[techtalk] password policy?

Julie jockgrrl at austin.rr.com
Tue Jun 19 21:26:18 EST 2001


Martin.Caitlyn at epamail.epa.gov wrote:
> 
> Hi, Nicole,
> 
> > Will I have to do this for every username? Yes I can write a script
> > (which I have done a lot of lately), but if there is an easy way to do it
> > automatically that would be nice :o)
> 
> Hmmm... I never checked into that.  I always just did it as accounts got
> created.  I never had to do a mass conversion.  Julie is on this list, and
> she wrote the thing, so maybe she could answer the question better, but I
> don't think chage accepts wildcards at all.  A bash script for this
> shouldn't be too hard to cook up, though.

Yes, you have to do it for each and every user.  This is why the
Goddess invented awk and xargs.

You can set the expiry length with a useradd default -- look at the
-D option to useradd.  The -W option to chage unfortunately has no
counterpart in useradd (or usermod).  If I were doing it all over
again I'd have added that option.  For anything else, read the man
pages -- that's what I just did ;-)  The "chage" man page is probably
worth a read as many admins don't seem to know the command even
exists as it's unique to Shadow (and thus, unique to Linux w.r.t.
the commercial OSes).

Speaking of Shadow, does anyone know where the maintainer is these
days?  This exchange has me thinking that adding a "-w" flag is a
Really Good Idea.

> > I'll have to dig up more on cracklib for appropriate use to meet/exceed
> > the windows policy.
> 
> That link I sent in the last message I posted really does cover it in great
> detail.  I expect you'll find everything you need there.

It's been a while since Alec and I chatted, but back when CrackLib
was included with Shadow, it could do most of what's been
described vis-à-vis password construction rules.

ObCrackStory -- Five or six years ago I was tasked with enforcing
IBM's password security rules.  I'd very politely asked the 300 or
so people who were using a server farm I administered to please
comply and gave them something like a month or so to do it.  After
that time was up I built a password file containing every user on
every system I administered and then pointed Crack at it on the
fastest machine I had (which I think was an IBM RS/6000 Model 990
at the time).  The next day I went back and found that about a third
of all the accounts had crackable passwords.  They were all sent
very nice letters.  Some of the letters I got back weren't so
nice, however ;-) 
-- 
  8:50pm  up 21:27,  4 users,  load average: 3.10, 1.54, 0.70
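A worked version of the loop the reply above describes (awk picks the users out of /etc/passwd, xargs hands them to chage one at a time), added here as an example; it is not Julie's code and not part of the shadow suite. It assumes a shadow-suite chage that accepts -M, -m and -W (max days, min days, warn days; the -W value is the per-user warning period the post notes has no useradd counterpart), that ordinary users occupy UIDs 1000 to 60000 (check your own login.defs), and GNU xargs for -r. The passwd file it runs against is constructed for the dry run, so the plan can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the original post or from the shadow suite.
# Mass-apply a password-ageing policy with chage(1): awk picks the users
# out of a passwd file, xargs hands them to chage one at a time.
# Assumptions: chage accepts -M (max days), -m (min days) and -W (warn
# days) as in the shadow suite; "ordinary" users have UIDs in
# [UID_MIN, UID_MAX] (1000-60000 here, check your login.defs); GNU xargs
# for the -r flag.  The policy numbers below are placeholders.

PASS_MAX_DAYS=${PASS_MAX_DAYS:-90}   # password expires after 90 days
PASS_MIN_DAYS=${PASS_MIN_DAYS:-1}    # at least one day between changes
PASS_WARN_AGE=${PASS_WARN_AGE:-7}    # warn for a week before expiry
UID_MIN=${UID_MIN:-1000}
UID_MAX=${UID_MAX:-60000}

# select_users PASSWD_FILE
# Print one username per line for accounts someone can actually log
# into: UID inside the ordinary range and a shell that is not
# nologin/false.  System accounts are skipped; ageing their passwords
# only generates noise.
select_users() {
    awk -F: -v lo="$UID_MIN" -v hi="$UID_MAX" '
        $3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# plan_policy PASSWD_FILE
# Print the exact chage command that would be run for each user, so the
# list can be reviewed before anything touches /etc/shadow.
plan_policy() {
    select_users "$1" | while IFS= read -r user; do
        printf 'chage -M %s -m %s -W %s %s\n' \
            "$PASS_MAX_DAYS" "$PASS_MIN_DAYS" "$PASS_WARN_AGE" "$user"
    done
}

# apply_policy PASSWD_FILE
# Same thing for real: must run as root, since chage writes /etc/shadow.
# xargs -n 1 runs one chage per user; -r (GNU) skips the run entirely
# when awk selected nobody, instead of invoking chage with no username.
apply_policy() {
    select_users "$1" | xargs -r -n 1 \
        chage -M "$PASS_MAX_DAYS" -m "$PASS_MIN_DAYS" -W "$PASS_WARN_AGE"
}

# Constructed sample passwd file for a dry run; not a real system.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc-backup:x:1002:1002:Backup:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Review the plan; on a live box, follow with: apply_policy /etc/passwd
plan_policy "$SAMPLE_PASSWD"
# Afterwards "chage -l alice" shows the new ageing fields for one user.
```

On the sample file the plan is two lines, one chage for alice and one for bob; root, daemon, the nologin service account and nobody are all filtered out by awk before xargs ever sees them. Run the plan first on the real /etc/passwd, read the list, and only then call apply_policy as root.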