Setting PAM requirements for password complexity and lifecycle

December 3rd, 2014

A system at $work had to meet a fairly strict set of password security requirements:

  • Minimum of 8 characters
  • Minimum of 2 different complexity classes
  • Password expires after 90 days
  • No reuse of the last 5 passwords AND no more than 1 password change per day
  • Temporary lockout after 5 failed attempts in 15 minutes, lockout to last for 15 minutes

Here’s how I solved it:


# cd /etc/pam.d
# cp system-auth-ac system-auth.local
# cp password-auth-ac password-auth.local

Modify both system-auth.local and password-auth.local to include pam_faillock and pam_cracklib. You should end up with something like:


auth required pam_env.so
# preauth runs before pam_unix so a locked account is refused even when the password is right
auth required pam_faillock.so preauth audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
# authsucc (not a second authfail) clears the failure tally after a good login
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900 even_deny_root
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 minclass=2 enforce_for_root
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

Point the symlinks at the new files so that authconfig (which only rewrites the -ac files) does not overwrite them:

# ln -sf system-auth.local system-auth
# ln -sf password-auth.local password-auth

Edit /etc/login.defs and change:

PASS_MAX_DAYS 99999 to PASS_MAX_DAYS 90
PASS_MIN_DAYS 0 to PASS_MIN_DAYS 1

login.defs only affects accounts created from now on, so apply the limits to existing accounts right away, starting with root:

# chage -M 90 root
# chage -m 1 root
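The following added example is not code from the original post; it is a small model of the policy the pam_cracklib, pam_unix, pam_faillock, login.defs and chage settings above enforce, so each of the five requirements can be checked against sample input before the real files are touched. Parameter names mirror the PAM and login.defs options (minlen, minclass, remember, deny, unlock_time, fail_interval, PASS_MAX_DAYS, PASS_MIN_DAYS); the functions, the FailLock class and the sample values are this example's own assumptions.

```python
"""Model of the password policy above: complexity, history, lockout and ageing.
Added example, not the post's own code; names and sample data are constructed."""
from datetime import date


# pam_cracklib minlen= / minclass=
def char_classes(password):
    """Count the classes cracklib distinguishes: upper, lower, digit, other."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for check in checks if any(check(c) for c in password))


def complexity_ok(password, minlen=8, minclass=2):
    return len(password) >= minlen and char_classes(password) >= minclass


# pam_unix remember=
def reuse_ok(password, history, remember=5):
    """`history` lists previous passwords newest first.  pam_unix keeps hashes in
    /etc/security/opasswd; the plaintext comparison here is for the model only."""
    return password not in history[:remember]


# pam_faillock deny= / unlock_time= / fail_interval=
class FailLock:
    """Per-user tally of failed logins in the style of pam_faillock: failures count
    toward `deny` only if they fall within `fail_interval` seconds of the latest
    one, and a denied user stays locked for `unlock_time` seconds after it."""

    def __init__(self, deny=5, unlock_time=900, fail_interval=900):
        self.deny = deny
        self.unlock_time = unlock_time
        self.fail_interval = fail_interval
        self.failures = {}  # user -> list of failure timestamps (seconds)

    def is_locked(self, user, now):
        times = self.failures.get(user, [])
        if not times:
            return False
        latest = times[-1]
        recent = [t for t in times if latest - t <= self.fail_interval]
        return len(recent) >= self.deny and now - latest < self.unlock_time

    def attempt(self, user, password_correct, now):
        """One pass through the auth stack: preauth, pam_unix, then authfail/authsucc."""
        if self.is_locked(user, now):  # preauth refuses before the password is checked
            return "locked"
        if not password_correct:
            self.failures.setdefault(user, []).append(now)  # authfail records it
            return "denied"
        self.failures.pop(user, None)  # authsucc clears the tally
        return "ok"


# login.defs PASS_MAX_DAYS / PASS_MIN_DAYS (chage -M / -m), dates as ISO strings
def age_status(last_change, today, max_days=90, min_days=1):
    age = (date.fromisoformat(today) - date.fromisoformat(last_change)).days
    return {"must_change": age > max_days, "may_change": age >= min_days}


if __name__ == "__main__":
    # constructed sample data
    for pw in ("password", "Password1", "Pa55"):
        print(pw, "ok" if complexity_ok(pw) else "rejected")
    lock = FailLock()
    for t in range(0, 300, 60):  # five wrong passwords within five minutes
        lock.attempt("alice", False, t)
    print("alice at t=300:", lock.attempt("alice", True, 300))    # locked
    print("alice at t=1140:", lock.attempt("alice", True, 1140))  # ok, tally cleared
    print(age_status("2014-09-01", "2014-12-03"))
```

The attempt() order mirrors the auth stack: without the preauth step a correct password would still be accepted while the account is supposedly locked, which is the point of the preauth line in the PAM file.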


Puppetmaster cert change

August 6th, 2014

Some day I will need this. Hat tip to Nan Liu.

From the puppet-users mailing list

Backup your puppet master ssl directory, so you can just retry if something didn’t go as planned.

# note all certificate alt names of the existing puppet master cert:
puppet cert -la | grep oldmaster
(alt names "DNS:puppet", "DNS:puppet-master", "DNS:puppet.mgmt", )
...
 
# remove your old puppet master cert.
puppet cert -c oldmaster
 
# search the ssl dir and it should not have any files with the oldmaster certname
 
# generate new master cert (same name as old one, but accept new_hostname in dns_alt_names):
puppet cert -g oldmaster --dns_alt_names=new_hostname,puppet,puppet-master,puppet.mgmt
 
# you may need to copy the files to some locations if you found files not removed after the cert clean step

At this point you can add a host entry on one of your agents and test via:
puppet agent -t --server new_hostname --noop

You should not have to touch any client cert, that’s only necessary if you need to change your CA cert which is a pain when it expires.

HTH,

Nan


rpmconf and vimdiff

August 5th, 2014

I was reading through the Foreman upgrade notes today and came across this gem:


rpmconf -a --frontend=vimdiff

This gives a great side-by-side view of all the .rpmnew files that get created as part of an install, so you can reject, accept, or merge the differences. I like it.


Living with Cisco Anyconnect on OSX

July 22nd, 2014

Took me a bit to figure this out, but I needed to override the DNS settings forced upon me by the Cisco Anyconnect client. Unfortunately, $WORK is moving away from the IPSEC VPN in favor of the SSL VPN, so the native Mac client (where I could set DNS servers by hand in advanced settings) no longer works.

To override the settings handed down, I made use of the scutil command and crafted a short script to update the settings. I'll probably expand the script to actually launch Anyconnect, wait for the tunnel to come up and then apply the settings to make things easier on me, but in the meantime here are the relevant bits.


#!/bin/sh

sudo scutil <
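The post's own script is cut off above. The following added example is not that script and not a reconstruction of it: it builds the command stream scutil reads on stdin to replace the DNS servers of one network service, written in Python rather than sh, and only invokes scutil when it is actually running on macOS. The service ID, server addresses and search domain are constructed assumptions; the real ID of the service the VPN client created can be listed with dns_service_keys().

```python
"""Override the DNS servers of one macOS network service through scutil.
Added example (not the post's script); the IDs and addresses are assumptions."""
import platform
import subprocess


def build_scutil_input(service_id, servers, search_domains=()):
    """scutil session: open the dynamic store, fill a dictionary, write it to the
    service's DNS key.  State: holds the live values the VPN client set."""
    lines = ["open", "d.init", "d.add ServerAddresses * " + " ".join(servers)]
    if search_domains:
        lines.append("d.add SearchDomains * " + " ".join(search_domains))
    lines += ["set State:/Network/Service/%s/DNS" % service_id, "quit"]
    return "\n".join(lines) + "\n"


def parse_list_output(text):
    """Pull the store keys out of scutil `list` output, whose lines look like
    '  subKey : State:/Network/Service/<id>/DNS'."""
    return [line.split("subKey : ", 1)[1].strip()
            for line in text.splitlines() if "subKey : " in line]


def scutil(commands, privileged=False):
    """Feed a command stream to scutil; writing State: keys needs root."""
    if platform.system() != "Darwin":
        raise RuntimeError("scutil exists only on macOS")
    argv = (["sudo"] if privileged else []) + ["scutil"]
    return subprocess.run(argv, input=commands, text=True,
                          capture_output=True, check=True).stdout


def dns_service_keys():
    """Every service that currently carries DNS settings; the VPN's is among them."""
    return parse_list_output(scutil("list State:/Network/Service/[^/]+/DNS\nquit\n"))


if __name__ == "__main__":
    # assumed values for illustration; replace with the VPN service's real ID
    commands = build_scutil_input("ASSUMED-SERVICE-ID",
                                  ["10.0.0.53", "10.0.1.53"], ["corp.example.com"])
    print(commands)
    if platform.system() == "Darwin":
        print(dns_service_keys())
        scutil(commands, privileged=True)
```

Because the VPN client rewrites the State: key when the tunnel comes up, the override has to be applied after the tunnel is established, which is the sequencing the post mentions wanting to automate.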

2 TB Virtual Disks in VMware

July 17th, 2013

When creating a 2TB disk in VMware that you want to be able to snapshot, do not configure the disk as 2TB but rather as 2032GB, to leave room for the snapshot overhead. See http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012384

HP Data Protector unable to backup file

March 20th, 2013

Occasionally, HP Data Protector will be unable to back up a file because of memory constraints. You will get a message something like:


Cannot read X bytes at offset YYYYY(:1): ([1450] Insufficient system resources exist to complete the requested service. ).

The solution lies here:

http://support.microsoft.com/kb/304101?wa=wsignin1.0


Reunion Tour

February 5th, 2013

This week, the three of us that made up a rock group when we were in high school are reuniting. 15 years later, we’ve all ended back up in the same area we grew up and are going to get together and play through some covers. I have to say I’m pretty pumped.

I’ve been spending time since Christmas on the Drumeo.com website’s Edge area. Edge members can watch live lessons, archives of recorded lessons, and interact with the instructors and (maybe more importantly) other Drumeo members via forums, Youtube and e-mail. It’s a pretty incredible concept, and one I’m glad I can participate in. I’ve been able to get some exercises to bring my drumming chops back up to what they once were, and hopefully push them beyond. Back then, my drums stayed at the bassist’s house (and I was too poor for a second set), so practice time was limited. I intend to change that this time around and be more deliberate about practicing and improving my skill set.

If you’re looking for a great drumming community, check out Drumeo.com!


Time conversion gymnastics in Python

February 5th, 2013

I was recently working with a sqlite3 database using the DATETIME('now') SQL construct to save the time a row was updated. This results in a format of e.g. 2013-02-05 17:50:42, which is in UTC. In order to display this in local time, I did the following gymnastics:


import calendar, time

thetimefromdb = "2013-02-05 17:50:42"  # UTC string as stored by DATETIME('now')
# parse as UTC -> epoch seconds (timegm, not mktime) -> local struct_time -> string
print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(calendar.timegm(time.strptime(thetimefromdb, "%Y-%m-%d %H:%M:%S")))))

Is there a better way?
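As an added example that is not part of the original post, here is the same UTC-to-local conversion done with datetime objects, which stay time-zone aware instead of round-tripping through an epoch integer and struct_time; it also goes beyond the post by doing the reverse conversion for storing a local time. The sample string is constructed; a tz of None means the machine's local zone, as astimezone() defines it, and fixed_offset() is a helper of this example.

```python
"""UTC <-> local conversion for sqlite DATETIME('now') strings with datetime.
Added example, not the post's own code; the sample values are constructed."""
from datetime import datetime, timedelta, timezone

DB_FORMAT = "%Y-%m-%d %H:%M:%S"  # the form sqlite's DATETIME('now') stores


def fixed_offset(hours):
    """A fixed-offset zone, handy for deterministic checks."""
    return timezone(timedelta(hours=hours))


def utc_db_to_local(thetimefromdb, tz=None):
    """Parse the naive UTC string, mark it as UTC, then convert to tz (local if None)."""
    utc_dt = datetime.strptime(thetimefromdb, DB_FORMAT).replace(tzinfo=timezone.utc)
    return utc_dt.astimezone(tz).strftime(DB_FORMAT)


def local_to_utc_db(local_str, tz=None):
    """The reverse: a user-entered local time in the UTC form the database expects."""
    local_dt = datetime.strptime(local_str, DB_FORMAT)
    if tz is None:
        local_dt = local_dt.astimezone()  # naive -> machine's local zone
    else:
        local_dt = local_dt.replace(tzinfo=tz)
    return local_dt.astimezone(timezone.utc).strftime(DB_FORMAT)


if __name__ == "__main__":
    sample = "2013-02-05 17:50:42"  # constructed, in the post's format
    print(utc_db_to_local(sample))                      # machine's local zone
    print(utc_db_to_local(sample, fixed_offset(-5)))    # 2013-02-05 12:50:42
    print(local_to_utc_db("2013-02-05 12:50:42", fixed_offset(-5)))  # back to UTC
```

Marking the parsed value with tzinfo=timezone.utc is what the calendar.timegm() call achieved in the one-liner; the difference is that the aware datetime carries that fact with it instead of relying on the caller to pick timegm over mktime.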

CentOS 6 Kickstart Encrypted Password

January 21st, 2013

To create the SHA256 encrypted password for a CentOS 6 kickstart file:

# "$6$" selects the SHA-512 crypt scheme ("$5$" would give SHA-256); use a random salt rather than a fixed one
python -c 'import crypt; print(crypt.crypt("Password", "$6$Salt"))'

Juniper Network Connect on CentOS 6

January 15th, 2013

The best method for making this work seems to be a 32-bit firefox (even on 64-bit CentOS/RHEL). The trick is that the NC installer launches xterm directly to prompt for a root password – so the following RPMs should be installed before launching the SSL VPN site:

* xterm
* firefox.i686
* libXtst.i686
* libcurl.i686
* gtk2-engines.i686
* alsa-plugins-pulseaudio.i686
* PackageKit-gtk-module.i686