Enable password aging on Linux systems

Vincent Danen shows you how to enable password aging--a mechanism that allows you to enforce your password policy for users.

Password aging is a mechanism that allows the system to enforce a certain lifetime for passwords. While this may be moderately inconvenient for users, it ensures that passwords are changed occasionally, which is a good security practice. Most Linux distributions do not enable password aging by default, but it's very easy to enable.

By editing /etc/login.defs, you can specify a few parameters to set the default settings for password aging:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

This effectively disables password aging by setting the number of days that a password is valid to 99,999. A more sensible setting would be 60, forcing a password change every two months. PASS_MIN_DAYS is the number of days that must pass after a password change before the user is allowed to change it again. PASS_WARN_AGE is the number of days before a password expires during which users are warned about it (the warning is shown when they log in).

You will also want to edit the /etc/default/useradd file, looking for the INACTIVE and EXPIRE keywords:

INACTIVE=14
EXPIRE=

INACTIVE sets how many days after a password has expired, without being changed, the account is disabled; in this case, 14 days. EXPIRE sets an explicit expiration date for all new users, in the format YYYY-MM-DD.

These settings, of course, only affect newly created users after the settings have been changed. To update the settings for users that already exist, use the chage tool:

# chage -M 60 joe

This will set joe's PASS_MAX_DAYS setting to 60 days and update the shadow file accordingly. You can use the -l option of chage to list the current account age information, -m to set PASS_MIN_DAYS, -W to set PASS_WARN_AGE, and more. The chage tool will let you manipulate all aspects of password aging on the specified account.

Note that chage will only work on local system accounts and will not work if you are using a system such as LDAP for authentication. If you're using LDAP for authentication and you attempt to use chage, even to list the user's aging information, you'll find that chage doesn't know anything about the user.
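Before running chage on each existing account, it helps to know which local accounts still carry the old defaults. The following is an added example, not code from the article: it reads shadow-format records (name:hash:lastchange:min:max:warn:inactive:expire:reserved), flags fields weaker than the policy described above, and prints the chage command that would fix an account. The sample records and the policy values (60/7/14) are constructed for illustration.

```shell
#!/bin/sh
# Policy values assumed for this example: PASS_MAX_DAYS 60, PASS_WARN_AGE 7, INACTIVE 14.
POLICY_MAX_DAYS=60
POLICY_WARN_AGE=7
POLICY_INACTIVE=14

# Constructed sample shadow records (not from a real system). Field 5 is the
# maximum age, field 6 the warning age, field 7 the inactivity window.
SAMPLE_SHADOW='root:$6$abc:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
joe:$6$def:19000:0:60:7:14::
alice:$6$ghi:19000:0:99999:7:::
bob:!$6$jkl:19000:0:99999:7:::
carol:$6$mno:19000:0:60:3:::'

# Read shadow records on stdin and print "user:field=value" for every
# login-capable account whose aging fields are weaker than the policy.
# Accounts whose hash starts with '!' or '*' are locked and are skipped.
audit_aging() {
    awk -F: -v max="$POLICY_MAX_DAYS" -v warn="$POLICY_WARN_AGE" -v inact="$POLICY_INACTIVE" '
        $2 ~ /^[!*]/ { next }   # locked or no-login account, aging is irrelevant
        {
            if ($5 == "" || $5 > max)   print $1 ":max_days=" ($5 == "" ? "unset" : $5)
            if ($6 == "" || $6 < warn)  print $1 ":warn_age=" ($6 == "" ? "unset" : $6)
            if ($7 == "" || $7 > inact) print $1 ":inactive=" ($7 == "" ? "unset" : $7)
        }'
}

# Number of distinct accounts (not findings) that fail the policy; reads stdin.
count_noncompliant() {
    audit_aging | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# The chage invocation that brings one account in line with the policy.
remediation_cmd() {
    printf 'chage -M %s -W %s -I %s %s\n' \
        "$POLICY_MAX_DAYS" "$POLICY_WARN_AGE" "$POLICY_INACTIVE" "$1"
}

# Stand-alone run: audit the sample records and show the fix for each finding.
printf '%s\n' "$SAMPLE_SHADOW" | audit_aging
printf '%s\n' "$SAMPLE_SHADOW" | audit_aging | cut -d: -f1 | sort -u | while read -r u; do
    remediation_cmd "$u"
done
```

On a real host, run `audit_aging < /etc/shadow` as root; the sample accounts exist only to make the script runnable offline.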

Having a policy to define how often a password needs to be changed, and then being able to enforce it, is definitely a good thing. In the situation of a laid-off employee, for example, password aging ensures that the former employee can't come back three months later to find his account still accessible. Even if the system administrator neglected to delete the account, the account would be locked due to the aging configuration. This is, of course, no excuse for not deleting accounts of users who no longer require access to the system, but it does provide an extra layer of security, if it were to be overlooked.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.