password management policy 2

Apr 29, 2003
Hi,
I need to implement a password management policy for all users. The policy covers min/max password length, expiration time and so on...
Do I have to manually modify the /etc/security/user file, or is there a command that does it?
I want to exclude root from this policy. I'm afraid that if the password expires and the account is then locked, I'll face problems with crontab schedules and NFS exported directories.

Thanks in advance.
 
Edit the default stanza to establish a baseline for all your users. Update individual users, such as root, through smit for the exceptions to the default rule(s).
 
If you're not happy hacking such an important file, you can use
Code:
chsec -f /etc/security/user -s default -a attr=value

An example from my box hardening script is
Code:
###################
#First set defaults
###################
# $d_string is a suffix (e.g. a date stamp) set earlier in the script; not shown here
cp /etc/security/user /etc/security/user.$d_string
chsec -f /etc/security/user -s default \
     -a maxage=13 \
     -a maxrepeats=2 \
     -a minalpha=5 \
     -a minother=1 \
     -a mindiff=3 \
     -a histexpire=26 \
     -a histsize=8 \
     -a minage=0 \
     -a maxexpired=4 \
     -a minlen=8 \
     -a pwdwarntime=14 \
     -a admin=false \
     -a login=true \
     -a daemon=true \
     -a rlogin=true \
     -a sugroups=ALL \
     -a ttys=ALL \
     -a auth1=SYSTEM \
     -a auth2=NONE \
     -a umask=\027


Ceci n'est pas une signature
Columb Healy
 
Thanks for the past reply.
The users without a password (the ones with * in /etc/passwd) will not be subject to these policies since they don't have a password, right?
I mean users snapp, nuucp, lp, ipsec, invscout, sshd and so on.
Also, do I have to create new stanzas without these policies for the users sys, nobody and guest?

Thanks again.
 
The policy rules apply when the user logs in and/or changes their password. As such, this will not affect the users you list. However, from the same box hardening script I have
Code:
################
# remove logins for admin type users
################
for user in daemon lpd sys adm nobody bin
do
  chuser login=false rlogin=false $user
done
That helps keep the auditors off my back.

Columb Healy
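Added example, not code from the thread or from Columb's hardening script: a small Python audit of the approach described in the two posts above. It parses the /etc/security/user stanza format, resolves each user's effective attributes (the user's own stanza overrides the default stanza, which is how AIX applies them), checks them against a baseline, and lists system accounts whose login/rlogin are still enabled, which is what an auditor would look for. The sample file contents, the baseline thresholds and the account names are constructed assumptions for this example; the attribute names are the real /etc/security/user ones.

```python
"""Audit an AIX /etc/security/user stanza file against a password baseline.

Added example (not from the thread). Parses the stanza format, resolves each
user's effective attributes (user stanza overrides the default stanza) and
reports deviations from a baseline plus system accounts still allowed to log in.
"""
import re

# Constructed sample: a trimmed /etc/security/user with a hardened default
# stanza and a few per-user overrides (real files carry many more attributes).
SAMPLE_USER_FILE = """\
* /etc/security/user (sample, constructed for this example)
default:
\tadmin = false
\tlogin = true
\trlogin = true
\tmaxage = 13
\tminlen = 8
\tminother = 1
\thistsize = 8
\tloginretries = 3

root:
\tadmin = true
\tlogin = true
\trlogin = false
\tmaxage = 0

daemon:
\tadmin = true
\tlogin = false
\trlogin = false

nobody:
\tadmin = true

appuser:
\tminlen = 6
\tmaxage = 52
"""

def parse_stanzas(text):
    """Return {stanza_name: {attr: value}} from AIX stanza-file text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+):", line)
        if m:                                     # "name:" opens a stanza
            current = m.group(1)
            stanzas[current] = {}
            continue
        if current is not None and "=" in line:   # "attr = value" inside a stanza
            attr, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][attr] = value
    return stanzas

def effective_attrs(stanzas, user):
    """Merge the default stanza with the user's own stanza (the user's values win)."""
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))
    return merged

# Baseline (assumed for the example): attribute -> (check on int value, rule text)
BASELINE = {
    "minlen":       (lambda v: v >= 8,       "minlen >= 8"),
    "maxage":       (lambda v: 0 < v <= 13,  "maxage between 1 and 13 weeks"),
    "minother":     (lambda v: v >= 1,       "minother >= 1"),
    "histsize":     (lambda v: v >= 8,       "histsize >= 8"),
    "loginretries": (lambda v: 0 < v <= 5,   "loginretries between 1 and 5"),
}

def audit_user(stanzas, user, exempt_maxage=()):
    """List baseline violations for one user as 'attr=value (rule)' strings."""
    attrs = effective_attrs(stanzas, user)
    problems = []
    for attr, (ok, rule) in BASELINE.items():
        if attr == "maxage" and user in exempt_maxage:
            continue                              # e.g. root with maxage=0 on purpose
        value = attrs.get(attr)
        try:
            if value is None or not ok(int(value)):
                problems.append(f"{attr}={value} ({rule})")
        except ValueError:
            problems.append(f"{attr}={value} (not an integer)")
    return problems

def interactive_system_accounts(stanzas, system_users):
    """Return system accounts whose effective login or rlogin is still true.

    An account with no stanza of its own inherits the default stanza, so it is
    reported too unless the default itself disables login and rlogin.
    """
    flagged = []
    for user in system_users:
        attrs = effective_attrs(stanzas, user)
        if attrs.get("login", "true") == "true" or attrs.get("rlogin", "true") == "true":
            flagged.append(user)
    return flagged

if __name__ == "__main__":
    st = parse_stanzas(SAMPLE_USER_FILE)
    for u in ("root", "appuser"):
        print(u, audit_user(st, u, exempt_maxage=("root",)) or "OK")
    print("system accounts with login enabled:",
          interactive_system_accounts(st, ["daemon", "nobody", "bin"]))
```

Running it on the sample reports appuser's weakened minlen and maxage, accepts root once maxage is exempted, and flags nobody and bin because neither has a stanza that turns login off, so the default stanza's login=true applies to them.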
 
Yeah, auditors... this is my problem :)
But login and rlogin apply only to the telnet/rlogin commands, right? They don't apply to ssh connections.
I set rlogin=false for the root user but I was able to connect with ssh. I had to modify the PermitRootLogin parameter in the sshd_config file in order to deny remote connections for root.
I think this also applies to these users... am I wrong?

Really thanks again.
 
I'm not so hot on ssh, but if their passwords are not set then they can't log on.

I don't think the PermitRootLogin flag affects the other users. Can anyone else out there help?

Columb Healy
 
"I don't think the PermitRootLogin flag affects the other users. Can anyone else out there help?"

That's correct.

UseLogin has some effect on the authentication process when using ssh. I believe turning this on would make the changed password pass through AIX's rules that are set up for the machine. We're using another method, so I'm not 100% sure on that...
 
I'm not sure about this UseLogin.
From the sshd_config manual:
UseLogin
    Specifies whether login(1) is used for interactive login sessions. The default is ``no''. Note that login(1) is never used for remote command execution. Note also, that if this is enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. If UsePrivilegeSeparation is specified, it will be disabled after authentication.

I'm not sure that modifying this helps.

Thanks again.
 
Hi,
Let's go back to the original question.
I implemented the policy management as suggested by Columb, so I ran:
chsec -f /etc/security/user -s default \
-a maxage=4 \
-a maxrepeats=2 \
-a minalpha=5 \
-a minother=2 \
-a mindiff=3 \
-a histexpire=52 \
-a histsize=13 \
-a minage=1 \
-a maxexpired=2 \
-a minlen=8 \
-a pwdwarntime=7 \
-a sugroups=staff \
-a loginretries=3

Now I want the user root to never expire, so I issued (after the previous command)
chuser expires=0 maxexpired=-1 minage=0 root

I also ran this command for my user (in order to test), but when I log in it shows me that my password will expire:
[compat]: 3004-328 Your password will expire: Thu Nov 9 16:12:07 NFT 2006

Any ideas? I have application passwords that should never expire.
The /etc/security/user file says this about the expires setting:
If 0 the account does not expire
But this doesn't seem to be true. Also, expires=0 is set by default in the default stanza.
Any ideas?

Thanks again
 
I also tried to modify expires in order to let the password expire in 2038.
The command goes fine, but when I try to log in I receive a message that the password is going to expire tomorrow.
The command used is:
chuser expires=1231235937 myuser
This should mean that the password is going to expire on 31/12/2037 at 11:59 pm.

Thanks again.
 
The 'expire' attribute designates when the account expires, not the passwd. In your case, the account would start behaving as if locked=true on 31/12/2037 @ 23:59, regardless of the state of the password.

Also, you want to set maxage=0 to keep a user from ever expiring, not minage.

Oh, and root is exempt from maxexpired's application. root's password can expire, but it can't be locked out because of it. Same thing goes for failed logins.

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

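Added example (not from the thread) that puts Rod's distinction into code: the expires attribute (MMDDhhmmyy, 0 = never) controls when the account expires, while password expiry follows the lastupdate time stored in /etc/security/passwd plus maxage weeks (0 = never), with pwdwarntime days of warning before it. The user records and the clock value below are constructed for the example; the 1939-2038 two-digit-year pivot follows the documented range of the expires attribute.

```python
"""Account expiry (expires) versus password aging (maxage) on AIX.

Added example, not from the thread. Decodes the expires attribute
(MMDDhhmmyy, 0 = never, years 1939-2038 per the AIX documentation) and
computes when a password set at a given lastupdate time (epoch seconds, as
stored in /etc/security/passwd) expires under maxage (weeks, 0 = never).
"""
from datetime import datetime, timedelta, timezone

def parse_expires(value):
    """Decode an AIX expires value; returns None for 0 (account never expires)."""
    value = value.strip()
    if value == "0":
        return None
    if len(value) != 10 or not value.isdigit():
        raise ValueError(f"expires must be MMDDhhmmyy or 0, got {value!r}")
    mm, dd, hh, mi, yy = (int(value[i:i + 2]) for i in range(0, 10, 2))
    year = 1900 + yy if yy >= 39 else 2000 + yy   # documented range is 1939-2038
    return datetime(year, mm, dd, hh, mi, tzinfo=timezone.utc)

def password_expiry(lastupdate, maxage_weeks):
    """When the password set at `lastupdate` expires; None if maxage is 0."""
    if maxage_weeks == 0:
        return None
    return datetime.fromtimestamp(lastupdate, timezone.utc) + timedelta(weeks=maxage_weeks)

def account_state(user, now):
    """Summarise what will actually stop a login for one user record."""
    acct = parse_expires(user["expires"])
    pwd = password_expiry(user["lastupdate"], user["maxage"])
    warn_from = pwd - timedelta(days=user["pwdwarntime"]) if pwd else None
    return {
        "account_expires": acct,
        "password_expires": pwd,
        "account_expired": acct is not None and now >= acct,
        "password_expired": pwd is not None and now >= pwd,
        "warning_shown": pwd is not None and warn_from <= now < pwd,
    }

# Constructed records (attribute names as in /etc/security/user and
# /etc/security/passwd; the values are invented for this example).
NOW = datetime(2006, 11, 8, 12, 0, tzinfo=timezone.utc)
USERS = {
    # The thread's case: expires pushed out to 2037 but maxage still 4 weeks,
    # so the password warning keeps appearing; expires does not govern passwords.
    "myuser": {"expires": "1231235937", "maxage": 4, "pwdwarntime": 7,
               "lastupdate": int(datetime(2006, 10, 12, 16, 12, 7,
                                          tzinfo=timezone.utc).timestamp())},
    # root: account never expires, and maxage=0 means the password never expires.
    "root":   {"expires": "0", "maxage": 0, "pwdwarntime": 7,
               "lastupdate": int(datetime(2005, 1, 1, tzinfo=timezone.utc).timestamp())},
}

if __name__ == "__main__":
    for name, rec in USERS.items():
        print(name, account_state(rec, NOW))
```

For myuser the account date decodes to 31 Dec 2037 23:59 as the poster expected, yet the password set on 12 Oct still expires on 9 Nov 2006 and the warning is already showing, which is exactly the behaviour seen in the thread; setting maxage=0 (as for root here) is what removes the password expiry.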
 
You're right, I also found that maxage was the correct setting.
About root: if the account is locked, do crontab scripts work normally?
Also, I have these AIX systems in an HACMP cluster. In case of failure, will HACMP be able to switch if the root account is locked?

Thanks
 
Columb,

Would you consider sharing your box hardening scripts?

scott
 