(Ubuntu: Lesson 6)

{ Enforcing Strong Passwords using login.defs and common-password }

Section 0. Background Information

Background information.
- The following lab will show you how to enforce strong passwords using /etc/login.defs, /etc/pam.d/common-password, pam_cracklib.so, and pam_unix.so.
Prerequisite
- Ubuntu: Lesson 1: Installing Ubuntu Desktop 12.04 LTS
Lab Notes
- In this lab we will how to do the following:
  1. We will set the password maximum age.
  2. We will set the maximum number of day a password may be used before the next password reset.
  3. We will set the minimum number of days allowed between password changes.
  4. We will force passwords to contain uppercase, lowercase, digits and special characters.
  5. We will keep track of password histories.
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2012 No content replication of any kind is allowed without express written permission.

Section 1: Start Ubuntu 12.04

Start Ubuntu 12.04
- Instructions
  1. For Windows 7
    - Start --> All Programs --> VMware Player
  2. For Windows XP
    - Starts --> Programs --> VMware Player
Verify Virtual Machine Settings.
- Instructions
  1. Click on Ubuntu 12.04
  2. Click on Edit virtual machine settings
Configure Network Adapter
- Instructions
  1. Click on Network Adapter
  2. Click on the Bridged Radio Button
  3. Click on the Close Button
Start the Ubuntu 12.04 VM
- Instructions
  1. Click on Ubuntu 12.04
  2. Click on Play virtual machine

Section 2: Login to Ubuntu

Change to Gnome Classic
- Instructions:
  1. Click on the Circle
Select Gnome Classic
- Instructions:
  1. Double Click on GNOME Classic
Login to Server
- Instructions
  1. User: Student
  2. Password: Please supply the student password.

Section 3: Become Root and Verify Network Connection

Start up a Terminal
- Instructions
  1. Click on the Terminal
Become Root
- Instructions
  1. sudo su -
  2. Supply the student password.
Verify you have a network connection
- Instructions
  1. ifconfig -a
    - eth0 is the name of my interface.
    - 192.168.1.103 is my network IP address.
- Note(FYI):
  - If you do not have an DHCP IP Address try the following:
    - dhclient
      - OR
    - /etc/init.d/networking restart

Section 3: Backup /etc/login.defs

Backup /etc/login.defs
- Instructions
  1. cd /etc
  2. ls -l login.defs
  3. cp login.defs login.defs.BKP
  4. ls -l login.defs*

Section 4: Configure Password Rules in /etc/login.defs

Open /etc/login.defs
- Instructions
  1. vi login.defs
Search for PASS_MAX_DAYS
- Instructions
  1. Press the "/"
    - This will put you in search mode.
  2. Type "^PASS_MAX"
    - The "^" character means "start with".
    - So, in this case we are telling the vi editor to search for the first instance of the phrase that starts with PASS_MAX.
Change PASS_MAX_DAYS
- Note(FYI):
  - PASS_MAX_DAYS is the maximum number of day a password may be used before the next password reset.
- Instructions
  1. Arrow right to where your cursor is on the first 9 in the number 99999.
  2. Type cw to change word.
  3. Type 90
    - Typically, company security policies will require you to reset your password every 3 months.
  4. Press the <Esc> key
Change PASS_MIN_DAYS
- Note(FYI):
  - PASS_MIN_DAYS is the minimum number of days allowed between password changes.
  - This help prevent password reuse over a certain period of times.
- Instructions
  1. Arrow down to the line that starts with PASS_MIN_DAYS.
  2. Arrow to the right to where your cursor is on the "0".
  3. Type cw to change word.
  4. Type 1
Save login.defs
- Instructions
  1. Verify PASS_MAX_DAYS is set to 90
  2. Verify PASS_MIN_DAYS is set to 1
  3. Press the <Esc> key
  4. Type :wq! to save the file

Section 5: Install libpam-cracklib

Install libpam-cracklib
- Instructions
  1. apt-get install libpam-cracklib
  2. Do you want to continue? Y
Verify that libpam-cracklib is installed
- Instructions
  1. ls -ld /usr/share/pam-configs/cracklib

Section 6: Configure Password Length and Strength

Backup the file common-password
- Instructions
  1. cd /etc/pam.d
  2. cp common-password common-password.BKP
  3. ls -l common-password*
Open common-password
- Instructions
  1. vi common-password
Search for pam_cracklib
- Instructions
  1. Press the "/" key
    - This will put the vi editor into search mode.
  2. Type "pam_cracklib"
  3. Press the <Enter> key
View Search Results
- Instructions
  1. The cursor should now be on the "p" in the string pam_cracklib.so
  2. Press <Shift> and "a" at the same time
    - This will place vi in append mode with the cursor at the end of the current line.
  3. Press the <Space Bar> once
  4. Continue to next step
Working in Append Mode
- Instructions
  1. Your cursor should be a space after the phrase difok=3. (See Below).
  2. Continue to Next Step
Add Password Strength
- Instructions
  1. After the string difok=3, add the following variables:
    - ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
  2. Press the <Esc> key.
  3. Type :wq! to save file
- Note(FYI):
  - retry=3, the user will get three opportunities to enter the password before an error occurs.
  - minlen=8, the minimum length of the password must be at least 8 characters.
  - difok=3, there needs to be at least three differing characters between an old and new password for it to be accepted.
  - ucredit=-1, the password requires at least 1 uppercase character.
  - lcredit=-1, the password requires at least 1 lowercase character.
  - dcredit=-1, the password requires at least 1 numerical character.
  - ocredit=-1, the password requires at least 1 non-alpha numeric character.

Section 7: Set Up Password History

Navigate to the /etc/security directory
- Instructions
  1. cd /etc/security
Set up password history file
- Instructions
  1. cat /dev/null > opasswd
    - This creates an empty file named opasswd.
  2. chmod 600 opasswd
  3. chown root:root opasswd
  4. ls -l opasswd*
Open the common-password file
- Instructions
  1. cd /etc/pam.d/
  2. vi common-password
Search for pam_unix.so
- Instructions
  1. Press the "/" key
    - This will place the VI editor into search mode
  2. Type "pam_unix.so"
  3. Press the <Enter> key
View Search Results
- Instructions
  1. The cursor should be on the "p" for the string pam_unix.so
  2. Press <Shift> and "a" at the same time
    - This will place vi in append mode with the cursor at the end of the current line.
  3. Press the <Space Bar> once
  4. Continue to next step
View Search Results
- Instructions
  1. Place "remember=12", after the string sha512. Make sure there is a space between sha512 and remember=12.
    - remember=12, will store the last 12 passwords for each user in the /etc/security/opasswd file.
  2. Press the <Esc> key.
  3. Type :wq! to save the file.

Section 8: Proof of Lab

Proof of Lab
- Instructions
  1. grep "^PASS" /etc/login.defs
  2. grep "pam_cracklib.so" /etc/pam.d/common-password
  3. grep "pam_unix.so" /etc/pam.d/common-password
  4. date
  5. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Press both the <Ctrl> and <Alt> keys at the same time.
  2. Do a <PrtScn>
  3. Paste into a word document
  4. Upload to Moodle