S 4.14 Mandatory password protection under Unix
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Password protection for every account on a Unix computer ensures that only an authorised user can log in under his/her login name: after entering the login name, the user must authenticate by entering a password.
When using passwords for users and groups, the rules described in S 2.11 Provisions governing the use of passwords must be observed. It must be noted that on some systems only a limited number of characters is taken into consideration during password verification. In order to implement these safeguards, only versions of the passwd program that enforce these rules, or administrative safeguards such as shell scripts with corresponding cron entries, should be used.
As a further alternative, the default Unix command passwd may also be replaced by other password programs with extended functionality. These include the public domain programs anlpasswd, npasswd, and passwd+, which verify the quality of a newly selected password when the user changes it and reject it if it is too weak. They are available, for example, from the FTP server ftp://ftp.cert.dfn.de/pub/tools/password/.
The passwords must not be stored in the generally readable /etc/passwd file, but in a shadow password file that cannot be read by users. Every newer Unix system includes this shadow option, but unfortunately it is not always enabled upon initial installation (for example, in a default installation of RedHat Linux the shadow password file must be enabled with the pwconv command).
The /etc/passwd file must be checked at regular intervals for user identifiers without a password. If such an identifier is found, the user must be disabled. If mandatory passwords have been agreed for groups, the /etc/group file must be checked accordingly. However, it is recommended not to assign passwords to groups at all and to keep the number of users in each group as low as possible. This makes it easier for a user to switch between the groups he/she is a member of, and unauthorised switching by systematically trying passwords with the corresponding programs is prevented.
All logins, particularly those with UID 0, should be checked regularly for the presence and quality of passwords (see also S 2.11 Provisions governing the use of passwords and S 4.26 Regular security checks of Unix systems). Along with the programs described in S 4.26 Regular security checks of Unix systems, these logins may also be determined with commands such as
- awk -F: '{if ($3=="0") print $1}' /etc/passwd
- awk -F: '{if ($2=="") print $1}' /etc/passwd
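The two checks above, combined into one audit script, as an added example that is not part of this safeguard: it lists UID 0 logins and logins whose password field is empty, and checks the shadow file as well, since on a shadowed system the password field in /etc/passwd only holds "x". The function names and the two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the safeguard text): audit passwd- and shadow-format
# files for UID 0 logins and logins with an empty password field. The sample
# files are constructed; on a real host use /etc/passwd and /etc/shadow (root).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT

# Constructed passwd file: a second UID 0 login and one empty password field
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
EOF

# Constructed shadow file: alice has an empty hash field, bob is locked ("!")
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$placeholderhash:19000:0:99999:7:::
toor:$6$placeholder$placeholderhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!:19000:0:99999:7:::
EOF

# list_uid0 FILE: login names whose UID (field 3) is 0
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# list_empty_pw FILE: login names whose password field (field 2) is empty;
# field 2 holds the password in both the passwd and the shadow layout
list_empty_pw() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# audit_accounts PASSWD SHADOW: one finding per line (UID 0 logins other than
# root, empty password fields in either file); returns 1 if anything was found
audit_accounts() {
    findings=$( {
        list_uid0 "$1" | awk '$1 != "root" { print "UID0 " $1 }'
        list_empty_pw "$1" | awk '{ print "NOPASS(passwd) " $1 }'
        list_empty_pw "$2" | awk '{ print "NOPASS(shadow) " $1 }'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
# Stand-alone run against the constructed files
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "review the logins above"
```

Run as root with the real files substituted; a non-zero exit status makes the script usable directly from a cron entry that mails its output.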
Review questions:
- Is it ensured that all accepted characters are taken into consideration during the password check?
- Are weak passwords rejected by the IT system?
- Have the passwords been stored in a shadow password file that the users cannot read?
- Is the /etc/passwd file regularly checked for user identifiers without a password?