Wednesday, April 2, 2008

Why is Sendmail not accepting connections from any host except localhost (127.0.0.1)?

By default, Sendmail is configured to only accept connections from localhost (127.0.0.1). To allow connections from ALL hosts, please do the following:


Note: This will set up Sendmail to accept connections from all IPs on all interfaces of the machine.


Install the sendmail-cf package with the following command:

# up2date sendmail-cf

Edit /etc/mail/sendmail.mc and change the following line:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to look like the following (removing the localhost restriction):

DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl

Save the file, then rebuild the Sendmail configuration files:

make -C /etc/mail

Restart Sendmail:

service sendmail restart

How do you set up Cyrus for POP3 to work with Sendmail on Red Hat Enterprise Linux 4?

All of the commands provided must be run locally. We recommend that you back up any files that you will edit before editing them. For example, use the cp (copy) command to save a copy of the file before you edit it:

cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.bak
To begin, first run:

service saslauthd status
service cyrus-imapd status
service sendmail status
To set up Cyrus, leave /etc/imapd.conf as installed by the RPM package. Leave /etc/cyrus.conf at its defaults except for the SERVICES section, which should look like the following:

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
# add or remove based on preferences
imap cmd="imapd" listen="imap" prefork=5
# imaps cmd="imapd -s" listen="imaps" prefork=1
pop3 cmd="pop3d" listen="pop3" prefork=3
# pop3s cmd="pop3d -s" listen="pop3s" prefork=1
# sieve cmd="timsieved" listen="sieve" prefork=0

# these are only necessary if receiving/exporting usenet via NNTP
# nntp cmd="nntpd" listen="nntp" prefork=3
# nntps cmd="nntpd -s" listen="nntps" prefork=1

# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

Note: You will need imap even if you are not planning on running an imap server.

Next, set the system password for the cyrus user:

passwd cyrus

Set the saslauthd (SASL) password for cyrus:

saslpasswd -c cyrus

su to the cyrus user and run the mkimap setup script:

/usr/lib/cyrus-imapd/mkimap

Add a user with both passwords in the same way:

useradd testuser
saslpasswd -c testuser

Now restart (or start) the services and turn them on to start at boot time:

service saslauthd restart
service cyrus-imapd restart
service sendmail restart
service xinetd restart
chkconfig saslauthd on
chkconfig cyrus-imapd on
chkconfig sendmail on

You might need to reboot to allow Cyrus to take ownership of the port.

Log in to cyrus-imap as cyrus:

cyradm --user cyrus localhost

You can type help for more information. The prompt should also change:

localhost.localdomain> help

Now make the user's mailbox. Note that "user." must come before the username:

localhost.localdomain> cm user.testuser

You can now exit:

localhost.localdomain> quit

You can now test the user:

telnet localhost 110

then log in:

user testuser
pass test

You should see:

+OK Name is a valid mailbox
+OK Mailbox locked and ready

You now have Cyrus working correctly. The mailbox should show up under:

/var/spool/imap/t/user/

You will now need to set Sendmail up to receive mail and hand it to Cyrus. Edit the configuration file /etc/mail/sendmail.mc and add the following lines at the bottom:

dnl MAILER(smtp)dnl
dnl MAILER(procmail)dnl
define(`confLOCAL_MAILER', `cyrus')
MAILER(`cyrus')

If you want Sendmail to be able to receive mail from hosts other than itself, change this line from:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

to:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Next, execute:

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

You will then need to restart Sendmail:

service sendmail restart

You can test by sending a message:

# mail testuser@localhost
Subject: test
test
.

Make sure you put the "." on a line by itself at the end of the message.

The mail should show up in /var/spool/imap/t/user/testuser/ and you should be able to check it with any local POP3 client.
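As an added example (not code from the original article or from Red Hat), the following Python script parses the DAEMON_OPTIONS lines of a sendmail.mc file and reports which address each Sendmail daemon will bind to, so that the two edits shown above (removing Addr, or commenting the whole line out with dnl) can be checked for exposure before rebuilding sendmail.cf; the sample lines are constructed from the ones quoted above.

```python
import re

# Matches DAEMON_OPTIONS(`...') and captures the comma-separated option list.
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(\s*[`']([^']*)'\s*\)")

def parse_daemon_options(mc_text):
    """Return one dict of options per active DAEMON_OPTIONS line.

    A line beginning with dnl is an m4 comment and is skipped; the trailing
    dnl on an active line only swallows the newline and does not disable it.
    """
    daemons = []
    for raw in mc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("dnl"):
            continue
        match = DAEMON_RE.search(line)
        if not match:
            continue
        opts = {}
        for item in match.group(1).split(","):
            key, _, value = item.strip().partition("=")
            opts[key] = value
        daemons.append(opts)
    return daemons

def bind_summary(mc_text):
    """Map each daemon Name to the address it will listen on.

    An entry without Addr binds every interface; a file with no active
    DAEMON_OPTIONS at all gets sendmail's built-in default, which is a single
    SMTP listener on all interfaces.
    """
    daemons = parse_daemon_options(mc_text)
    if not daemons:
        return {"MTA": "0.0.0.0 (sendmail default: all interfaces)"}
    summary = {}
    for opts in daemons:
        summary[opts.get("Name", "MTA")] = opts.get("Addr", "0.0.0.0 (all interfaces)")
    return summary

# Constructed sample lines mirroring the three configurations discussed above.
LOCALHOST_ONLY = "DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl\n"
ALL_INTERFACES = "DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl\n"
COMMENTED_OUT = "dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl\n"

if __name__ == "__main__":
    for label, text in (("localhost only", LOCALHOST_ONLY),
                        ("Addr removed", ALL_INTERFACES),
                        ("line dnl'd out", COMMENTED_OUT)):
        print("%-15s %s" % (label, bind_summary(text)))
```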

How do I configure Samba to use domain accounts for authentication?

The following is a bare-bones smb.conf file that will authenticate users against a domain controller. Keep in mind that if you wish to apply user/group permissions locally, you should create identical user accounts on the Linux system. These accounts do not need login access, and it is advisable to set their shells to /bin/false.

Replace MACHINE with the NetBIOS name you wish your server to be known by; normally this is identical to your hostname. Replace the workgroup value (EXAMPLE below) with the name of the domain you wish to be a member of.

If password server = * is used, Samba will search for a domain controller to authenticate against. Alternatively, you can specify the IP address(es) of your domain controller(s).

[global]
workgroup = EXAMPLE
netbios name = MACHINE
security = domain
password server = *
encrypt passwords = Yes
preferred master = No
domain master = No

How do I join a Windows 2000/2003 Active Directory domain from Red Hat Enterprise Linux?

After configuring your /etc/samba/smb.conf and your /etc/krb5.conf files appropriately, enter the following command:
net ads join -U Administrator
You will then be prompted to enter the domain administrator's password. The domain joined is whatever the workgroup = field in smb.conf is set to. To verify that the join was successful, look for the server in the domain controller's server management tool.

How do I configure the Winbind service to authenticate itself so it is compatible with Windows domain controllers that restrict anonymous access to us

The Winbind service communicates with Domain Controllers (DCs) using anonymous (non-authenticated) connections by default, to properly emulate the behavior of legacy Windows clients such as NT and Win9x when requesting user and group data from DCs.

This behavior can cause problems for Winbind if the domain uses DCs which are set up to restrict anonymous access, for example if the Windows admin selected the "Permissions compatible with Windows 2000 servers only" option when adding the DC role to a Windows 2000 or Windows 2003 server. Although Winbind may be configured as recommended by Red Hat, the service may still fail to work properly because the DCs refuse to service anonymous requests.

If this option was chosen during DC setup, or other security policy changes have been made to the DC afterwards (perhaps even by the installation of a Windows service pack), the DC will refuse to provide the user and group information requested by Winbind unless the service has been configured to authenticate itself with a valid domain user account. As noted above, Winbind will use anonymous connections until configured to do otherwise.

The --set-auth-user option of the wbinfo command can be used to set a domain user account and password for the Winbind service to use. The user account specified needs to exist on the domain, but any regular user account should suffice; it should not be necessary to specify a Domain Admin account unless security policies and/or user rights have been extensively modified on the DCs.

Many system administrators will create a user on the domain named winbind for the Winbind service to use, so that Winbind's activities can be monitored or audited on the DC. The example command shown below assumes such a user exists on the domain.

When running wbinfo --set-auth-user, it is not necessary to provide the password for the specified domain user on the command line. wbinfo will prompt for the specified user's password and using the command in this manner prevents the user's password from being stored in the root user's command history:

# wbinfo --set-auth-user winbind
Password:
The username and password provided will be stored for future use. Care should be taken to type the user's password correctly when prompted, because no error message will be displayed if the password is entered incorrectly.

The command can be run again whenever necessary to change the username and/or password the Winbind service should use.

wbinfo --get-auth-user can be run to view the username and password currently set for the Winbind service:

# wbinfo --get-auth-user
TESTDOMAIN+winbind%thispassword
In the example output shown above, TESTDOMAIN is the example domain's "short" domain name and the string following the percent symbol - thispassword in this example - is the password set for the winbind user.

For more information regarding Winbind and Samba configuration, we would recommend the following sources of information:

The wbinfo man page, viewable by running the command man wbinfo.
The smb.conf man page, viewable by running the command man smb.conf.
The Samba documentation contained in /usr/share/doc/samba-, on any Red Hat system with the base samba RPM installed. Complete illustrated reference manuals are provided in both PDF and HTML formats in this directory.

I made some changes to my /etc/inittab file. How can I make those changes effective without rebooting?

To make changes to the /etc/inittab effective without a reboot, issue either of these two commands as the root user:
# init q

# telinit q
The init q or telinit q command wakes up init and tells it to re-examine the /etc/inittab file so changes to the file are effective immediately.

How do I change the runlevel for a system without rebooting?

To change the runlevel for a system without rebooting or changing the /etc/inittab file, execute the following command as the root user:

telinit followed by the runlevel number, where the runlevel has one of the following values:

0 - Halt
1 - Single-user mode
2 - Not used (user-definable)
3 - Full multi-user mode
4 - Not used (user-definable)
5 - Full multi-user mode (with an X-based login screen)
6 - Reboot

How do I change the system to boot into the graphical login (runlevel 5) instead of text mode (runlevel 3)?

In order to change what run level the system boots to, modify the /etc/inittab file. This is a sample from the inittab file:

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:
The runlevel is determined by this line:

id:3:initdefault:
Change the above line to:

id:5:initdefault:

Your system will now boot to runlevel 5, the graphical login.

How do I change the system to boot into text mode (runlevel 3) instead of the graphical login (runlevel 5)?

In order to change what runlevel the system boots to, modify the /etc/inittab file. This is a sample from the inittab file:

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:5:initdefault:
The runlevel is determined by this line:

id:5:initdefault:

Change the above line to:

id:3:initdefault:

Your system will now boot to runlevel 3, text mode.

How do I disable X from loading on start up, but start and exit the X Window System when I need to?

In order to disable X from loading during the boot sequence, it is recommended that you boot your system to runlevel 3. Booting your system to runlevel 3 will still allow you to log in as a system user but will provide a command line login instead of a graphical login. Once you are successfully logged in, you can then use the startx command to bring your system into graphical mode or runlevel 5:

startx
In order to shut down GNOME or KDE, go to your Main Menu and select the "Log Out" menu option. This should shut down the X Window System and return you to a command line, i.e. runlevel 3. In order to configure your system to boot into runlevel 3, you can modify the /etc/inittab file and change the id initdefault line to runlevel 3 as shown below:

# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:

Why does lsmod not show the mt or SCSI card modules as being loaded?

If lsmod does not show the mt or SCSI card modules as being loaded, you can load the SCSI modules by doing the following:

Determine which module your SCSI card uses, then load it followed by the SCSI tape driver (st), replacing module_name with your card's module:

# modprobe module_name
# modprobe st

The tape drive should now appear as a sequential-access device and you should be able to access it:

# cat /proc/scsi/scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
Vendor: SONY Model: SDX-400V Rev: 0101
Type: Sequential-Access ANSI SCSI revision: 02
------------------------------------------------------------------

Tuesday, April 1, 2008

How do I enforce user passwords to expire after a set amount of time?

To force users to change their passwords, the maximum password age (the maxdays value) has to be set for that user. An example of how to do this can be found below:

chage -M 30

The above will expire the associated user's password every 30 days. This can also be done when first assigning a password to a user when creating their account, with the command below:

passwd -x 30

It would also be wise to warn your users that their password is about to expire. This can be done by setting the warndays value as shown below:

chage -W 4

This will warn the user 4 days before their password expires that they will need to change it.

To retrieve expiry information about an existing account, use the command below:

chage -l

The above command will result in output like the following:

Minimum: 0
Maximum: 30
Warning: 4
Inactive: -1
Last Change: Mar 03, 2005
Password Expires: Apr 02, 2005
Password Inactive: Never
Account Expires: Never

Further information on all of the options for the chage and passwd commands can be found in the man pages. To view the manual pages, issue the commands below at a terminal:

man chage
man passwd

How can password expiration be turned off?

The password expiration information for a user is contained in the last 6 fields of the file /etc/shadow (the last field is reserved for future use). Password expiration for a particular user can be disabled by editing the shadow file and removing the values from the corresponding colon-delimited fields of that user's entry.

How do I set an expiration date for a user's password or lock out a user using User Manager?

To use the User Manager, you must be running the XWindow System, have root privileges, and have the redhat-config-users RPM package installed. To start the User Manager from the desktop, go to the Main Menu Button (on the Panel) => System Settings => Users & Groups. Or, type the command redhat-config-users at a shell prompt (for example, in an XTerm or a GNOME terminal).

Click the Account Info tab. Select Enable account expiration if you want the account to expire on a certain date. Enter the date in the provided fields. Select User account is locked to lock the user account so that the user cannot log in to the system.

How do I make users set a password the first time they log in using command line tools?

If a system administrator wants a user to set a password the first time the user logs in, the user's initial (null) password can be set to expire immediately, forcing the user to change it immediately after logging in for the first time.

To force a user to configure a password the first time the user logs in at the console, follow these steps. Note, this process does not work if the user logs in using the SSH protocol.

Lock the user's password. If the user does not exist, use the useradd command to create the user account, but do not give it a password so that it remains locked. If the password is already enabled, lock it with the command:

usermod -L username

Force immediate password expiration. Type the following command:

chage -d 0 username

This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
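As an added example (not code from the original article or from Red Hat), the following Python script reads the aging fields of /etc/shadow entries and reproduces what chage -l reports for the three situations covered above: a 30-day maximum with a 4-day warning, expiration turned off by clearing the max field, and chage -d 0 forcing a change at first login; the sample entries are constructed and the hashes are placeholders.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

def parse_shadow_line(line):
    """Split one /etc/shadow line into a dict; empty aging fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-delimited fields, got %d" % len(fields))
    rec = dict(zip(FIELDS, fields))
    for key in FIELDS[2:8]:                 # lastchg .. expire are day counts since the epoch
        rec[key] = int(rec[key]) if rec[key] != "" else None
    return rec

def fmt_day(days_since_epoch):
    """Render a day count the way chage -l prints dates, e.g. 'Mar 03, 2005'."""
    return (EPOCH + timedelta(days=days_since_epoch)).strftime("%b %d, %Y")

def aging_report(rec):
    """Return the facts chage -l prints for this entry, keyed by its labels."""
    last, mx, inact, exp = rec["lastchg"], rec["max"], rec["inactive"], rec["expire"]
    report = {
        "Minimum": rec["min"] if rec["min"] is not None else 0,
        "Maximum": mx if mx is not None else "Never",      # empty max field: expiry disabled
        "Warning": rec["warn"] if rec["warn"] is not None else 0,
        "Inactive": inact if inact is not None else -1,
        "Account Expires": fmt_day(exp) if exp else "Never",
    }
    if last == 0:
        # lastchg 0 is what chage -d 0 writes: a change is forced at the next login
        for key in ("Last Change", "Password Expires", "Password Inactive"):
            report[key] = "password must be changed"
    elif last is None or mx is None:
        report["Last Change"] = fmt_day(last) if last is not None else "Never"
        report["Password Expires"] = "Never"
        report["Password Inactive"] = "Never"
    else:
        report["Last Change"] = fmt_day(last)
        report["Password Expires"] = fmt_day(last + mx)
        report["Password Inactive"] = fmt_day(last + mx + inact) if inact is not None and inact >= 0 else "Never"
    return report

def must_change_password(rec, today):
    """True when a login on `today` (a datetime.date) will demand a new password."""
    last, mx = rec["lastchg"], rec["max"]
    if last == 0:
        return True
    if last is None or mx is None:
        return False
    return (today - EPOCH).days > last + mx

# Constructed sample entries; the hashes are placeholders, not real password hashes.
SAMPLE = [
    "testuser:$1$placeholder:12845:0:30:4:::",   # the account shown in the chage -l output above
    "service:$1$placeholder:12845:0:::::",       # max field cleared: expiration turned off
    "newhire:$1$placeholder:0:0:30:4:::",        # after chage -d 0 newhire
]
```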

How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 2.1?

The PAM (Pluggable Authentication Modules) module pam_tally keeps track of unsuccessful login attempts and disables user accounts when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts (deny=3 refuses access once the tally exceeds 3), two entries need to be added to the /etc/pam.d/system-auth file:


auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

In addition, run the command touch /var/log/faillog to create this empty file. This is where the attempts will be logged.

The options used above are described below:

onerr=fail
This determines how the module reacts if something unexpected happens, such as being unable to open the tally file; with onerr=fail the module returns failure in that case.

no_magic_root
This indicates that if the module is invoked by a user with uid=0, the counter is still incremented. The sysadmin should use this for daemon-launched services, like telnet/rsh/login.

deny=3
The deny=3 option is used to deny access if tally for this user exceeds 3.

reset
The reset option instructs the module to reset count to 0 on successful entry.


See below for a complete example of implementing this type of policy:

auth required /lib/security/pam_env.so
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so deny=5 no_magic_root reset

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

For more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-

How do I prevent the reuse of old passwords?

Resolution: The PAM module pam_unix.so can be configured to maintain a list of old passwords for every user, prohibiting the reuse of old passwords. The list is located in the /etc/security/opasswd file. This is not a plain text file, but it should be protected the same as the /etc/shadow file. This is normally referred to as password history.

To remember the last 15 passwords, add the line below to the /etc/pam.d/system-auth file:


password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=15



You can replace the number 15 used above with an integer you want, to enforce your password security policy.

How do I disable null passwords?

Resolution: A null password allows users to log onto a system without having to first supply a valid password string. When users have null passwords, they can press the [Enter] key when prompted for a password and gain access to the system without a password. This poses a significant security risk to the system and to the accountability of actions performed by users.

To disable null passwords make a backup of the /etc/pam.d/system-auth file, then modify the original by removing nullok from one of the lines.
Backup /etc/pam.d/system-auth
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup
Remove nullok from the following line in /etc/pam.d/system-auth


auth sufficient /lib/security/pam_unix.so likeauth nullok


After removal, the line should look like:


auth sufficient /lib/security/pam_unix.so likeauth
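As an added example (not code from the original article or from Red Hat), the following Python script parses a PAM stack such as /etc/pam.d/system-auth and audits the three policies described in the last sections: pam_tally lockout, pam_unix password history (remember=N) and null passwords (nullok); the embedded sample stack is constructed from the complete example quoted above, with nullok still present.

```python
def parse_pam(text):
    """Return (type, control, module, args) for each active line, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed PAM line: %r" % raw)
        if parts[1].startswith("["):            # bracketed control such as [default=die]
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), len(parts) - 1)
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if not rest:
            raise ValueError("PAM line has no module: %r" % raw)
        module = rest[0].rsplit("/", 1)[-1]     # strip the /lib/security/$ISA/ path
        entries.append((parts[0], control, module, rest[1:]))
    return entries

def option_value(args, name):
    """Value of a key=value module option such as deny=3, or None if absent."""
    for arg in args:
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None

def audit(text):
    """Findings for the lockout, password-history and null-password policies."""
    entries = parse_pam(text)
    def select(ptype, module):
        return [e for e in entries if e[0] == ptype and e[2] == module]
    tally_auth, tally_acct = select("auth", "pam_tally.so"), select("account", "pam_tally.so")
    unix_auth, unix_pw = select("auth", "pam_unix.so"), select("password", "pam_unix.so")
    deny = option_value(tally_acct[0][3], "deny") if tally_acct else None
    remember = option_value(unix_pw[0][3], "remember") if unix_pw else None
    return {
        # lockout needs the auth line (counts failures) and the account line (enforces deny=N)
        "lockout_threshold": int(deny) if tally_auth and deny else None,
        "lockout_resets_on_success": bool(tally_acct) and "reset" in tally_acct[0][3],
        "password_history": int(remember) if remember else 0,
        "null_passwords_allowed": any("nullok" in e[3] for e in unix_auth),
    }

# Constructed sample: the complete example above, before nullok is removed.
SAMPLE_SYSTEM_AUTH = """\
auth required /lib/security/pam_env.so
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so deny=5 no_magic_root reset
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
"""
```

Running audit(SAMPLE_SYSTEM_AUTH) flags the null-password line and the missing remember= option; after the two edits described above the same audit reports them as fixed.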