Much Todo About Linux/RHEL Passwords

My latest gig requires me to know more about passwords, password expiration, and password policies than I have ever had to know before. On the surface this is a bad thing, as it makes my job much harder: I have to maintain more passwords on more individual systems than I can shake a stick at (seriously, no LDAP or anything). On the plus side, I am learning a few things here and there that I never had to know before. I thought I would take this opportunity to jot down a few of the things that I have learned.

Password Reuse Policy

The configuration item for this can be changed by editing the following file.


Look for the line that ends in "remember". The example below remembers the last 5 passwords and will not allow you to reuse any of those 5.

password    sufficient sha512 shadow nullok try_first_pass remember=5

The old password hashes are actually stored in the text file /etc/security/opasswd.

Password Aging Policy

The configuration for password aging is found in /etc/login.defs. Below I am requiring users to change their password every 28 days, forcing them to keep a password for at least 7 days before changing it, configuring the minimum password length, and setting the number of days of warning that will be given before I expire a password.


Password Encryption Method

This is also set in /etc/login.defs. Here I am using SHA512.

# Use SHA512 to encrypt password.

Password Complexity Settings

Take a look at the line below from /etc/pam.d/system-auth.

password    requisite min=disabled,disabled,8,8,8 enforce=everyone retry=3

Ok now this one is a bit tricky, but the above essentially disallows passwords from any single character class, disallows a password with only two character classes, sets a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters for a password from four character classes.

Locking User Accounts Based on Failed Logins

Ok so this one also comes from /etc/pam.d/system-auth.

auth        required deny=3 onerr=fail unlock_time=300 magic_root

Above I am locking at 4 failed logins, and locking the user for 300 seconds, or 5 minutes. Man I am an ass.
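To turn the reuse, aging, hashing, complexity and lockout settings above into something that can be checked on each box (useful when there is no central directory and every system is configured by hand), here is an added example of a small audit script. It is not from the original post: the two sample files are constructed inline so it runs offline, and the PAM module names (pam_unix.so, pam_passwdqc.so, pam_tally2.so), the login.defs values and the numeric bounds it enforces are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a login.defs file and a PAM
# system-auth file against the password policy described in the post.
# Sample inputs are constructed inline; module names and bounds are assumptions.

SAMPLE_LOGIN_DEFS=$(mktemp)
cat >"$SAMPLE_LOGIN_DEFS" <<'EOF'
# Constructed /etc/login.defs fragment: 28-day maximum, 7-day minimum age
PASS_MAX_DAYS   28
PASS_MIN_DAYS   7
PASS_MIN_LEN    8
PASS_WARN_AGE   7

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
EOF

SAMPLE_PAM=$(mktemp)
cat >"$SAMPLE_PAM" <<'EOF'
# Constructed /etc/pam.d/system-auth fragment; only the lines the audit reads.
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=300 magic_root
password    requisite     pam_passwdqc.so min=disabled,disabled,8,8,8 enforce=everyone retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
EOF

# Weakened copies for comparison: no lockout line, no password history, MD5 hashes.
SAMPLE_PAM_WEAK=$(mktemp)
grep -v '^auth' "$SAMPLE_PAM" | sed 's/ remember=5//' >"$SAMPLE_PAM_WEAK"
SAMPLE_LOGIN_DEFS_WEAK=$(mktemp)
sed 's/^ENCRYPT_METHOD SHA512/ENCRYPT_METHOD MD5/' "$SAMPLE_LOGIN_DEFS" >"$SAMPLE_LOGIN_DEFS_WEAK"

# login_def FILE KEY -> prints the value of KEY from the first non-comment match
# (comment lines have "#" as their first field, so they never match a key).
login_def() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# pam_opt FILE TYPE OPTION -> prints the value of OPTION=... on the first line
# whose first field is TYPE (auth, password, ...) and that carries the option.
pam_opt() {
    awk -v type="$2" -v opt="$3" '
        $1 == type {
            for (i = 3; i <= NF; i++)
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        }' "$1"
}

# check_policy LOGIN_DEFS PAM_FILE -> prints "ok" and returns 0 when every setting
# is present and within the (assumed) bounds; otherwise lists the failing
# settings after "FAIL:" and returns 1.
check_policy() {
    fails=""
    v=$(login_def "$1" PASS_MAX_DAYS);   { [ -n "$v" ] && [ "$v" -le 90 ]; }  || fails="$fails PASS_MAX_DAYS"
    v=$(login_def "$1" PASS_MIN_DAYS);   { [ -n "$v" ] && [ "$v" -ge 1 ]; }   || fails="$fails PASS_MIN_DAYS"
    v=$(login_def "$1" PASS_MIN_LEN);    { [ -n "$v" ] && [ "$v" -ge 8 ]; }   || fails="$fails PASS_MIN_LEN"
    v=$(login_def "$1" PASS_WARN_AGE);   { [ -n "$v" ] && [ "$v" -ge 7 ]; }   || fails="$fails PASS_WARN_AGE"
    v=$(login_def "$1" ENCRYPT_METHOD);  [ "$v" = SHA512 ]                    || fails="$fails ENCRYPT_METHOD"
    v=$(pam_opt "$2" password remember); { [ -n "$v" ] && [ "$v" -ge 5 ]; }   || fails="$fails remember"
    v=$(pam_opt "$2" auth deny);         { [ -n "$v" ] && [ "$v" -le 5 ]; }   || fails="$fails deny"
    v=$(pam_opt "$2" auth unlock_time);  { [ -n "$v" ] && [ "$v" -ge 300 ]; } || fails="$fails unlock_time"
    if [ -z "$fails" ]; then
        echo ok
        return 0
    fi
    echo "FAIL:$fails"
    return 1
}

# Run against the constructed samples; on a real host you would pass
# /etc/login.defs and /etc/pam.d/system-auth instead.
check_policy "$SAMPLE_LOGIN_DEFS" "$SAMPLE_PAM"
check_policy "$SAMPLE_LOGIN_DEFS_WEAK" "$SAMPLE_PAM_WEAK" || true
```

The bounds in check_policy are deliberately looser than the post's own values (for example it accepts any PASS_MAX_DAYS up to 90) so the same script can be run across systems with slightly different policies; tighten them to match whatever baseline you actually enforce.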



LSI MegaCLI — Check For Failed Raid Controller Battery

There are several tools that you can use to monitor and configure an LSI SAS controller, however as I have found, some are easier than others to use and some do not always display the correct information.

In my case my controller is a SAS 9260-8i, and when building a server I always make sure that I install the MegaRaid Storage Manager GUI for configuring disks and setting up email alerts. However I have often found that this tool is sometimes confusing to use for other tasks, so I also make sure that I install MegaCLI (the command line interface). Both utilities can be downloaded directly from LSI here.

MegaRaid Storage Manager installs to /usr/local/MegaRAID Storage Manager, while the cli installs via rpm to /opt/MegaRAID/MegaCli.

Anyway, to check the battery status run the following (note I am running a 64-bit OS):

#>./MegaCli64 -AdpBbuCmd -aAll

Your output will be lengthy, but look for the line below to know if you need to replace your battery backup unit (BBU).

Battery Replacement required            : Yes
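Since the MegaCli output is long and the interesting line is easy to miss, here is an added example (not from the original post) of a small shell check that parses saved `MegaCli64 -AdpBbuCmd -aAll` output for the "Battery Replacement required" field and reports it in the OK/CRITICAL/UNKNOWN style most monitoring agents expect. The sample output is constructed and trimmed; apart from the field name shown above, the other lines in it are assumptions and only the replacement field is relied on.

```shell
#!/bin/sh
# Added example (not from the original post): parse saved MegaCli BBU output for
# the "Battery Replacement required" field. Sample output is constructed.

SAMPLE_BBU_BAD=$(mktemp)
cat >"$SAMPLE_BBU_BAD" <<'EOF'
BBU status for Adapter: 0

BatteryType: iBBU
Voltage: 4005 mV
Current: 0 mA
Temperature: 31 C
Battery State: Failed

BBU Firmware Status:

  Charging Status              : None
  Battery Replacement required            : Yes

Exit Code: 0x00
EOF

# A healthy variant of the same output for comparison.
SAMPLE_BBU_GOOD=$(mktemp)
sed -e 's/: Yes$/: No/' -e 's/State: Failed/State: Optimal/' "$SAMPLE_BBU_BAD" >"$SAMPLE_BBU_GOOD"

# bbu_replacement_required FILE -> prints Yes or No from the field, or UNKNOWN
# when the field is absent (for example if the adapter has no BBU at all).
bbu_replacement_required() {
    awk -F':' '/Battery Replacement required/ { gsub(/[[:space:]]/, "", $2); print $2; found = 1; exit }
               END { if (!found) print "UNKNOWN" }' "$1"
}

# bbu_check FILE -> prints a one-line status and returns 0 (ok), 2 (critical)
# or 3 (unknown), matching the usual monitoring plugin exit codes.
bbu_check() {
    state=$(bbu_replacement_required "$1")
    case "$state" in
        No)  echo "OK - BBU does not need replacement"; return 0 ;;
        Yes) echo "CRITICAL - BBU replacement required"; return 2 ;;
        *)   echo "UNKNOWN - replacement field not found in MegaCli output"; return 3 ;;
    esac
}

# Live use (path taken from the rpm install location mentioned in the post; not run here):
#   /opt/MegaRAID/MegaCli/MegaCli64 -AdpBbuCmd -aAll > /tmp/bbu.txt && bbu_check /tmp/bbu.txt
bbu_check "$SAMPLE_BBU_GOOD"
bbu_check "$SAMPLE_BBU_BAD" || true
```

Running the check from cron and alerting on a non-zero exit status catches a failed BBU long before the GUI's email alert is noticed, and the UNKNOWN branch keeps a missing field from being silently read as healthy.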

Two additional useful commands are:

  • megacli -AdpAllInfo -aALL lists all the adapters in the machine
  • megacli -PDList -aALL lists all disks and enclosures

Note that there is an open source CLI called Megactl, and while it's quick and easy to use to see a quick list of your disks and their statuses, it has not shown itself to be accurate when it comes to detecting whether or not a battery has failed. You can get it here.

Additional MegaCli commands can be found here.