Oct 31, 2009

Password policies: enforcing digits/uppercase letters using pam-config

Since my last posting about password policies on debian, i got several mails with the following question:
How to configure pluggable authentication modules (pam) with the command pam-config?
This is neccesary because some linux distributions add the following header on all files inside /etc/pam.d/:
# This file is autogenerated by pam-config. All changes
# will be overwritten.
Running pam-config --help shows 155 lines. For newbies this is completely unreadable. Querying the net with google gives the manpage but no examples...
So let's start.
To get the actual password check method run the following command:
# pam-config -q --pwcheck
password: nullok cracklib
This was easy. So just add am ucredit-rule:
# pam-config -a --cracklib-ucredit=-2 --cracklib
INFO: pam_pwcheck.so und pam_cracklib.so aktiviert,
INFO: nur pam_pwcheck.so mit aktivierter Cracklib-Unterstützung wird benutzt.
Hmm. pwcheck has to be removed. Not really difficult:
# pam-config -d --pwcheck
After that, retry  the command with ucredit:
# pam-config -a --cracklib-ucredit=-2 --cracklib
And how can you check, that it has really worked?
# pam-config -q --cracklib
password: ucredit=-2
Here the complete reference of pam-config:
 # pam-config --help
Anwendung: pam-config -a|-c|-d [...]
pam-config - Erstelle PAM-Konfigurationsdateien.

  -a, --add         Füge Optionen/PAM-Module hinzu.
  -c, --create      Erstelle neue Konfiguration.
  -d, --delete      Entferne Optionen/PAM-Module.
      --confdir     Benutze ein benutzerdefiniertes Konfigurations-Verzeichnis
      --initialize  Konvertiere alte Konfiguration and erstelle neue.
      --service config  Dienst zum modifizieren der Konfiguration von
      --update      Lese momentane Konfiguration und schreibe sie neu
  -q, --query       Anfrage für installierte Module und Optionen
      --list-modules Zeige alle unterstützten Module
      --help        Gibt diese Hilfeliste aus
  -u, --usage       Gibt eine kurze Gebrauchsanweisung aus
  -v, --version     Ausgabe der Programmversion

Globale Modul-Optionen:
      Die globalen Module werden eingesetzt in die
      common-{account,auth,password,session}-Dateien, welche in den einzelnen
      Dateien der Dienste beinhaltet sind.
   --apparmor
   --apparmor-debug
   --ccreds
   --cracklib
   --cracklib-debug
   --cracklib-type=<value>
   --cracklib-retry=<value>
   --cracklib-difok=<value>
   --cracklib-difignore=<value>
   --cracklib-minlen=<value>
   --cracklib-dcredit=<value>
   --cracklib-ucredit=<value>
   --cracklib-lcredit=<value>
   --cracklib-ocredit=<value>
   --cracklib-minclass=<value>
   --cracklib-dictpath=<value>
   --env
   --env-debug
   --env-conffile=<value>
   --env-envfile=<value>
   --env-readenv=<value>
   --fp
   --fp-debug
   --gnome_keyring
   --gnome_keyring-auto_start
   --gnome_keyring-auto_start_if=<value>
   --group
   --krb5
   --krb5-debug
   --krb5-ignore_unknown_principals
   --krb5-minimum_uid=<value>
   --ldap
   --ldap-debug
   --limits
   --limits-debug
   --limits-change_uid
   --limits-utmp_early
   --limits-conf=<value>
   --localuser
   --localuser-debug
   --localuser-file=<value>
   --make
   --make-debug
   --make-nosetuid
   --make-make=<value>
   --make-log=<value>
   --make-option=<value>
   --mkhomedir
   --mkhomedir-debug
   --mkhomedir-silent
   --mkhomedir-umask=<value>
   --mkhomedir-skel=<value>
   --nam
   --pkcs11
   --pkcs11-debug
   --pkcs11-configfile=<value>
   --pwcheck
   --pwcheck-debug
   --pwcheck-nullok
   --pwcheck-cracklib
   --pwcheck-no_obscure_checks
   --pwcheck-enforce_for_root
   --pwcheck-cracklib_path=<value>
   --pwcheck-maxlen=<value>
   --pwcheck-minlen=<value>
   --pwcheck-tries=<value>
   --pwcheck-remember=<value>
   --pwhistory
   --pwhistory-debug
   --pwhistory-use_authtok
   --pwhistory-enforce_for_root
   --pwhistory-remember=<value>
   --pwhistory-retry=<value>
   --pwhistory-type=<value>
   --selinux
   --selinux-debug
   --ssh
   --ssh-debug
   --ssh-nullok
   --ssh-try_first_pass
   --ssh-keyfiles=<value>
   --thinkfinger
   --thinkfinger-debug
   --umask
   --umask-debug
   --umask-silent
   --umask-usergroups
   --umask-umask=<value>
   --unix
   --unix-debug
   --unix-audit
   --unix-nodelay
   --unix-nullok
   --unix-shadow
   --unix-md5
   --unix-bigcrypt
   --unix-not_set_pass
   --unix-nis
   --unix-broken_shadow
   --unix-remember=<value>
   --unix2
   --unix2-nullok
   --unix2-debug
   --unix2-trace
   --unix2-none
   --unix2-call_modules=<value>
   --unix2-nisdir=<value>
   --winbind
   --winbind-debug

Dienst-spezifische Modul-Optionen:
      Diese Module können nur zu einzelnen Dienst-Dateien hinzugefügt werden.
   --ck_connector
   --ck_connector-debug
   --cryptpass
   --csync
   --csync-use_first_pass
   --csync-try_first_pass
   --csync-soft_try_pass
   --csync-nullok
   --csync-debug
   --csync-silent
   --lastlog
   --lastlog-debug
   --lastlog-silent
   --lastlog-never
   --lastlog-nodate
   --lastlog-nohost
   --lastlog-noterm
   --lastlog-nowtmp
   --lastlog-noupdate
   --lastlog-showfailed
   --loginuid
   --loginuid-require_auditd
   --mount



Oct 30, 2009

Password policies on debian linux: dcredit? pam_cracklib.so?

Ok, nearly everybody knows pam:
PAM = Pluggable Authentication Modules
The linux-pam homepage states "Basically, it is a flexible mechanism for authenticating users." But is there an easy way to enforce password policies within this pam mechanism?

It is not really difficult, if you know where to look:
Open /etc/pam.d/common-password (debian) and read
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
The two next two lines are:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
and pam_cracklib.so can be installed via
apt-get install libpam-cracklib
At the first line add
dcredit=-4 lcredit=-2 ucredit=-1
This translates to dcredit=-4 (4 digits required), lcredit=-2 (2 letter lowercase required), ucredit=-1 (1 letter uppercase required). For a full list of parameters look here.

Oct 25, 2009

Offer or fraud? Marketing for blogs...

Last week i got the following mail:

Hello, my name is XXX YYYY and I am an internet marketing
specialist. I was looking at websites under the keyword system tools
and came across your website http://dietrichschroff.blogspot.com. I see that you're not ranked on the first page of Google for a system tools search.

I'm not sure if you're aware of why you're ranked this low but more importantly how easily correctable this is.

There's no reason you can't have a top three ranking for the keyword
system tools based on your site structure and content. You have a very
nice site.

You need significantly more one way anchor text backlinks. If you're interested I can help you with this...

I'm talking about getting you ranked for ALL your keywords. Adding new
backlinks on a steady and consistent basis from high PR quality
websites is what produces the rankings you are looking for http://dietrichschroff.blogspot.com.

The right kind of links are very critical in getting top ranking....and I can hand deliver these quality links to you.

My partners and I own 1000's websites and offer private linking to hundreds of website owners just like yourself.

I didn't send this email out to very many people but I am currently
reaching out to a list of your 'keyword competitors' as well. But I do
favor your website because I can see your website monetizing the
targeted website traffic the keyword system tools can deliver.

I have your contact information and phone number. Is it ok if I give you a call?

I have a very simple way to prove that what I do works and it's risk
free for you to try. Nothing beats seeing the results with your own eyes

Is it ok if I give you a call? I would love to pursue this further over the phone with you or should I go somewhere else?

Sincerely,

XXXX YYY
(aa) bb-cccccccc
www.url.com

P.S - If the tables were turned and somebody I didn't know came to me
with a proposition, even one that was appealing, I would be hesitant
because I would be wondering - what's the catch? What does this guy
know that I don't.

But then I would think he does know something that I don't know. He
does have thousands of high PR websites, he does have hundreds of
thousands of pages indexed and ranking in Google Yahoo and MSN. Sites
that can deliver the quality anchor text backlinks. I would also think
that I need to get my website in the top rankings. And he is offering
to turn key top rankings for me...on all my keywords including system
tools. Even keywords I'm not currently competing for. Keywords that
produce traffic that's potentially worth tens of thousands, hundreds of
thousands, millions of dollars.

I emailed you because It's a win -win for both of us. Think of it this
way - Who wouldn't be interested in buying money at a discount? Because
that's what I'll be able to do offer you...Money at a discount.

Is it Ok to give you a call? Or you can can call me anytime at the number above?
I am really stunned...
Is this the way to get high ranks for google searches?
If everybody starts this, the search engines will not provide useful links anymore ;-)

Oct 21, 2009

Searching for cpu capabilities? Look at /proc/cpuinfo...

Most of us know, that with
cat /proc/cpuinfo
the number of cpus, cpu speed, cpu model etc. can be found. But there is one interesting line which is called flags:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 13
model name : Intel(R) Pentium(R) M processor 1.73GHz
stepping : 8
cpu MHz : 1733.000
cache size : 2048 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss tm pbe bts est tm2
bogomips : 3457.11
clflush size : 64

Ok, the acronyms sound familiar. Here the outputs from some other cpus:
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr dca sse4_1 sse4_2 popcnt lahf_lm ida
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts pni monitor ds_cpl cid xtpr
Hmmm. No flag like 64Bit or x64... How can this acronyms be decoded?
Let's ask the kernel sources!
There is one file inside the sources, where all this flags are defined:
arch/x86/include/asm/cpufeature.h
Here are the most interesting ones:
#define X86_FEATURE_HT (0*32+28) /* Hyper-Threading */
#define X86_FEATURE_LM (1*32+29) /* Long Mode (x86-64) */
#define X86_FEATURE_VMX (4*32+ 5) /* Hardware virtualization */
#define X86_FEATURE_PN (0*32+18) /* Processor serial number */
Just if you are not sure about installing 64Bit Linux, check for lm. And if ht is shown, you do not worry, can detect twice as much cores as there are, or if...

Oct 16, 2009

Batch processing: ssh access to multiple servers without ssh-keys

It is always the same: You are used to a technique like
  • accessing server via ssh with ssh-keys
But in some environments you are not allowed or you just don't want to put your authorized_keys to the servers, which you want to access. But how to automate logins to this servers?
  1. Poor man's approach
    buffer the password and use the middle button on your mouse, each time the script asks for the password.
    This works, but this is only "semi-automatic"
  2. Use expect
    With this tool it is very easy to automate logins without using ssh-keys. Just write a script auto.ssh.sh like this:
#!/usr/bin/expect
spawn ssh -l root $argv
expect "Password: "
send "mypassword\n"
expect "#";
send "date\n";
expect "#";
send "exit\n";
This script can be called with a parameter (here IP or hostname) and executes the date command on the server. Now just write a loop:
for server in 10.0.0.1 10.0.0.2 10.0.0.3; do ./auto.ssh.sh $server; done
And you are done...
(But this is not so secure like using ssh-keys!)

Oct 14, 2009

Bash history for multiple shells...

Did you ever configure something and after a while you were not able to remember the exact syntax for the command?
If you used the bash shell, then the command history was your friend:
history|grep <part of command>
and you got everytime the line with the right command back.
Everytime? Hmm no. Sometimes the command did not show up in the history. First guess:
HISTFILESIZE
was not big enough, but there is another option for missing entries:
If you work with multiple shells at the same time, then the history will be (over)written by closing the last shell.
But this can be avoided:
After adding the following to your .bashrc, you will never miss an entry again ;-):
shopt -s histappend
For more information of shopt take a look here.

Oct 1, 2009

Linux: hash algorithms for passwords inside /etc/shadow

You read the headline and you are sure that this is easy to answer?
I was thinking the same: Just a MD5-hash inside this /etc/shadow file.

But this is not true anymore:
You can use several hash algorithms inside /etc/shadow like
  • MD5
  • blowfish
  • DES
  • SHA-256
  • SHA-512
Inside /etc/shadow you can see the following:
schroff:$1$<String1>$<String2>:0:99999:7:::
$1$ stays for MD5, $2a$ for blowfish, $5$ for SHA-256, $6$ for SHA-512. The <String1> contains a salt and <String2> the hashed password.
The other values can be easily interpreted (and changed) with the following command:
schroff@hades:$ chage -l schroff
Letzte Passwortänderung : Feb 01, 2009
Passwort läuft ab : nie
Passwort inaktiv : nie
Benutzerzugang läuft ab : nie
Minimale Anzahl der Tage zwischen Passwortänderungen : 0
Maximale Anzahl der Tage zwischen Passwortänderungen : 99999
Anzahl Tage, an denen vor Passwortablauf gewarnt wird : 7
And where can the hash algorithm be changed? This depends on the linux you are using:
  • /etc/pam.d/common-password (Debian)
  • /etc/default/password (SUSE/Novell)
Is there a way to generate this passwords via command line? Yes, with debian package makepasswd (but only for MD5):
echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.

But this will not work via copy and paste inside /etc/shadow ;-(
To change password via script some linux distribution can use:
echo oracle:mypasswd | chpasswd

or
echo -n mypasswd | passwd --stdin oracle