password restrictions, multiple users

[sabre]

Good day all -

a newcomer both here and to linux, so be gentle

There are a lot of accounts already setup. None of them have password restrictions, such as alpha-numeric, expiration dates - the usual.

I've done some reading and see that passwd or usermod would probably set these, but I want to do it for all existing users at once.

And I'd also like to set some sort of system policy that will force these settings onto any future account.

Any ideas? Thanks.

[Outlaw]

Something like this will enforce strong passwords and number of bad passwords until account lock

/etc/pam.d/system-auth (Redhat)

Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_pwdb.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_pwdb.so
account     required      /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset


password    required      /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 type=
password    sufficient    /lib/security/$ISA/pam_pwdb.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_pwdb.so

Something like this will set password expire, warning etc for new users added

/etc/login.defs (Redhat)

Code:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS  90
PASS_MIN_DAYS  15
PASS_MIN_LEN   8
PASS_WARN_AGE  10

Some timeouts (same file)

Code:

LOGIN_RETRIES  5
FAIL_DELAY     4

To change existing users, you'll have to script something that either does a usermod for all users above a certain UID OR script something that edits /etc/shadow to look like this for users above XXX UID.

Code:

user:PASS-HASH:13243:15:90:10:14:-1:-1

[Schotty]

Outlaw is right.

Another option if you want to do a mass passwd type command is to script up that into a bash script to do the real work.

(untested example but should work assuming each user has its own /home/ account)

for $i in 'ls /home/';
do passwd blahblahparameters $i
done

[sabre]

Thank you Sir.

[Schotty]

So how did it go, and what did you do that worked?

[sabre]

When I said I was a newbie, I wasn't kidding. I had to learn how to write a bash script, and now I have one that will generate a clean list of users. I'm going to take that and use the for /do passwd blah blah $i/done idea that you gave me.

This stuff reminds me a lot of DOS, if any of you ever used it back in the days when windows didn't exist :-)

[Schotty]

I knew a guy who introduced me to BBSes back in the day who regularly got into competitions of batch file creation. From games to utilites that were purely batch files. Quite interesting, and exactly what BASH can do too. BASH is though a bit more refined I think.

Glad that that tip helped. Just curious as to what fixed your woes Glad the forums were helpful. Stay here, and you will get anwers to most of your hurdles if not all of them.