Oct 31, 2009

Password policies: enforcing digits/uppercase letters using pam-config

Since my last posting about password policies on debian, i got several mails with the following question:
How to configure pluggable authentication modules (pam) with the command pam-config?
This is neccesary because some linux distributions add the following header on all files inside /etc/pam.d/:
# This file is autogenerated by pam-config. All changes
# will be overwritten.
Running pam-config --help shows 155 lines. For newbies this is completely unreadable. Querying the net with google gives the manpage but no examples...
So let's start.
To get the actual password check method run the following command:
# pam-config -q --pwcheck
password: nullok cracklib
This was easy. So just add am ucredit-rule:
# pam-config -a --cracklib-ucredit=-2 --cracklib
INFO: pam_pwcheck.so und pam_cracklib.so aktiviert,
INFO: nur pam_pwcheck.so mit aktivierter Cracklib-Unterstützung wird benutzt.
Hmm. pwcheck has to be removed. Not really difficult:
# pam-config -d --pwcheck
After that, retry  the command with ucredit:
# pam-config -a --cracklib-ucredit=-2 --cracklib
And how can you check, that it has really worked?
# pam-config -q --cracklib
password: ucredit=-2
Here the complete reference of pam-config:
 # pam-config --help
Anwendung: pam-config -a|-c|-d [...]
pam-config - Erstelle PAM-Konfigurationsdateien.

  -a, --add         Füge Optionen/PAM-Module hinzu.
  -c, --create      Erstelle neue Konfiguration.
  -d, --delete      Entferne Optionen/PAM-Module.
      --confdir     Benutze ein benutzerdefiniertes Konfigurations-Verzeichnis
      --initialize  Konvertiere alte Konfiguration and erstelle neue.
      --service config  Dienst zum modifizieren der Konfiguration von
      --update      Lese momentane Konfiguration und schreibe sie neu
  -q, --query       Anfrage für installierte Module und Optionen
      --list-modules Zeige alle unterstützten Module
      --help        Gibt diese Hilfeliste aus
  -u, --usage       Gibt eine kurze Gebrauchsanweisung aus
  -v, --version     Ausgabe der Programmversion

Globale Modul-Optionen:
      Die globalen Module werden eingesetzt in die
      common-{account,auth,password,session}-Dateien, welche in den einzelnen
      Dateien der Dienste beinhaltet sind.
   --apparmor
   --apparmor-debug
   --ccreds
   --cracklib
   --cracklib-debug
   --cracklib-type=<value>
   --cracklib-retry=<value>
   --cracklib-difok=<value>
   --cracklib-difignore=<value>
   --cracklib-minlen=<value>
   --cracklib-dcredit=<value>
   --cracklib-ucredit=<value>
   --cracklib-lcredit=<value>
   --cracklib-ocredit=<value>
   --cracklib-minclass=<value>
   --cracklib-dictpath=<value>
   --env
   --env-debug
   --env-conffile=<value>
   --env-envfile=<value>
   --env-readenv=<value>
   --fp
   --fp-debug
   --gnome_keyring
   --gnome_keyring-auto_start
   --gnome_keyring-auto_start_if=<value>
   --group
   --krb5
   --krb5-debug
   --krb5-ignore_unknown_principals
   --krb5-minimum_uid=<value>
   --ldap
   --ldap-debug
   --limits
   --limits-debug
   --limits-change_uid
   --limits-utmp_early
   --limits-conf=<value>
   --localuser
   --localuser-debug
   --localuser-file=<value>
   --make
   --make-debug
   --make-nosetuid
   --make-make=<value>
   --make-log=<value>
   --make-option=<value>
   --mkhomedir
   --mkhomedir-debug
   --mkhomedir-silent
   --mkhomedir-umask=<value>
   --mkhomedir-skel=<value>
   --nam
   --pkcs11
   --pkcs11-debug
   --pkcs11-configfile=<value>
   --pwcheck
   --pwcheck-debug
   --pwcheck-nullok
   --pwcheck-cracklib
   --pwcheck-no_obscure_checks
   --pwcheck-enforce_for_root
   --pwcheck-cracklib_path=<value>
   --pwcheck-maxlen=<value>
   --pwcheck-minlen=<value>
   --pwcheck-tries=<value>
   --pwcheck-remember=<value>
   --pwhistory
   --pwhistory-debug
   --pwhistory-use_authtok
   --pwhistory-enforce_for_root
   --pwhistory-remember=<value>
   --pwhistory-retry=<value>
   --pwhistory-type=<value>
   --selinux
   --selinux-debug
   --ssh
   --ssh-debug
   --ssh-nullok
   --ssh-try_first_pass
   --ssh-keyfiles=<value>
   --thinkfinger
   --thinkfinger-debug
   --umask
   --umask-debug
   --umask-silent
   --umask-usergroups
   --umask-umask=<value>
   --unix
   --unix-debug
   --unix-audit
   --unix-nodelay
   --unix-nullok
   --unix-shadow
   --unix-md5
   --unix-bigcrypt
   --unix-not_set_pass
   --unix-nis
   --unix-broken_shadow
   --unix-remember=<value>
   --unix2
   --unix2-nullok
   --unix2-debug
   --unix2-trace
   --unix2-none
   --unix2-call_modules=<value>
   --unix2-nisdir=<value>
   --winbind
   --winbind-debug

Dienst-spezifische Modul-Optionen:
      Diese Module können nur zu einzelnen Dienst-Dateien hinzugefügt werden.
   --ck_connector
   --ck_connector-debug
   --cryptpass
   --csync
   --csync-use_first_pass
   --csync-try_first_pass
   --csync-soft_try_pass
   --csync-nullok
   --csync-debug
   --csync-silent
   --lastlog
   --lastlog-debug
   --lastlog-silent
   --lastlog-never
   --lastlog-nodate
   --lastlog-nohost
   --lastlog-noterm
   --lastlog-nowtmp
   --lastlog-noupdate
   --lastlog-showfailed
   --loginuid
   --loginuid-require_auditd
   --mount


Posted by at 1 comment:
Labels: , ,

Oct 30, 2009

Password policies on debian linux: dcredit? pam_cracklib.so?

Ok, nearly everybody knows pam:
PAM = Pluggable Authentication Modules
The linux-pam homepage states "Basically, it is a flexible mechanism for authenticating users." But is there an easy way to enforce password policies within this pam mechanism?

It is not really difficult, if you know where to look:
Open /etc/pam.d/common-password (debian) and read
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
The two next two lines are:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
and pam_cracklib.so can be installed via
apt-get install libpam-cracklib
At the first line add
dcredit=-4 lcredit=-2 ucredit=-1
This translates to dcredit=-4 (4 digits required), lcredit=-2 (2 letter lowercase required), ucredit=-1 (1 letter uppercase required). For a full list of parameters look here.
Posted by at No comments:
Labels: , ,

Oct 25, 2009

Offer or fraud? Marketing for blogs...

Last week i got the following mail:

Hello, my name is XXX YYYY and I am an internet marketing
specialist. I was looking at websites under the keyword system tools
and came across your website http://dietrichschroff.blogspot.com. I see that you're not ranked on the first page of Google for a system tools search.

I'm not sure if you're aware of why you're ranked this low but more importantly how easily correctable this is.

There's no reason you can't have a top three ranking for the keyword
system tools based on your site structure and content. You have a very
nice site.

You need significantly more one way anchor text backlinks. If you're interested I can help you with this...

I'm talking about getting you ranked for ALL your keywords. Adding new
backlinks on a steady and consistent basis from high PR quality
websites is what produces the rankings you are looking for http://dietrichschroff.blogspot.com.

The right kind of links are very critical in getting top ranking....and I can hand deliver these quality links to you.

My partners and I own 1000's websites and offer private linking to hundreds of website owners just like yourself.

I didn't send this email out to very many people but I am currently
reaching out to a list of your 'keyword competitors' as well. But I do
favor your website because I can see your website monetizing the
targeted website traffic the keyword system tools can deliver.

I have your contact information and phone number. Is it ok if I give you a call?

I have a very simple way to prove that what I do works and it's risk
free for you to try. Nothing beats seeing the results with your own eyes

Is it ok if I give you a call? I would love to pursue this further over the phone with you or should I go somewhere else?

Sincerely,

XXXX YYY
(aa) bb-cccccccc
www.url.com

P.S - If the tables were turned and somebody I didn't know came to me
with a proposition, even one that was appealing, I would be hesitant
because I would be wondering - what's the catch? What does this guy
know that I don't.

But then I would think he does know something that I don't know. He
does have thousands of high PR websites, he does have hundreds of
thousands of pages indexed and ranking in Google Yahoo and MSN. Sites
that can deliver the quality anchor text backlinks. I would also think
that I need to get my website in the top rankings. And he is offering
to turn key top rankings for me...on all my keywords including system
tools. Even keywords I'm not currently competing for. Keywords that
produce traffic that's potentially worth tens of thousands, hundreds of
thousands, millions of dollars.

I emailed you because It's a win -win for both of us. Think of it this
way - Who wouldn't be interested in buying money at a discount? Because
that's what I'll be able to do offer you...Money at a discount.

Is it Ok to give you a call? Or you can can call me anytime at the number above?
I am really stunned...
Is this the way to get high ranks for google searches?
If everybody starts this, the search engines will not provide useful links anymore ;-)

Posted by at 3 comments:
Labels: , ,

Oct 21, 2009

Searching for cpu capabilities? Look at /proc/cpuinfo...

Most of us know, that with
cat /proc/cpuinfo
the number of cpus, cpu speed, cpu model etc. can be found. But there is one interesting line which is called flags:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 13
model name : Intel(R) Pentium(R) M processor 1.73GHz
stepping : 8
cpu MHz : 1733.000
cache size : 2048 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss tm pbe bts est tm2
bogomips : 3457.11
clflush size : 64
Ok, the acronyms sound familiar. Here the outputs from some other cpus:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca sse4_1 sse4_2 popcnt lahf_lm ida
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts pni monitor ds_cpl cid xtpr
Hmmm. No flag like 64Bit or x64... How can this acronyms be decoded?
Let's ask the kernel sources!
There is one file inside the sources, where all this flags are defined:
arch/x86/include/asm/cpufeature.h
Here are the most interesting ones:
#define X86_FEATURE_HT (0*32+28) /* Hyper-Threading */
#define X86_FEATURE_LM (1*32+29) /* Long Mode (x86-64) */
#define X86_FEATURE_VMX (4*32+ 5) /* Hardware virtualization */
#define X86_FEATURE_PN (0*32+18) /* Processor serial number */
Just if you are not sure about installing 64Bit Linux, check for lm. And if ht is shown, you do not worry, can detect twice as much cores as there are, or if...
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)