Saturday 15 September 2012

SSH : Passwordless - Linux/Windows

Concepts:

Public key: it is not really a key; think of it as a lock. You can make as many copies as you like and distribute them wherever you wish. On the server it goes into the ".ssh/authorized_keys" file (one key per line) of the account you want to log in to.

Private key: this is the actual key, the one that opens the lock (the public key). The public key can be distributed anywhere, as long as the private key is not compromised. Running "ssh-keygen" produces both the private (id_rsa) and the public (id_rsa.pub) key.




Pass phrase - what exactly is this?
The private key file is encrypted with another secret, the pass phrase. It is the equivalent of putting the private key in a combination-lock safe, which adds one more layer of protection: if the private key file falls into the wrong hands, the thief still needs the pass phrase to use it. It protects the file at rest only; once the key is loaded into an agent (ssh-agent, Pageant) it is usable without the pass phrase until the agent is cleared.




You can generate either an RSA or a DSA key pair (ssh-keygen -t rsa / -t dsa). The key signs the server's authentication challenge; it does not encrypt the session traffic. Prefer RSA: OpenSSH DSA keys are fixed at 1024 bits.

Case 1: Windows to Linux server.
For Linux administrators who use Windows as their desktop OS, PuTTY is the tool. This tutorial saves you time administering your servers: you no longer have to type a username and password on every login.

I am trying to create an ssh2-rsa passwordless authentication from Windows to a Linux server.

Here are the steps:
1.   Download PuTTY and PuTTYgen.
2.   Open PuTTYgen, select SSH-2 RSA, and click Generate.
3.   Move your mouse around in the blank area; the movement feeds the random number generator that produces the key pair.
4.   Enter a key passphrase, save the private key (.ppk), and copy the public key from the "Public key for pasting into OpenSSH authorized_keys file" box. That box holds the one-line OpenSSH format the server expects; the "Save public key" button writes a PuTTY-specific format that sshd does not read.
5.   Open your PuTTY session:
              enter the hostname or IP address.
              Connection -> Data -> enter "root" for the auto-login username (an unprivileged account plus sudo is safer; key logins as root also need PermitRootLogin set to yes or without-password in sshd_config).
              Connection -> SSH -> Auth -> browse to the private key (from step 4).
              save your session.
6.   Log in to the server with your password, paste the public key as a single line into the file below, and quit. The ".ssh" directory must be mode 700 and authorized_keys mode 600, otherwise sshd (StrictModes) ignores the file.
      [root@server ~]# vim .ssh/authorized_keys
7.  You should now be able to log in to your server without the account password (you will be asked for the key passphrase, unless Pageant holds the key).




Case 2: Linux to Linux server
  
1. Create the key pair on the client (the machine you log in from), not on the server.
     [root@client ~]# ssh-keygen -t rsa
2. View your public key once it is generated.
     [root@client ~]# cat .ssh/id_rsa.pub
3. Append the public key to the ".ssh/authorized_keys" file in the destination user's home directory on the server (ssh-copy-id -i ~/.ssh/id_rsa.pub user@server does this for you and sets the 700/600 permissions). The private key (id_rsa) stays on the client.


Once that is done, passwordless authentication works: ssh user@server logs you in without prompting for the account password.
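Both cases end with the same manual step: putting one public-key line into authorized_keys. The function below is an added example (not from the original post) that does that step safely: it refuses anything that is not an OpenSSH one-line public key, appends the key only if it is not already there, and sets the permissions sshd's StrictModes requires. The function name and the sample key in the usage line are this example's own, not the author's.

```sh
#!/bin/sh
# install_authorized_key "<public key line>" [home_dir]
# Added example: install an OpenSSH public key into home_dir/.ssh/authorized_keys
# (default: $HOME) with 700/600 permissions and without duplicates.
install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Only the one-line OpenSSH format works here; a PuTTY "Save public key"
    # file or a truncated paste is rejected instead of silently breaking login.
    case "$key" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $key" >&2; return 1 ;;
    esac

    # StrictModes: sshd ignores authorized_keys if .ssh or the file is
    # writable by others, so fix the modes every time.
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Compare on "type blob" only, so the same key with a different comment
    # is not added twice.
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$authfile" | grep -qxF "$blob"; then
        echo "key already present in $authfile"
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
    echo "key added to $authfile"
}

# Usage with a constructed (not real) key, installing into the current home:
# install_authorized_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedkey user@host"
```

Run it on the server as the target user, or pass that user's home directory as the second argument when running as root (then chown the result to the user). After the first successful key login, set PasswordAuthentication no in sshd_config if you want the key to be the only way in.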

Sunday 9 September 2012

IT password policies

Objective: Implementation of IT password policies.

Environment: Redhat Linux 5.0 32-bit.

Descriptions:

Having worked in the IT industry for quite a long time, I always thought of implementing in Linux Enterprise/Workstation the password policies that are applied in Active Directory (Windows Server).

Browsing the Internet, I found the policies below to be among the best, and configured them successfully in Linux.

1. Min length 8 characters (at least 3 upper case, 2 lower case, 2 digits and 1 special character, as configured in the pam_cracklib line below; no dictionary words).
2. Password history - the last 3 passwords cannot be reused, and a new password must contain at least 5 characters that are not in the old one.
3. Max password age - 60 days.
4. Minimum days for password change - 30 days
5. Warning before password expiry - 15 days.
6. Account lockout threshold - 3 times.
7. Account lockout duration - 30 mins.

In order to understand the above, I suggest you know the following prerequisites:

1. PAM (Pluggable Authentication Modules).
2. Shadow password suite.
3. User administration.

Summary:

1. By default, the minimum password length is 5 (PASS_MIN_LEN in /etc/login.defs). It is overridden by the pam_cracklib module's minlen, which can also demand a mix of upper case, lower case, digits and special characters.

2. Password history is enforced by the remember option of pam_unix; the difok parameter of pam_cracklib controls how different the new password must be from the old one.

All PAM entries go in the configuration file "/etc/pam.d/system-auth". On Red Hat 5 that file is a symlink to system-auth-ac, which authconfig regenerates; keep your edits in a local copy and point the symlink at it, or they will be overwritten.

password  required pam_cracklib.so dcredit=-2 ucredit=-3 ocredit=-1 lcredit=-2 minlen=8 difok=5

pam_cracklib: checks the new password against the cracklib dictionary and against the old password (too similar, a palindrome, only the case changed), and enforces the character-class minimums below.
dcredit= credit for digits in the new password.
ucredit= credit for upper case letters in the new password.
lcredit= credit for lower case letters in the new password.
ocredit= credit for other characters (punctuation, symbols) in the new password.
A positive value N means each character of that class counts as an extra credit towards minlen (at most N credits); a negative value -N means the password must contain at least N characters of that class and earns no credit for them. The line above therefore demands at least 3 upper case, 2 lower case, 2 digits and 1 other character, 8 characters in all.
difok=5: at least 5 characters of the new password must not be present in the old password; if half or more of the new password's characters differ from the old one, it is accepted anyway.

3. Max password age, warning and minimum days between password changes are set in "/etc/login.defs".
/etc/login.defs: defines the site-specific configuration for the shadow password suite. These values are applied when an account is created (useradd); for existing accounts set them with chage -M 60 -m 30 -W 15 <user>.

PASS_MAX_DAYS 60
PASS_MIN_DAYS   30
PASS_MIN_LEN    8
PASS_WARN_AGE   15

4. Password history: the system must remember the last 3 passwords and refuse them. (Locking the account after 3 bad attempts is item 5 below.)
pam_unix: the standard UNIX authentication module; it uses the system libraries to read account information (/etc/passwd and /etc/shadow), to authenticate, and to change passwords.

The remember option belongs on the password line of pam_unix, not on the auth line (where it has no effect). With use_authtok it takes the new password that pam_cracklib has already vetted:

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=3

Q. How does the system know your old passwords?
Solution:
Once remember is enabled, pam_unix writes the hashes of previous passwords to "/etc/security/opasswd" (create it with mode 600 if it does not exist) and rejects a new password whose hash matches one of the last 3. The pam_cracklib checks (dictionary, difok) run before it and compare the new password against the current one.

5. In a bigger organisation, every locked-out account should not need a helpdesk case for a reset, so enable an "auto-unlock" mechanism on your accounts.
pam_tally.so: login counter module.

auth required pam_tally.so onerr=fail deny=3 unlock_time=1800

This line goes before pam_unix in the auth stack, so every attempt is counted before the password is checked. onerr=fail means that if the tally file cannot be opened, the login is denied rather than allowed. Pair it with an account entry for pam_tally.so, which resets the counter after a successful login; without it, three failures spread over months lock the account. Root is only counted, not locked, unless even_deny_root_account is added, so test the setup with a normal user from a second session before you rely on it.

Q. How does the system know how many attempts were made?
Solution:
The module keeps a count of attempted accesses in /var/log/faillog (the same file the faillog command reads), resets the count on success, and denies access when too many attempts fail.

After three failed attempts the account is locked out; unlock_time=1800 means it is unlocked automatically after 30 minutes.

Q. How does a UNIX administrator see the attempts?
Solution:  

1. The account was locked because of bad password attempts; the failure count reads 3:
     [root@server ~]# faillog -u sunil
     Login       Failures Maximum                 Latest   On
     sunil          3        0   09/09/12 08:38:44 +0530  192.168.56.

2. Reset the user's failure count immediately (this unlocks the account before unlock_time expires):
     [root@server ~]# faillog -r sunil  
     
3. Verify the user's account:
     [root@server ~]# faillog -u sunil
     Login       Failures Maximum Latest   On
     sunil           0      0   09/09/12 08:39:46 +0530  192.168.56.

Most users are aware of password policies in general, but I wanted to show the exact requirements to every user who is about to change their password.

When a password is changed, the pam_echo module prints the contents of the given file, so put it first in the password stack and users see the requirements before the new-password prompt:
password    required      pam_echo.so file=<path of the file>

Path to file contains the below:

Hi Users,
                   Know your password & account policies:

 *       Minimum length 8 characters, with at least 3 upper case, 2 lower case, 2 digits and 1 special character.
 *       Do not reuse any of your last 3 passwords, and change at least 5 characters.
 *       Maximum password age is 60 days.
 *       Minimum time between password changes is 30 days.
 *       You are warned 15 days before the password expires.
 *       Three bad password attempts will lock your account.
 *       The account is unlocked automatically after 30 minutes.
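The pieces above assembled into one /etc/pam.d/system-auth, in the order the modules need. This is an added example and not a copy of the author's file: the pam_echo file path is an assumed name, and the pam_env, pam_succeed_if, pam_deny and pam_permit lines are the Red Hat 5 authconfig defaults that surround the policy lines.

```text
#%PAM-1.0
# auth: pam_tally counts the attempt before pam_unix checks the password;
# onerr=fail denies the login if the tally file cannot be read.
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

# account: the pam_tally account line resets the counter after a successful login
account     required      pam_unix.so
account     required      pam_tally.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# password: show the policy text, check strength, then set the password
# and record its hash in /etc/security/opasswd (remember=3).
# /etc/security/password-policy.txt is an assumed path for the message file.
password    required      pam_echo.so file=/etc/security/password-policy.txt
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-3 lcredit=-2 dcredit=-2 ocredit=-1 difok=5
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=3
password    required      pam_deny.so

# session: unchanged from the authconfig defaults
```

pam_cracklib is "requisite" rather than "required" here so that a rejected password stops the stack immediately instead of letting pam_unix prompt again. Keep a root shell open while you test: a mistake in the auth stack can lock everyone out, and root is exempt from the pam_tally lock only as long as even_deny_root_account is absent.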

To help with the above, you can use the "genpasswd()" shell function below, which generates a random password.
Below is the code.

Note:
The function draws only from letters, digits and underscore and does not enforce the class counts, so a password it returns may still be rejected by pam_cracklib (the sample output below has only two upper-case letters and one digit). Re-run it until the result fits the policy, or use it as a starting point.

  1. Open your .bashrc, paste the code below and source it.
  # genpasswd [LENGTH]: LENGTH random characters from [A-Za-z0-9_], default 16
  genpasswd() {
            local l=$1
            [ "$l" == "" ] && l=16
            # tr -dc keeps only the listed characters, head cuts at LENGTH, echo adds the newline
            tr -dc A-Za-z0-9_ < /dev/urandom | head -c "${l}"; echo
  }

[root@server ~]# genpasswd 8
e0iqswVI
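Because genpasswd does not know about the class counts, the added example below (not part of the original post) checks a candidate against the minimums configured in the pam_cracklib line (minlen=8, ucredit=-3, lcredit=-2, dcredit=-2, ocredit=-1) and reports the first rule it fails, and a second function keeps drawing random candidates until one passes. The function names are this example's own. The dictionary, palindrome and difok checks that pam_cracklib also performs are not reproduced, so the final word still belongs to passwd.

```sh
#!/bin/sh
# Added example: check and generate passwords against the pam_cracklib
# settings used on this page. Not the author's genpasswd.

# count_class STRING CLASS: number of characters of STRING in the tr class CLASS
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# check_policy PASSWORD: return 0 if it meets the configured minimums,
# otherwise print the first failing rule and return 1.
check_policy() {
    p="$1"
    len=$(printf '%s' "$p" | wc -c | tr -d ' ')
    [ "$len" -ge 8 ] || { echo "too short: $len < minlen=8"; return 1; }
    [ "$(count_class "$p" 'A-Z')" -ge 3 ] || { echo "needs 3 upper case letters (ucredit=-3)"; return 1; }
    [ "$(count_class "$p" 'a-z')" -ge 2 ] || { echo "needs 2 lower case letters (lcredit=-2)"; return 1; }
    [ "$(count_class "$p" '0-9')" -ge 2 ] || { echo "needs 2 digits (dcredit=-2)"; return 1; }
    # "other" = anything that is not a letter or digit
    [ "$(count_class "$p" 'A-Za-z0-9')" -lt "$len" ] || { echo "needs 1 other character (ocredit=-1)"; return 1; }
    return 0
}

# genpolicypasswd [LENGTH]: draw candidates from a printable ASCII set until
# one satisfies check_policy. At length 8 about one candidate in forty
# passes, so this returns almost immediately.
genpolicypasswd() {
    l="${1:-12}"
    [ "$l" -ge 8 ] || l=8
    while :; do
        c=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$l")
        if check_policy "$c" >/dev/null; then
            printf '%s\n' "$c"
            return 0
        fi
    done
}

# Usage:
#   check_policy e0iqswVI        -> "needs 3 upper case letters (ucredit=-3)"
#   genpolicypasswd 8            -> an 8-character password that passes check_policy
```

Give check_policy the password a user is about to choose and the message tells them which rule they miss, which is more helpful than the generic "BAD PASSWORD" that passwd prints.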

References:

The best documentation is the man pages (pam_cracklib(8), pam_unix(8), pam_tally(8), pam_echo(8), login.defs(5), faillog(8)) and the module texts under /usr/share/doc/pam-0.99.6.2/txts.

Objective successful