Much Todo About Linux/RHEL Passwords

CryptographyMy latest gig requires me to know more about passwords, password expiration, and password policies than I have ever had to know before. Now on the surface this is a bad thing, as it makes my job much harder as I have to maintain more passwords on more individual systems than I can shake a stick at (seriously no ldap or anything), however on the plus side I am learning a few things here and there that I never had to know before. I thought I would take this oportunity to got down a few of the things that I have learned.

Password Reuse Policy

The configuration item for this can be changed by editing the following file.

/etc/pam.d/system-auth

look for the line that ends in "remember". The example below will remember the last 5 passwords, and will not allow you to reuse one of these last 5.

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass remember=5

Old passwords are actually stored in the following text file /etc/security/opasswd.

Password Aging Policy

The configurations for password aging are found in /etc/login.defs. Below I am requiring users to change there password every 28 days, forcing them to keep the a password for at least 7 days before changing it, configuring the minimum password length, and setting the number of days warning that will be given before I expire a password.

PASS_MAX_DAYS   28
PASS_MIN_DAYS   7
PASS_MIN_LEN    8
PASS_WARN_AGE   7

Password Encryption Method

This is also stored in the /etc/login.defs. Here I am using SHA512.

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

Password Complexity Settings

Take a look at the line below from /etc/pam.d/system-auth

password    requisite     pam_passwdqc.so min=disabled,disabled,8,8,8 enforce=everyone retry=3

Ok now this one is a bit tricky, but the above essentially disallows passwords from any single character
class, and disallows a password with only two character classes, sets a minimum length of 8 characters for a
passphrase, a minimum length of 8 characters for a password from any
three character classes, and a minimum length of 8 characters from
four character classes.

Locking User Accounts Based on Failed Logins

Ok so this one also comes from /etc/pam.d/system-auth.

auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300 magic_root

Above I am locking at 4 failed logins, and locking the user for 300 seconds, or 5 minutes. Man I am an ass.

 

Related articles

How Do I Create a Strong Password?
Simple solution to the password reuse problem.
The Most Unsafe Passwords of 2012 Look a Lot Like the Ones from 2011

LSI MegaCLI — Check For Failed Raid Controller Battery

701590_rusty_batteryThere are several tools that you can use to monitor and configure and LSI SAS controller, however as I have found, some are easier than others to use and some do not always display the correct information.

In my case my controller is a SAS 9260-8i, and when building a server I always make sure that I install the MegaRaid Storage Manager gui for configuring disks and setting up email alerts. However I have often found that this tool is sometimes confusing to use for other tasks so I also make sure that I install the MegaCLI (command line interface). Both utilities can be downloaded directly from LSI here.

MegaRaid Storage Manager installs to /usr/local/MegaRAID Storage Manager, while the cli installs via rpm to /opt/MegaRAID/MegaCli.

Anyway to check the battery status run the following (note i am running 64 bit os)

#>./MegaCli64 -AdpBbuCmd -aAll

Your output will be lengthy – but look for the line below to know if you need to replace your BBU.

Battery Replacement required            : Yes

Two additional usefully commands are:

  • megacli -AdpAllInfo -aALL lists all the adapters in the machine
  • megacli -PDList -aALL lists all disks and enclosures

Note that there is an open source CLI called Megactl, and while its quick and easy to use to see a quick list of your disks and their statuses, its not shown itself to be accurate when it comes to detecting whether or not a battery has failed. You can get it here

Additonal Megacli command can be found here; https://twiki.cern.ch/twiki/bin/view/FIOgroup/DiskRefPerc