Techskills Linuxsecurity 1 3 Auditing User Passwords

This document discusses techniques for auditing and enforcing strong user passwords in Linux. It describes how to set password policies that expire passwords after a certain number of days and warn users before expiration using chage and /etc/login.defs. It also explains how to require complex passwords using the /etc/security/pwquality.conf file and criteria like length, uppercase/lowercase letters, numbers, and special characters. Finally, it provides instructions for using John the Ripper to test password strength through a brute force attack on the hashed passwords.

Linux Security Techniques - 1.0 Monitoring and Auditing Security

============================================================

Filename: techskills-linuxsecurity-1-3-auditing_user_passwords
Title: Auditing User Passwords
Subtitle: Linux Security Techniques

1.3 Auditing User Passwords


How can we set a password policy for our users?

Can be set individually, per account, using chage (root is required except to view your own entry)

Display current aging info for one account
chage -l jdoe
Define the password expiration policy interactively (prompts for every field)
chage <username>
Modify the policy from the command line
chage -m <mindays> -M <maxdays> -E <expiredate> -W <warndays> jdoe
-m minimum days between password changes, -M maximum days a password stays valid, -W days of warning before it expires
-E is the date (YYYY-MM-DD) on which the whole account expires, not a password date; the -d option sets the last-change date, and setting it to 0 forces a change at the next login
chage -M 90 -m 1 -W 7 jdoe

Can we make that affect all users?

Can be set globally by editing /etc/login.defs

Only applied at account creation (useradd copies the PASS_* values into the new /etc/shadow entry)
Not retroactive: accounts that already exist keep their old aging fields until chage is run on each of them
Settings
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
PASS_MIN_LEN 5
PASS_MIN_LEN only matters when passwd is built without PAM; on a PAM-based system the length rule comes from pam_pwquality (next section)
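Because login.defs is not retroactive, the accounts created before the policy was set are the ones that need checking. The following script is an added example (mine, not code from the course notes): it parses /etc/shadow, compares each password-enabled account against the PASS_* values above, and prints the chage command that brings the account into line. The policy numbers, user names and hash strings in SAMPLE_SHADOW are constructed for the example; on a real host run it as root against the real file.

```python
"""Audit password-aging fields in /etc/shadow against a login.defs-style policy.

Added example, not part of the course notes.  /etc/login.defs only applies to
accounts created after it is edited, so existing accounts can stay out of
policy indefinitely; this script finds them and prints the chage command
that fixes each one.  The POLICY values, user names and hash strings below
are constructed for the example.
Usage on a real host (root is required to read /etc/shadow):
    python3 shadow_aging_audit.py /etc/shadow
"""
import sys
import time

# Mirrors PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE in /etc/login.defs (assumed values).
POLICY = {"max_days": 90, "min_days": 1, "warn_days": 7}

# Constructed sample in /etc/shadow format (the hash bodies are placeholders).
# Fields: user:hash:lastchange:min:max:warn:inactive:expire:reserved,
# with the day fields counted in days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
jdoe:$6$saltsalt$placeholderhash:19700:1:90:7:::
svc-backup:!!:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19500:1:90:7:::
"""

FIELDS = ("user", "hash", "last", "min", "max", "warn", "inactive", "expire", "reserved")


def parse_shadow(text):
    """Yield one dict per shadow entry; missing trailing fields become ''."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = (line.split(":") + [""] * len(FIELDS))[:len(FIELDS)]
        yield dict(zip(FIELDS, fields))


def is_locked(hash_field):
    """'!' or '!!' prefix = locked by passwd -l / never set; '*' = no password login."""
    return hash_field.startswith("!") or hash_field.startswith("*")


def _days(value, default):
    """Shadow day fields may be empty; treat an empty field as the given default."""
    return int(value) if value.lstrip("-").isdigit() else default


def audit(text, policy=POLICY, today=None):
    """Return [(user, [problem, ...], [fix command, ...]), ...] for entries that
    can log in with a password but violate the policy."""
    today = int(time.time() // 86400) if today is None else today
    findings = []
    for e in parse_shadow(text):
        if e["hash"] == "":
            # Empty field: login with no password at all; lock it before anything else.
            findings.append((e["user"], ["empty password field"], [f"passwd -l {e['user']}"]))
            continue
        if is_locked(e["hash"]):
            continue  # aging is irrelevant for a locked or no-login account
        problems, fixes = [], []
        if _days(e["max"], 99999) > policy["max_days"]:
            problems.append(f"max days {e['max'] or 'unset'} > {policy['max_days']}")
        if _days(e["min"], 0) < policy["min_days"]:
            problems.append(f"min days {e['min'] or 'unset'} < {policy['min_days']}")
        if _days(e["warn"], 0) < policy["warn_days"]:
            problems.append(f"warn days {e['warn'] or 'unset'} < {policy['warn_days']}")
        if problems:
            fixes.append(f"chage -M {policy['max_days']} -m {policy['min_days']} "
                         f"-W {policy['warn_days']} {e['user']}")
        # A last-change of 0 already forces a change at next login; otherwise
        # flag passwords older than the policy allows, even if the per-user max is fine.
        if e["last"] not in ("", "0"):
            age = today - _days(e["last"], today)
            if age > policy["max_days"]:
                problems.append(f"password last changed {age} days ago")
                fixes.append(f"chage -d 0 {e['user']}")
        if problems:
            findings.append((e["user"], problems, fixes))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, problems, fixes in audit(text):
        print(f"{user}: {'; '.join(problems)}")
        for fix in fixes:
            print(f"    {fix}")
```

Run without an argument it audits the constructed sample: root is flagged for the 99999-day maximum and 0-day minimum, guest for the empty password field, and alice for a password older than 90 days; jdoe is already in policy and the locked accounts are skipped. Pipe the printed chage lines into a shell (after reading them) to apply the policy retroactively.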

What about requiring a complex password?

Password complexity
/etc/security/pwquality.conf (read by pam_pwquality, which passwd reaches through PAM)
minlen - minimum password length, counted in credits, not characters
lcredit - lower case characters
ucredit - upper case characters
ocredit - other (non-alphanumeric) characters
dcredit - digits
How credits work
Every character is worth 1 credit
A credit setting N >= 0 is the maximum extra credit that character class can add: each character of the class adds 1, up to N (the default for all four is 1)
A negative setting -N means the password must contain at least N characters of that class; a required class earns no credit, and a password missing one is rejected outright, whatever its length
The length check passes when (length + credits) >= minlen
Example: minlen=8 lcredit=1 ucredit=1 ocredit=1 dcredit=1
Password: 12345678
Passes
One credit for each character (+8)
Digit credit, capped at dcredit=1 even though there are eight digits (+1)
Adds up to 9, which is >= 8
Example: minlen=8 lcredit=1 ucredit=-1 ocredit=-1 dcredit=-1
Password: 12345678
Fails
Upper case is required (ucredit=-1) and there is none, so the password is rejected for too few upper-case characters
The missing special character would fail it as well; the check never gets as far as counting length credits
Password: P@ssw0rd
Passes the length check
Upper case, digit and special character requirements are all met (P, 0, @) and earn no credit
One credit for each character (+8)
Lower case credit for s, s, w, r, d, capped at lcredit=1 (+1)
Adds up to 9, which is >= 8
Caveat: this is only the length-and-class rule. pwquality also rejects passwords based on a dictionary word (dictcheck, on by default) or containing the user name (usercheck, on by default), and can be told to limit repeated characters (maxrepeat), runs of one class (maxclassrepeat) and the number of classes (minclass), so passing the credit arithmetic is not enough
Check a candidate with pwscore from libpwquality; it prints a score from 0 to 100 or the reason for rejection
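To make the credit arithmetic concrete, here is an added Python reimplementation of the documented credit rule (my example, not libpwquality's code and not from the course notes). It reproduces the three worked cases above and adds the 7-character edge case, where a single earned credit lets a password shorter than minlen through. It deliberately models only the length-and-class rule; the dictionary, user-name and repeat checks that pwquality also applies are not included, so pwscore remains the authority for a real verdict.

```python
"""Credit arithmetic of pam_pwquality's length check, as an added example.

Not libpwquality's own code.  It mirrors the documented rule for minlen and
the four *credit settings:
  * setting N >= 0: each character of that class adds 1 credit, up to N
  * setting N <  0: at least -N characters of that class are REQUIRED; a
    missing class rejects the password outright and the class earns no credit
  * the length check passes when len(password) + credits >= minlen
pwquality also runs dictionary, user-name and repeat checks that are not
modelled here; use pwscore(1) for the real verdict.
"""

LABELS = {"dcredit": "digit", "ucredit": "upper-case",
          "lcredit": "lower-case", "ocredit": "other"}


def classify(password):
    """Count characters per class the way pwquality does (other = everything else)."""
    counts = {name: 0 for name in LABELS}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check(password, minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return (passed, credits, reason).

    `credits` is the effective length (characters plus earned credits) that is
    compared against minlen.  It is reported even when a required class is
    missing, so the caller can see how close the password was on length alone.
    """
    settings = {"dcredit": dcredit, "ucredit": ucredit,
                "lcredit": lcredit, "ocredit": ocredit}
    counts = classify(password)
    credits = len(password)               # every character is worth one credit
    for name, setting in settings.items():
        have = counts[name]
        if setting < 0:
            if have < -setting:           # hard requirement, no credit earned
                return False, credits, f"needs at least {-setting} {LABELS[name]} character(s)"
        else:
            credits += min(have, setting)  # capped bonus, one per character
    if credits < minlen:
        return False, credits, f"{credits} credits < minlen {minlen}"
    return True, credits, "ok"


if __name__ == "__main__":
    lenient = dict(minlen=8, lcredit=1, ucredit=1, ocredit=1, dcredit=1)
    strict = dict(minlen=8, lcredit=1, ucredit=-1, ocredit=-1, dcredit=-1)
    for pw, cfg in (("12345678", lenient), ("12345678", strict),
                    ("P@ssw0rd", strict), ("abcdefg", lenient)):
        print(f"{pw!r} with {cfg}: {check(pw, **cfg)}")
```

The lenient configuration accepts 12345678 with 9 credits (8 characters plus one capped digit credit), the strict one rejects it as soon as the upper-case requirement fails, and P@ssw0rd passes the strict length check with 9 credits. The last case shows why minlen is not a character count: abcdefg is only 7 characters but earns one lower-case credit and clears minlen=8.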

How do we know if our users are actually using a strong password?

Passwords are stored as non-reversible (one-way) hashes in /etc/shadow
Hashed passwords can't reveal complexity, and because shadow hashes are salted you cannot even tell whether two users share a password
echo -n 1234567890 | sha256sum
(illustrates the one-way property only; the real shadow entry is a salted, iterated crypt(3) hash such as $6$ sha512crypt or $y$ yescrypt, not a bare sha256sum)
The only way to test is to attack the hashes offline the way an adversary would: guess candidates, hash each one with the same salt and compare
John the Ripper
Open source password cracker
Default run order: single-crack mode (guesses derived from the user name and GECOS field), then a wordlist with mangling rules, then incremental brute force
Using the tool
1. Install John the Ripper
yum install -y wget make gcc
wget http://www.openwall.com/john/j/john-1.8.0.tar.gz
tar -xvzf ./john-1.8.0.tar.gz
cd ./john-1.8.0/src
make clean linux-x86-64
(run make with no target for the full list of build targets)
cd ../run
./john --test
2. Export your hashed passwords to a text file (root is needed to read /etc/shadow)
./unshadow /etc/passwd /etc/shadow > users.txt
3. Cleanup unnecessary records from the file
vi ./users.txt
Delete any line with no password (!! or *): these are locked or no-login accounts and there is nothing to crack
:g/!!/d
:g/:\*:/d
4. Run the attack
./john ./users.txt
Cracked passwords are saved in john.pot; list them afterwards with the --show option, and treat users.txt itself as sensitive, since it holds every hash on the system
The core build above cracks modern crypt(3) hashes through the system's crypt library, which is slow; the jumbo build (not used here) has native, much faster implementations
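Step 3 above cleans users.txt by hand in vi. As an added example (not from the course notes), the following Python filter does the same cleanup on unshadow output, explains why each line was dropped, and counts the crypt(3) hash types that remain, which tells you what John has to support before you start (check the list with john's --list=formats option). The sample lines and hash bodies are constructed; only the $id$ prefixes matter.

```python
"""Clean unshadow output before running John, as an added example.

Not from the course notes.  Reads unshadow-format lines
(user:hash:uid:gid:gecos:home:shell), drops entries that have no hash to
crack (locked '!'/'!!', no-login '*', or an empty field), and counts the
crypt(3) hash types that remain so you know what John must support.
Usage on a real host:  python3 clean_unshadow.py users.txt > crackable.txt
"""
import sys
from collections import Counter

# Constructed sample; the hash bodies are placeholders, only the prefixes matter.
SAMPLE_UNSHADOW = """\
root:$6$saltsalt$placeholder:0:0:root:/root:/bin/bash
jdoe:$6$saltsalt$placeholder:1000:1000:John Doe:/home/jdoe:/bin/bash
alice:$y$j9T$saltsalt$placeholder:1001:1001::/home/alice:/bin/zsh
legacy:$1$saltsalt$placeholder:1002:1002::/home/legacy:/bin/sh
svc-backup:!!:1003:1003::/var/lib/backup:/sbin/nologin
nobody:*:65534:65534:Nobody:/:/sbin/nologin
guest::1004:1004::/home/guest:/bin/bash
"""

# crypt(3) identifier prefixes as produced by glibc / libxcrypt.
HASH_TYPES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


def hash_type(hash_field):
    """Name the crypt(3) scheme from its '$id$' prefix, or None if unknown."""
    for prefix, name in HASH_TYPES.items():
        if hash_field.startswith(prefix):
            return name
    return None


def clean(text):
    """Split unshadow lines into (crackable lines, [(user, why dropped), ...])."""
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user = fields[0]
        h = fields[1] if len(fields) > 1 else ""
        if h == "":
            # Not a cracking problem but an immediate one: login needs no password.
            dropped.append((user, "empty password field, lock or set a password first"))
        elif h.startswith("!"):
            dropped.append((user, "locked"))
        elif h.startswith("*"):
            dropped.append((user, "no password login"))
        elif hash_type(h) is None:
            dropped.append((user, f"unrecognised hash format {h[:4]!r}"))
        else:
            kept.append(line)
    return kept, dropped


def summary(kept):
    """Count hash types among the kept lines, e.g. {'sha512crypt': 2, 'yescrypt': 1}."""
    return Counter(hash_type(line.split(":")[1]) for line in kept)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNSHADOW
    kept, dropped = clean(text)
    for user, why in dropped:
        print(f"dropped {user}: {why}", file=sys.stderr)
    print("\n".join(kept))                      # stdout is the file John will read
    print(dict(summary(kept)), file=sys.stderr)
```

On the sample, four lines survive (two sha512crypt, one yescrypt, one md5crypt), the locked and no-login accounts are dropped, and guest is reported separately because an empty hash field means the account can log in with no password at all, which is worth fixing before any cracking run.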
