Setting a password policy

Clark, Patti clarkp at osti.gov
Wed Jul 15 13:09:47 UTC 2009


> Date: Tue, 14 Jul 2009 15:47:03 +0300
> From: a bv <vbavbalist at gmail.com>
> Subject: Re: Setting a password policy
> To: General Red Hat Linux discussion list <redhat-list at redhat.com>
> Message-ID:
>       <525320ef0907140547x61f6ea79hde4dd7d49b88e2ed at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi
>
> I'm trying to set password policies on my Redhat EL 3,4,5 boxes. I use
> the http://brandonhutchinson.com/wiki/Linux_Password_Policy link and
> also found your http://sial.org/howto/linux/pam_tally/ .
>
> For the /var/log/faillog part I've found that there is already a file
> on a Redhat 5 box (with a size), but it doesn't exist on a 4 box. So I created
> it on Redhat 4 as given, but the log file size is 0. Also when I try
> to cat or more the faillog file on the 5 box which has a size, it brings
> nothing.
> So how can I make the system log the failed attempts?
>
> Regards
>
> 2009/7/3, Daniel Carrillo <daniel.carrillo at gmail.com>:
> > 2009/7/3 a bv <vbavbalist at gmail.com>:
> >> Hi list,
> >>
> >> I'm in need of setting a password policy on some Redhat EL 3,4,5 x.
> >> I'm giving the policy below and I'm asked if this is possible and if
> >> so, how.
> >>
> >> -Passwords to change every 90 days instead of 180
> >> -Password change must be forced by the system
> >
> > As root:
> > $> chage -M 90 user_login
> >
> >> -Password length must be at least 6 characters long
> >> -Last 3 passwords to be remembered by the system and don't let these
> >> be used at the password change
> >> - When 6 logon attempt failures occur, the system is to lock that ID/user
> >> -Complexity (optional)
> >
> > This behaviour (and something else) is managed by pam modules:
> >
> > http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/ch-pam.html
> >
> > Hope this helps.
> >
> ------------------------------
>
> Message: 2
> Date: Tue, 14 Jul 2009 14:57:28 +0200
> From: Daniel Carrillo <daniel.carrillo at gmail.com>
> Subject: Re: Setting a password policy
> To: General Red Hat Linux discussion list <redhat-list at redhat.com>
> Message-ID:
>       <a8dd8ba40907140557u2dc07632y2ee5a5e531fb4218 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> 2009/7/14 a bv <vbavbalist at gmail.com>:
> > Hi
> >
> > I'm trying to set password policies on my Redhat EL 3,4,5 boxes. I use
> > the http://brandonhutchinson.com/wiki/Linux_Password_Policy link and
> > also found your http://sial.org/howto/linux/pam_tally/ .
> >
> > For the /var/log/faillog part I've found that there is already a file
> > on a Redhat 5 box (with a size), but it doesn't exist on a 4 box. So I created
> > it on Redhat 4 as given, but the log file size is 0. Also when I try
> > to cat or more the faillog file on the 5 box which has a size, it brings
> > nothing.
> > So how can I make the system log the failed attempts?
>
> I'm not sure I understand you. But you can see the failed logins in
> /var/log/secure
>
> Hope this helps.
>
>
>
> ------------------------------
Most everything password is handled by PAM.  Each version of RHEL has a different version of PAM.  As with most software, the features changed over time.  More than likely the version of PAM for RHEL3 will not do most of what you want.  In RHEL4 you have to manually set up the pam tally features including putting the faillog file in /var/log.  Once the pam tally entries are made and successfully tested, there will be entries in the faillog file.  While /var/log/secure and /var/log/messages will report on failed login attempts, the /var/log/faillog file is where the locking of the accounts is managed.  If you set it up to lock an account after 5 failed attempts, it's here that information is kept and will lock the user account.  It is here that you unlock the user account.  The faillog file is not an ascii text file and cannot be managed as such.  There is a PAM Red Hat list where the archives speak to much of your questions with details and you will receive more informed responses to your posts.

Patti Clark - RHCT, GSEC
Sr. Linux/UNIX System Administrator
Office of Scientific and Technical Information
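An added illustration of the point above that /var/log/faillog is binary and cannot be read with cat or more (this is not code from the thread, Red Hat, or shadow-utils): a decoder for the per-UID records, assuming the struct faillog layout that shadow-utils and pam_tally share, with a constructed sample image; the `deny` argument stands in for pam_tally's deny= setting.

```python
import struct
from dataclasses import dataclass
from typing import Dict

# Assumed layout: shadow-utils' struct faillog, one fixed-size slot per UID:
#   short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
# The UID is the slot's position, not a field, so the file is sparse and mostly zero
# bytes (which is why cat/more show nothing); time_t/long widths follow the ABI.
LAYOUTS = {"x86_64": "<hh12sqq", "i386": "<hh12sll"}  # 32-byte and 24-byte slots

@dataclass
class FailRecord:
    uid: int
    fail_cnt: int       # failures since the last successful login
    fail_max: int       # per-user limit set with faillog -m (0 = none)
    fail_line: str      # tty/pty of the last failure
    fail_time: int      # epoch seconds of the last failure
    fail_locktime: int  # seconds after which the lock lapses (0 = until reset)

    def locked(self, deny: int, now: int) -> bool:
        """Denied if the count reached deny= (or fail_max) and any lock window is still open."""
        limits = [n for n in (deny, self.fail_max) if n > 0]
        if not limits or self.fail_cnt < min(limits):
            return False
        return self.fail_locktime == 0 or now - self.fail_time < self.fail_locktime

def parse_faillog(data: bytes, layout: str = "x86_64") -> Dict[int, FailRecord]:
    """Decode a faillog image into {uid: record}, skipping all-zero slots."""
    fmt, size = LAYOUTS[layout], struct.calcsize(LAYOUTS[layout])
    if len(data) % size:
        raise ValueError(f"{len(data)} bytes is not a whole number of {size}-byte slots")
    records: Dict[int, FailRecord] = {}
    for uid, off in enumerate(range(0, len(data), size)):
        cnt, fmax, line, ftime, locktime = struct.unpack_from(fmt, data, off)
        if cnt or ftime:  # an all-zero slot means no failures recorded for this UID
            tty = line.split(b"\0", 1)[0].decode("ascii", "replace")
            records[uid] = FailRecord(uid, cnt, fmax, tty, ftime, locktime)
    return records

def pack_record(cnt, fmax, tty, ftime, locktime, layout="x86_64") -> bytes:
    return struct.pack(LAYOUTS[layout], cnt, fmax, tty.encode(), ftime, locktime)

# Constructed sample image (not a real faillog); deny=6 matches the policy asked for.
NOW = 1247660000
SAMPLE_FAILLOG = (
    bytes(32)                                      # uid 0 (root): never failed
    + pack_record(2, 0, "pts/1", NOW - 60, 0)      # uid 1: two bad passwords, still open
    + pack_record(6, 0, "tty1", NOW - 30, 0)       # uid 2: reached deny=6, locked until reset
    + pack_record(6, 0, "pts/3", NOW - 7200, 600)  # uid 3: reached the limit, but lock lapsed
)
```

On a real box, pass the contents of /var/log/faillog and the layout matching the machine's architecture; uid 0 deliberately stays open so the root check pam_tally does separately is not reproduced here.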
