A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.
Minimum Password Length
By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below.
password required pam_unix.so nullok obscure min=4 max=8 md5
If you would like to adjust the minimum length to 6 characters, change the appropriate variable to min=6. The modification is outlined below.
password required pam_unix.so nullok obscure min=6 max=8 md5
The max=8 variable does not represent the maximum length of a password. It only means that complexity requirements will not be checked on passwords over 8 characters. You may want to look at the libpam-cracklib package for additional password entropy assistance.
When creating user accounts, you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire.
•To easily view the current status of a user account, use the following syntax:
sudo chage -l username
The output below shows interesting facts about the user account, namely that there are no policies applied:
Last password change : Jan 20, 2008 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7
•To set any of these values, simply use the following syntax, and follow the interactive prompts:
sudo chage username
The following is also an example of how you can manually change the explicit expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after password expiration, and a warning time period (-W) of 14 days before password expiration.
sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username
•To verify changes, use the same syntax as mentioned previously:
sudo chage -l username
The output below shows the new policies that have been established for the account:
Last password change : Jan 20, 2008 Password expires : Apr 19, 2008 Password inactive : May 19, 2008 Account expires : Jan 31, 2008 Minimum number of days between password change : 5 Maximum number of days between password change : 90 Number of days of warning before password expires : 14
Other Security Considerations
Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators. Therefore, it is important to understand and control how users authenticate and gain access to services and applications on your server.
SSH Access by Disabled Users
Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access. e.g. /home/username/.ssh/authorized_keys.
Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication capabilities.
Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found.
Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the AllowGroups variable located in the file /etc/ssh/sshd_config.
Then add your permitted SSH users to the group "sshlogin", and restart the SSH service.
sudo adduser username sshlogin sudo /etc/init.d/ssh restart