[CentOS] Re: About strongs passwords! -- PAM

Bryan J. Smith <b.j.smith@ieee.org>

thebs413 at earthlink.net
Fri May 13 16:02:55 UTC 2005


From: israel.garcia at cimex.com.cu
> 1.  My users have to work on the shell because they run a C++
> script to work in the database..

If it's just 1 or 2 scripts, consider limiting access to programs with another
shell and/or a web or other front-end that only lets them launch a specific
process.

> 2. So I want to force my users to pick a strong password.. Is there some
> command, tool to do this?

Actually, modifying PAM rules is highly recommended for this.
So it not only does it for a single program, but all programs that change
the password.

But ideally, you should consider _not_ using passwords for SSH.
You should enable either public key authentication or Kerberos.
It increases security ten-fold because the actual communication
sent is a challenge -- i.e., a one-time, random password that is
not good ever again.

In the case of public key authentication, you'll want to use passphrases,
and enforce strong rules on those.  The passphrases protect the
private key on the client, which you never want to store whole.
You'll need to research how to enforce that with "ssh-keygen" and the
local "/etc/ssh/*config*" on each system where they are using
the SSH client.

If you're really anal, you can use smart cards.  Then no system ever
has even the private key.  It's actually easier to set up for SSH than
most people think.



--
Bryan J. Smith   mailto:b.j.smith at ieee.org
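
An added example, not part of the original message: a small sh audit of the two settings recommended above, namely whether sshd still accepts passwords and whether the PAM password stack calls a strength-checking module. The message names no specific module, so the choice of pam_cracklib/pam_pwquality, the minlen threshold of 12 and all sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the two settings the message recommends.
# All sample files below are constructed for the demonstration.

# Print the effective global value of an sshd_config keyword: keywords are
# case-insensitive, the first occurrence wins, and a Match line ends the
# global section. Prints DEFAULT when the keyword is not set.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Succeed if the PAM "password" stack in FILE calls pam_cracklib or
# pam_pwquality with a minlen= argument of at least MIN. Only module
# arguments are read, not /etc/security/pwquality.conf.
pam_enforces_strength() {  # usage: pam_enforces_strength FILE MIN
    awk -v min="$2" '
        $1 == "password" && /pam_(cracklib|pwquality)\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minlen=[0-9]+$/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 >= min + 0) ok = 1
                }
        }
        END { exit !ok }' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' > "$tmp/sshd_weak"
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$tmp/sshd_keys"
printf '%s\n' 'password required pam_unix.so md5 shadow' > "$tmp/pam_weak"
printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=12' \
    'password required pam_unix.so use_authtok md5 shadow' > "$tmp/pam_strong"

for f in sshd_weak sshd_keys; do
    echo "$f: PasswordAuthentication=$(sshd_effective "$tmp/$f" PasswordAuthentication yes)"
done
for f in pam_weak pam_strong; do
    if pam_enforces_strength "$tmp/$f" 12; then
        echo "$f: minlen >= 12 enforced"
    else
        echo "$f: no minlen >= 12 rule found"
    fi
done
```

The commented-out line in the first sample is reported as "yes" because sshd falls back to its default when the keyword is unset.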



