requisite pam_unix2.so nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
auth required pam_tally.so onerr=fail no_magic_root
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so use_first_pass use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
/etc/pam.d/su
auth sufficient pam_rootok.so
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so debug
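One way to check a stack like the ones above, as an added example that is not part of the original post: this Python script parses a PAM service file and reports nullok options, a pam_passwdqc min= list whose lengths increase, modules stacked after pam_passwdqc.so without use_authtok, and a missing pam_tally deny= threshold. The function names and the rule that later password modules should carry use_authtok are assumptions of this example; the sample input is the /etc/pam.d/su stack from the post.

```python
# Added example, not from the original post: audit one PAM service file.
# Constructed input: the /etc/pam.d/su stack from the post, one rule per line.
SAMPLE_SU = """\
auth sufficient pam_rootok.so
auth required pam_unix2.so nullok
account required pam_unix2.so
account required pam_tally.so deny=5 no_magic_root reset
password required pam_passwdqc.so retry=5 ask_oldauthtok check_oldauthtok min=disabled,8,8,8,8 max=25
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session required pam_unix2.so debug
"""

def parse_pam(text):
    """Split each non-comment line into (type, control, module, [args])."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    rules, findings = parse_pam(text), []
    for kind, _, module, args in rules:
        if "nullok" in args:
            findings.append(f"{kind} {module}: nullok tolerates empty passwords")
    password = [r for r in rules if r[0] == "password"]
    qc = [i for i, r in enumerate(password) if r[2] == "pam_passwdqc.so"]
    if not qc:
        findings.append("password: pam_passwdqc.so is missing")
    else:
        opts = dict(a.split("=", 1) for a in password[qc[0]][3] if "=" in a)
        mins = [m for m in opts.get("min", "").split(",") if m != "disabled"]
        if any(int(a) < int(b) for a, b in zip(mins, mins[1:])):
            findings.append("pam_passwdqc.so: min= lengths must not increase")
        # Assumption: later modules need use_authtok to reuse the checked password.
        for _, _, module, args in password[qc[0] + 1:]:
            if "use_authtok" not in args:
                findings.append(f"password {module}: use_authtok is not set")
    deny = [a for kind, _, module, args in rules for a in args
            if kind == "account" and module == "pam_tally.so" and a.startswith("deny=")]
    if not deny:
        findings.append("account: pam_tally.so has no deny= threshold")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SU)))
```

Run against the su stack it reports four findings: three nullok options and pam_pwcheck.so stacked after pam_passwdqc.so without use_authtok.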
SLED and SLES 11 Beta Testing Opportunity
Act Now!
Beta Testing Opportunity: SLED/SLES 11
The Novell Beta Program is accepting applications to beta test SUSE Linux Enterprise software.
The beta testing will run from September until February. If you are interested in applying for the beta, complete an application:
All applications must be submitted by Sunday, September 7.
Basically you're required to fill in a survey and enter your details for further approval.
Using Active Directory for SuSE Linux 10 Authentication
My previous posts, How to Authenticate to Active Directory on SuSE Linux 9 and How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory, talked about using Microsoft Active Directory (AD) for Linux authentication. Yes! Linux & Microsoft can be friends.
Now we talk about SuSE Linux 10 and Microsoft AD authentication.
Basically everything is the same as on SLES 9 except the PAM configuration.
Note: This setup is running on SLES10 SP2 (it should work on SP1).
Below is the PAM configuration for SLES10:
/etc/pam.d/common-password
password sufficient pam_winbind.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_authtok
/etc/pam.d/common-account
account required pam_unix2.so
/etc/pam.d/common-session
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
/etc/pam.d/common-auth
auth required pam_env.so
auth required pam_unix2.so
/etc/pam.d/passwd
auth include common-auth
account include common-account
password include common-password
session include common-session
/etc/pam.d/sshd
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
/etc/pam.d/login
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
/etc/pam.d/su
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session include common-session
session optional pam_xauth.so
/etc/pam.d/sudo
auth include common-auth
account include common-account
password include common-password
session include common-session
/etc/security/pam_unix2.conf
auth: call_modules=winbind
account: call_modules=winbind
password: call_modules=winbind
session: none
How To Disable ipv6 on SuSE Linux
For some strange reason, ipv6 is switched ON by default in SuSE Linux.
To check whether you are currently running ipv6, run the following command as root:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0F:1F:89:8F:D5
inet addr:192.168.1.100 Bcast:140.171.243.255 Mask:255.255.254.0
inet6 addr: fe80::20f:1fff:fe89:8fd5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:33386388 errors:0 dropped:0 overruns:0 frame:0
TX packets:2947979 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2211978470 (2109.5 Mb) TX bytes:380978644 (363.3 Mb)
Base address:0xdf40 Memory:feae0000-feb00000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:895 errors:0 dropped:0 overruns:0 frame:0
TX packets:895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:76527 (74.7 Kb) TX bytes:76527 (74.7 Kb)
If you have lines containing inet6 as above, then your machine IS running ipv6.
How to disable ipv6 on SuSE Linux
To disable ipv6 completely, run the following commands as root:
# echo "alias net-pf-10 off" >> /etc/modprobe.conf.local
# echo "alias ipv6 off" >> /etc/modprobe.conf.local
Restart the machine.
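To verify the result after the restart, here is an added example that is not part of the original post: it lists the inet6 addresses per interface from ifconfig output and checks that both alias lines in /etc/modprobe.conf.local are present as plain lines. The function names and the modprobe sample are constructed for this example; a line that is commented out or pasted with typographic quotes is reported as ineffective.

```python
# Added example, not from the original post. Inputs are constructed samples.
# ifconfig text trimmed from the output shown in the post.
IFCONFIG = """\
eth0 Link encap:Ethernet HWaddr 00:0F:1F:89:8F:D5
inet addr:192.168.1.100 Bcast:140.171.243.255 Mask:255.255.254.0
inet6 addr: fe80::20f:1fff:fe89:8fd5/64 Scope:Link
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
"""
# A modprobe.conf.local where one line was pasted with typographic quotes.
MODPROBE = "alias net-pf-10 off\n\u201calias ipv6 off\u201d\n"
REQUIRED = ("alias net-pf-10 off", "alias ipv6 off")

def inet6_addresses(ifconfig_text):
    """Map each interface to the inet6 addresses listed under it."""
    found, iface = {}, None
    for line in ifconfig_text.splitlines():
        words = line.split()
        if len(words) > 1 and words[1] == "Link":
            iface = words[0]          # start of a new interface block
        elif words[:2] == ["inet6", "addr:"] and iface and len(words) > 2:
            found.setdefault(iface, []).append(words[2])
    return found

def modprobe_status(conf_text):
    """Classify each required alias line as ok, ineffective or missing."""
    lines = [" ".join(line.split()) for line in conf_text.splitlines()]
    status = {}
    for want in REQUIRED:
        if want in lines:
            status[want] = "ok"
        elif any(want in line for line in lines):
            status[want] = "ineffective"  # commented out or wrapped in quotes
        else:
            status[want] = "missing"
    return status

if __name__ == "__main__":
    print(inet6_addresses(IFCONFIG))
    print(modprobe_status(MODPROBE))
```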
How to Authenticate to Active Directory on SuSE Linux 9
My previous post, How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory, which I believe was helpful, is getting a lot of traffic from the Google search engine.
The following article, "How to Authenticate to Active Directory on SuSE Linux 9", focuses on how to join an AD domain and authenticate against it, using SLES9 SP3 running on my virtual machine.
Basically the setup details are:
SLES9: 192.168.1.10
Windows 2003 Server: 192.168.1.1
Required RPM: heimdal-lib(kerberos), samba-client, samba-winbind, samba, sudo, xntp, glibc, pwdutils, openssh.
A. Time synchronization
Ensure the clocks on your SLES9 host and AD are synchronized. Type: # rcxntpd start
B. Kerberos setup
Edit /etc/krb5.conf
[libdefaults]
default_realm = AD.YOURDOMAIN.COM
clockskew = 300
[realms]
AD.YOURDOMAIN.COM = {
kdc = ad01.ad.yourdomain.com
default_domain = ad.yourdomain.com
admin_server = ad01.ad.yourdomain.com
}
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.ad.yourdomain.com = AD.YOURDOMAIN.COM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
try_first_pass = true
}
Note: Be careful here. The configuration is CASE SENSITIVE, and please make sure the two hosts can ping each other.
C. Samba setup
Edit /etc/samba/smb.conf
[global]
winbind separator = +
winbind cache time = 10
winbind use default domain = yes
workgroup = ADYOUDOMAIN
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = AD.YOURDOMAIN.COM
security = ADS
template homedir = /home/%U
template shell = /bin/bash
password server = server.example.com
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n Retype*new*password*%n\n*password:*all*authentication*tokens*updated*successfully
Pam password change = Yes
The example shown above is not complete. Please focus on the realm and security settings.
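Because the realm name has to match exactly in both files, here is an added example (not part of the original post) that cross-checks krb5.conf against smb.conf: default_realm must have a [realms] entry and a [domain_realm] mapping, and smb.conf must carry the same realm with security = ADS. The function names are hypothetical, the inputs are abbreviated from the post's two files, and the upper-case check is an assumption based on how Active Directory realm names are conventionally written.

```python
# Added example, not from the original post; inputs are constructed from its configs.
KRB5 = """\
[libdefaults]
default_realm = AD.YOURDOMAIN.COM
[realms]
AD.YOURDOMAIN.COM = {
kdc = ad01.ad.yourdomain.com
}
[domain_realm]
.ad.yourdomain.com = AD.YOURDOMAIN.COM
"""
SMB = """\
[global]
realm = AD.YOURDOMAIN.COM
security = ADS
"""

def parse_sections(text):
    """Return {section: {key: value}}; keys inside a '{ }' block are skipped."""
    data, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = data.setdefault(line[1:-1], {})
        elif line == "}":
            depth -= 1
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                section[key] = value
            depth += value == "{"  # a 'NAME = {' line opens a nested block
    return data

def check_realm(krb5_text, smb_text):
    """Return a list of problems; an empty list means the files agree."""
    krb, smb = parse_sections(krb5_text), parse_sections(smb_text).get("global", {})
    realm = krb.get("libdefaults", {}).get("default_realm", "")
    # Assumption: Active Directory realm names are written in upper case.
    checks = [
        (bool(realm) and realm == realm.upper(), "default_realm is missing or not upper case"),
        (realm in krb.get("realms", {}), "default_realm has no matching [realms] entry"),
        (realm in krb.get("domain_realm", {}).values(), "no [domain_realm] entry maps to default_realm"),
        (smb.get("realm") == realm, "smb.conf realm differs from default_realm"),
        (smb.get("security", "").upper() == "ADS", "smb.conf security is not ADS"),
    ]
    return [message for ok, message in checks if not ok]

if __name__ == "__main__":
    print(check_realm(KRB5, SMB) or "realm settings are consistent")
```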