
Linux Password Policies

PCQ Bureau

The login names used to log in to a system are no big secret, but the passwords should be chosen such that they are not easy to guess. Sensible password policies call for including numbers, mixing lower and upper case, and so on. In this article, we'll look at how Linux stores passwords, why that matters, and how the password-aging policies supported by Linux can be used to make a system more secure.


How safe are Linux passwords?

On a system without shadow passwords, all Linux account information, including the passwords, is stored in a single file named passwd in the /etc directory. Each line of this file describes one account, with seven colon-separated fields:

login name:encrypted password:UID:GID:GCOS:home directory:shell


The password in this file is encrypted using a package called

crypt, which uses the DES (Digital Encryption Standard) algorithm to do it. The

UID is a numeric ID given to each user. For root it is 0. GID is also a number,

which is the primary group the user belongs to. For root it is 0. The GCOS field

contains information about the user such as his name, organization, and phone

number. This may or may not be filled. The home directory is generally

/home/ or /root for the root user. The shell is the default

shell (bash shell in RedHat) the user is dropped in after login.

The passwd file must be readable by everyone, because the login process and many of the applications users run consult it to map login names to UIDs, home directories and shells. Unfortunately, that also means anyone can open it in a simple text editor like vi and read it. This reveals all the account information: login names, group IDs, home directories and, most importantly, the password hashes.

Though the password is stored in hashed form, that alone does not protect it from what are called dictionary attacks, which can be performed by utilities like Crack. In a dictionary attack, a large number of candidate passwords (dictionary words plus permutations and combinations of them) are run through the same algorithm as the target, DES crypt in this case, using the salt taken from the stored hash. Each result is compared with the hash in /etc/passwd (since it is readable). If they match, the candidate word is the password. The attack is entirely offline: no login attempts are made, so nothing is logged and no lockout can stop it, and a single copy of the file is enough to attack every account on the system at leisure. If this has started to worry you, calm down, because the solution has also been around for a long time. It is used in most Linux distributions, including RedHat, and is called the shadow package.
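The attack described above, as an added example that is not code from the original article or from Crack. Real /etc/passwd hashes come from crypt(3), whose traditional DES form is not available in portable Python, so the block uses a labelled stand-in hash (SHA-256 over salt plus password) that keeps crypt's two-character salt prefix and its eight-character truncation; the file format, the salt reuse and the guess-and-compare loop are the real technique. The sample passwd lines and word list are constructed for the example.

```python
"""Offline dictionary attack against a world-readable passwd file.

Added example, not code from the original article. Real /etc/passwd hashes
come from crypt(3), whose traditional form is DES-based and not available in
portable Python, so stand_in_crypt() below is a labelled stand-in: SHA-256
over salt + password, keeping crypt's conventions of a two-character salt
stored as the hash prefix and of using only the first eight characters of
the password. The attack logic is the real one; only the hash is swapped.
"""
import hashlib
from typing import Dict, Iterator, List, Optional

SALT_LEN = 2  # traditional DES crypt: salt is the first two characters of the field


def stand_in_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3). Like DES crypt, it ignores everything past
    the eighth character and returns salt + 11 characters of digest."""
    digest = hashlib.sha256((salt + password[:8]).encode()).hexdigest()
    return salt + digest[:11]


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse lines in the seven-field format given in the article."""
    fields = ("login", "hash", "uid", "gid", "gcos", "home", "shell")
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(dict(zip(fields, parts)))
    return entries


def mutations(word: str) -> Iterator[str]:
    """A few of the permutations Crack-style tools try for each dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("1", "123", "!"):
        yield word + suffix


def crack_entry(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """Return the candidate whose hash matches stored_hash, or None.
    An 'x' field (shadowed) or a '*'/'!' field (locked) carries no hash,
    so there is nothing to attack offline."""
    if stored_hash in ("", "x", "*", "!") or len(stored_hash) <= SALT_LEN:
        return None
    salt = stored_hash[:SALT_LEN]  # reuse the victim's salt, as Crack does
    for word in wordlist:
        for candidate in mutations(word):
            if stand_in_crypt(candidate, salt) == stored_hash:
                return candidate
    return None


def crack_passwd(text: str, wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Attack every account in a passwd file; the whole run is offline."""
    return {e["login"]: crack_entry(e["hash"], wordlist) for e in parse_passwd(text)}


# Constructed sample file, not from any real system. Hashes were produced with
# the stand-in above; the 'admin' line shows what a shadowed entry looks like.
SAMPLE_PASSWD = "\n".join([
    "root:" + stand_in_crypt("Secret#Phrase-2001", "ab") + ":0:0:root:/root:/bin/bash",
    "shekhar:" + stand_in_crypt("shekhar123", "Kp") + ":500:500:Shekhar,PCQ:/home/shekhar:/bin/bash",
    "guest:" + stand_in_crypt("Password", "9z") + ":501:501::/home/guest:/bin/bash",
    "admin:x:502:502:shadowed account:/home/admin:/bin/bash",
])
WORDLIST = ["linux", "shekhar", "password", "redhat", "welcome"]  # constructed

if __name__ == "__main__":
    for login, found in crack_passwd(SAMPLE_PASSWD, WORDLIST).items():
        print(f"{login:8} {found if found else '(not found)'}")
```

Two things are worth noticing in the output. The 'guest' password falls to a simple capitalisation rule, and 'shekhar' is recovered as "shekhar1" although the password set was "shekhar123": with an eight-character hash, the trailing characters never mattered, so the shorter guess is accepted at the login prompt too. The 'admin' entry, whose field holds only "x", cannot be attacked from this file at all, which is exactly what the shadow suite described next achieves for every account.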

The shadow suite


The shadow suite is installed by default in RedHat. It removes the password hashes from /etc/passwd and places them in a file called shadow in the /etc directory; the password field of /etc/passwd contains an "x" instead. The new file is readable only by root, so ordinary users, and any program running with their rights, can no longer copy the hashes for an offline dictionary attack, while /etc/passwd stays world-readable for the lookups that need it. Note that shadowing does not make a weak password strong: anyone who does obtain /etc/shadow, from a backup tape or a root compromise, can run exactly the same attack, so the rules for choosing passwords still apply. The shadow suite also consists of a number of utilities and commands to add/delete users and do password aging. The file has the following format, one line per user, with nine colon-separated fields:

user name:encrypted password:last modified:min change days:max change days:warn days:disable days:disable time:reserved

Here, the 'last modified' field is the number of days since January 1, 1970 on which the password was last changed; a value of 0 forces the user to change the password at the next login. The 'min change' field is the minimum number of days that must pass after a change before the user may change the password again. It can be given a 0 value, which means users can change their passwords at any time; a value of 1 or more stops a user from changing the password and then immediately changing it back to an old favourite. The 'max change' field is the number of days after which the password must be changed; once that many days have passed since the last change, the user is forced to set a new password at the next login.


With 'warn days', you specify how many days before the password expires a warning message is shown to the user at login. 'Disable days' is the number of days after the password has expired during which the user can still log in and is forced to change it; once that grace period is over, the account is locked. 'Disable time' is an absolute date, again counted in days since January 1, 1970, after which the account is disabled regardless of the password's age, which is handy for temporary accounts. An empty field means that particular check is not applied. As you can see, these additional fields can be used to impose effective password policies on users. It's a good practice to warn or force users to change their passwords periodically. Let's use the shadow utilities to add a user 'shekhar' and impose password aging on his account.
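The aging fields above are easier to reason about when the day arithmetic is written out. The following is an added example, not code from the original article or the shadow suite: it parses lines in the nine-field format given above and reports what the login process would conclude about each account on a given day. The shadow lines are constructed for the example, with placeholder text in the hash field.

```python
"""Interpret the password-aging fields of /etc/shadow.

Added example, not code from the original article. It parses lines in the
nine-field format given above and reports what the login process would
conclude about an account on a given day: password fine, warning period,
change required, locked after the inactivity window, or account expired.
All day counts are days since 1 January 1970, exactly as stored in the file.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """Convert a calendar date to the day number used by /etc/shadow."""
    return (d - EPOCH).days


def _int_or_none(field: str) -> Optional[int]:
    """Empty shadow fields mean 'not set', so keep them distinct from 0."""
    return int(field) if field.strip() else None


@dataclass
class ShadowEntry:
    login: str
    password: str
    last_change: Optional[int]    # 'last modified'
    min_days: Optional[int]       # 'min change days'
    max_days: Optional[int]       # 'max change days'
    warn_days: Optional[int]      # 'warn days'
    inactive_days: Optional[int]  # 'disable days'
    expire_day: Optional[int]     # 'disable time' (absolute day number)

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        parts = line.rstrip("\n").split(":")
        if len(parts) != 9:
            raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
        login, password, *aging, _reserved = parts
        return cls(login, password, *(_int_or_none(f) for f in aging))

    def status(self, today: int) -> str:
        """Classify the account as of day `today` (days since epoch)."""
        if self.expire_day is not None and today >= self.expire_day:
            return "account expired"
        if self.password.startswith(("!", "*")):
            return "password locked"
        if self.last_change == 0:
            return "must change password at next login"
        if self.last_change is None or self.max_days is None:
            return "password never expires"
        age = today - self.last_change
        if age > self.max_days:
            if self.inactive_days is not None and age > self.max_days + self.inactive_days:
                return "locked: inactive after password expiry"
            return "password expired; change required"
        if self.warn_days and age >= self.max_days - self.warn_days:
            return f"password expires in {self.max_days - age} days"
        return "ok"

    def can_change_now(self, today: int) -> bool:
        """'min change days' blocks a change until that many days have passed."""
        if self.last_change is None or not self.min_days:
            return True
        return today - self.last_change >= self.min_days


def report(shadow_text: str, today: int) -> Dict[str, str]:
    """Status of every account in a shadow file on the given day."""
    entries = (ShadowEntry.parse(l) for l in shadow_text.splitlines() if l.strip())
    return {e.login: e.status(today) for e in entries}


# Constructed sample (not a real shadow file; the hash fields are placeholders).
# shekhar: 90-day maximum, 7-day warning, 14-day grace, at most one change a day.
# contractor: password never expires, but the account ends on 30 June 2001.
# newhire: last-change field of 0 forces a change at first login.
LAST = days_since_epoch(date(2001, 3, 1))
SAMPLE_SHADOW = "\n".join([
    f"shekhar:abCONSTRUCTED:{LAST}:1:90:7:14::",
    f"contractor:abCONSTRUCTED:{LAST}:0:99999:7::{days_since_epoch(date(2001, 6, 30))}:",
    "newhire:abCONSTRUCTED:0:0:90:7:::",
])

if __name__ == "__main__":
    for day in (LAST + 30, LAST + 85, LAST + 91, LAST + 105):
        print((EPOCH + timedelta(days=day)).isoformat(), report(SAMPLE_SHADOW, day))
```

Running it walks shekhar's account through the whole cycle: plain "ok" a month after the change, a warning once fewer than seven days remain, a forced change from day 91, and a locked account from day 105, when the 14-day grace period after expiry has also run out. On a real system, the shadow suite's chage command with the -l option prints these same fields for one account in human-readable form.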

The Indian scenario

There are many who would like to believe that Open Source software is ideally suited for a resource-challenged country like India. Those who do so, miss the point that lies at the core of the Open Source movement. The success of Open Source software has very little to do with the fact that it's mostly (though not always) without cost. While many Open Source users are attracted to it because it's free, almost always, they stay with it for a much better reason—Open Source products are also better. A quick look at the list of Indian corporates who've embraced Open Source solutions will drive home a pertinent point—not one of them is on the list because they couldn't afford a commercial solution. Free beer gone flat never attracted anyone.


As one regular poster to the Linux-India mailing list said: "To believe that cost is an issue with Open Source, is to misunderstand the etymological roots of the word "Free". Indians are Free, but Indians are not cheap". He wasn't just waving the tricolor. He was talking reason—pure, sound, technical reason. That he was economically right too, was incidental.

The success of the Open Source development model derives from the opportunities provided by the Internet. It's commonly acknowledged that cheap (free) Internet access in American (not to forget Finnish) universities was the fuel that drove the movement. The corollary to this is also, sadly, true—since the bulk of Indian universities took an inordinately long time to get connected, the list of native Indian Open Source products, while growing, still remains minuscule. What little (but commendable) development exists here is initiated by commercial firms porting popular Indian applications to Linux (Tally is a superb example). The message is clear—as you sow Internet access, so shall you reap Open Source.

It's time to reverse the trend now. And fast. Several institutions and universities, notably the IIIT (Hyderabad), as well as small universities like the Goa University, are setting up infrastructure and facilities for students to jumpstart local Open Source development. Short-term training programs—like the recent ones on the Linux kernel at the IIIT and on Open Source for corporates at Goa University—are first lunges in clawing our way back into the race. The list of speakers and resource persons at these two programs reads like a who's who of Indian Open Source gurus. The Advanced Center for Informatics (ACI), set up at Goa University with generous support from the National Informatics Center (NIC) of the Government of India, aims to promote development, and disseminate support and training for Open Source products in India. With a firm and steady eye on the economic opportunities presented by Open Source, the ACI even plans to set up an Open Source incubator for student projects to help them raise venture capital. It always helps to have a bank next to a lab.
