Server

Version: 25.03

Account Passwords

Shielding System Accounts

Description

Accounts excluding user accounts are system accounts. System accounts cannot be used for logins or performing other operations. Therefore, system accounts must be shielded.

Implementation

Modify the shell of a system account to /sbin/nologin.

shell
usermod -L -s /sbin/nologin $systemaccount

NOTE

$systemaccount indicates the system account.

Restricting Account Permissions on the su Command

Description

The su command is used to switch user accounts. To improve system security, only the user root and users in the wheel group can use the su command.

Implementation

Modify the /etc/pam.d/su file as follows:

text
auth         required      pam_wheel.so use_uid

Table 1 Configuration item in pam_wheel.so

Item

Description

use_uid

UID of the current account.

Setting Password Complexity

Description

You can set the password complexity requirements by modifying the corresponding configuration file. You are advised to set the password complexity based on the site requirements.

Implementation

The password complexity is implemented by the pam_pwquality.so and pam_pwhistory.so modules in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. You can modify the configuration items of the two modules to change the password complexity requirements.

Example

This section provides an example for configuring password complexity.

Password Complexity Requirements

  1. Contains at least eight characters.

  2. Contains at least three types of the following characters:

    • At least one lowercase letter

    • At least one uppercase letter

    • At least one digit

    • At least one space or one of the following special characters: ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ?

  3. Cannot be the same as an account name or the account name in reverse order.

  4. Cannot be the last five passwords used.

Implementation

Add the following content to the first two lines of the password configuration item in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

text
password    requisite     pam_pwquality.so minlen=8 minclass=3 enforce_for_root try_first_pass local_users_only retry=3 dcredit=0 ucredit=0 lcredit=0 ocredit=0 
password    required      pam_pwhistory.so use_authtok remember=5 enforce_for_root

Configuration Item Description

For details about the configuration items of pam_pwquality.so and pam_pwhistory.so, see Table 1 and Table 2, respectively.

Table 1 Configuration items in pam_pwquality.so

Item

Description

minlen=8

A password must contain at least eight characters.

minclass=3

A password must contain at least three of the following types: uppercase letters, lowercase letters, digits, and special characters.

ucredit=0

A password contains any number of uppercase letters.

lcredit=0

A password contains any number of lowercase letters.

dcredit=0

A password contains any number of digits.

ocredit=0

A password contains any number of special characters.

retry=3

Each time a maximum of three password changes is allowed.

enforce_for_root

This configuration is also effective for user root.

Table 2 Configuration items in pam_pwhistory.so

Item

Description

remember=5

A password must be different from the last five passwords used.

enforce_for_root

This configuration is also effective for user root.

Setting the Password Validity Period

Description

To ensure system security, you are advised to set the password validity period and notify users to change passwords before the passwords expire.

Implementation

The password validity period is set by modifying the /etc/login.defs file. Table 1 describes the hardening items. All hardening items in the table are in the /etc/login.defs file. You can directly modify the items in the configuration file.

Table 1 Configuration items in login.defs

Item

Description

Suggestion

Configured as Suggested

PASS_MAX_DAYS

Maximum validity period of a password.

90

No

PASS_MIN_DAYS

Minimum interval between password changes.

0

No

PASS_WARN_AGE

Number of days before the password expires.

7

No

NOTE

The login.defs file is used to set restrictions on user accounts, such as setting the maximum password validity period and maximum length. The configuration in this file is invalid for the user root. If the /etc/shadow file contains the same items, the /etc/shadow configuration takes precedence over the /etc/login.defs configuration. When a user attempts to log in after the password expires, the user will be informed of the password expiry and is required to change the password. If the user does not change the password, the user cannot access the system.

Setting Password Encryption Algorithms

Description

For system security, passwords cannot be stored in plaintext in the system and must be encrypted. The passwords that do not need to be restored must be encrypted using irreversible algorithms. Set the password encryption algorithm to SHA-512. This item has been set by default in openEuler. The preceding settings can effectively prevent password disclosure and ensure password security.

Implementation

To set the password encryption algorithm, add the following configuration to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files:

text
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Table 1 Configuration items in pam_unix.so

Item

Description

sha512

The SHA-512 algorithm is used for password encryption.

Locking an Account After Three Login Failures

Description

To ensure user system security, you are advised to set the maximum number of failed login attempts (three attempts are recommended) and the automatic unlocking time (300 seconds are recommended) for a locked account.

If an account is locked, any input is invalid but does not reset the locking countdown timer. Records of the user's invalid inputs are cleared once unlocked. The preceding settings protect passwords from being forcibly cracked and improve system security.

NOTE

By default, the maximum number of failed login attempts is 3 in openEuler. After an account is locked, the automatic unlock time is 60 seconds.

Implementation

The password complexity is set by modifying the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. The maximum number of failed login attempts is set to 3, and the unlocking time after an account is locked is set to 300 seconds. The configuration is as follows:

text
auth        required      pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=300
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=300

Table 1 Configuration items in pam_faillock.so

Item

Description

authfail

Captures account login failure events.

deny=3

A user account will be locked after three failed login attempts.

unlock_time=300

A locked common user account is automatically unlocked after 300 seconds.

even_deny_root

This configuration is also effective for user root.

Hardening the su Command

Description

To enhance system security and prevent the environment variables of the current user from being brought into other environments when you run the su command to switch to another user, this item has been configured by default in openEuler. The PATH variable is always initialized when the su command is used to switch users.

Implementation

Modify the /etc/login.defs file. The configuration is as follows:

text
ALWAYS_SET_PATH=yes