Working with Linux Accounts and Password Policies

Hands-On Lab

 


Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Beginner

Introduction

In this lab, we will learn how to configure Linux accounts and security policies. Specifically, we will set password requirements, configure account lockout settings, and create a temporary user account that will expire on a pre-determined date.

Setting Up the Environment

We will connect to our lab server using VNC. The IP address and login credentials are provided on the lab instructions page.

VNC connections will be different for each operating system.

For Mac users:

  1. Open Finder.
  2. Press Command + K on your keyboard to bring up the Connect to Server window.
    • Alternatively, expand Go in the menu at the top of the screen and click Connect to Server.
  3. In the Connect to Server window, connect to vnc://<IP_ADDRESS>:5901, making sure to replace <IP_ADDRESS> with the IP address you were provided on the lab instructions page.

Set Password Requirements on the Linux Host

Minimum Password Length

  1. Open your terminal application.
  2. Edit the password config file.
    sudo nano /etc/pam.d/common-password
  3. Enter your password at the prompt.
  4. Press Ctrl + W, and type "success" for the search term.
  5. At the end of the first uncommented line (line 25, the one that loads pam_unix.so), add minlen=12 one space after sha512.
  6. Press Ctrl + X to exit the file.
  7. Type Y to save the changes, then press Enter.

Minimum and Maximum Password Age

  1. From your terminal application, edit the login defaults file.
    sudo nano /etc/login.defs
  2. Press Ctrl + W, and enter "99999" for the search term.
  3. Under Password aging controls, configure the following settings:
    • PASS_MAX_DAYS: 180
    • PASS_MIN_DAYS: 3
    • These values in /etc/login.defs are defaults for accounts created from now on; existing accounts keep their current aging values until you change them with chage -M 180 -m 3 <user>.
  4. Press Ctrl + X to exit the file.
  5. Type Y to save the changes, then press Enter.

Configure the Account Lockout Settings

Change the Login Failure Policy

  1. Edit the common authentication file.
    sudo nano /etc/pam.d/common-auth
  2. Scroll down to the first non-commented line (the one that loads pam_unix.so), and add the following on a new line directly above it, so the tally is checked before the password is verified:
    auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit
  3. Press Ctrl + X to exit the file.
  4. Type Y to save the changes, then press Enter.
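The three edits above (minimum length, password aging, and the lockout line) can also be applied with a script, which makes the change repeatable and lets you verify it. The script below is an added example and not part of the lab; it assumes the Debian/Ubuntu PAM layout (common-password and common-auth), a POSIX awk, and root for the live files. Pass copies of the files to try it without touching the system. The function names (set_minlen, set_pass_age, add_lockout, check_policy) and the file name policy.sh are this example's own.

```sh
#!/bin/sh
# Added example (not from the lab): apply the three policy edits with a
# script instead of nano, so the change is repeatable and can be verified.
# Assumes the Debian/Ubuntu PAM layout (common-password, common-auth) and a
# POSIX awk. Run as root against the live files; pass copies to dry-run.
set -eu

# Add minlen=LEN to the pam_unix.so line of common-password (or update it).
set_minlen() {             # set_minlen FILE LEN
    awk -v len="$2" '
        /^password/ && /pam_unix\.so/ {
            if ($0 ~ /minlen=[0-9]+/) sub(/minlen=[0-9]+/, "minlen=" len)
            else $0 = $0 " minlen=" len
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Set PASS_MAX_DAYS / PASS_MIN_DAYS in login.defs. These are defaults for
# accounts created afterwards; existing users need chage -M/-m.
set_pass_age() {           # set_pass_age FILE MAX MIN
    awk -v max="$2" -v min="$3" '
        /^PASS_MAX_DAYS[[:space:]]/ { $0 = "PASS_MAX_DAYS   " max }
        /^PASS_MIN_DAYS[[:space:]]/ { $0 = "PASS_MIN_DAYS   " min }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Insert the lockout line ABOVE the first auth pam_unix.so line. Placed
# below it, Debian's [success=1 default=ignore] control would skip the
# tally check whenever the password is right, so a lockout would never bite.
TALLY_LINE='auth required pam_tally2.so onerr=fail deny=3 unlock_time=600 audit'
add_lockout() {            # add_lockout FILE
    if grep -q 'pam_tally2\.so' "$1"; then return 0; fi
    awk -v l="$TALLY_LINE" '
        !done && /^auth/ && /pam_unix\.so/ { print l; done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Verify all three settings; report what is missing, return 1 if anything is.
check_policy() {           # check_policy COMMON_PASSWORD LOGIN_DEFS COMMON_AUTH
    rc=0
    grep -Eq '^password.*pam_unix\.so.*minlen=12([[:space:]]|$)' "$1" \
        || { echo "minlen=12 missing in $1"; rc=1; }
    grep -Eq '^PASS_MAX_DAYS[[:space:]]+180$' "$2" \
        || { echo "PASS_MAX_DAYS is not 180 in $2"; rc=1; }
    grep -Eq '^PASS_MIN_DAYS[[:space:]]+3$' "$2" \
        || { echo "PASS_MIN_DAYS is not 3 in $2"; rc=1; }
    # the tally line must exist and come before pam_unix in the auth stack
    awk '/pam_tally2\.so/ { t = NR } /^auth/ && /pam_unix\.so/ { u = NR }
         END { exit !(t && u && t < u) }' "$3" \
        || { echo "pam_tally2 line missing or placed after pam_unix in $3"; rc=1; }
    return $rc
}

# Usage: sudo sh policy.sh apply
if [ "${1:-}" = apply ]; then
    set_minlen /etc/pam.d/common-password 12
    set_pass_age /etc/login.defs 180 3
    add_lockout /etc/pam.d/common-auth
    check_policy /etc/pam.d/common-password /etc/login.defs /etc/pam.d/common-auth
fi
```

Once the lockout line is in place, sudo pam_tally2 --user cloud_user shows the failure counter for an account and sudo pam_tally2 --user cloud_user --reset clears it, which is the way to unlock a user before unlock_time has elapsed. Note that pam_tally2 was removed from Linux-PAM 1.5.0; on a distribution that ships that version or newer, pam_faillock is the replacement and the line above will cause authentication to fail on a module that cannot be loaded.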

Test the Login Failure Settings

  1. Run the following command:
    ssh cloud_user@127.0.0.1
  2. Type yes to accept the server's SSH host key.
  3. Enter an incorrect password five times at the prompt. The SSH client gives up after a few wrong passwords; if it disconnects, run the ssh command again and keep going.
  4. Each attempt returns a message that says "Permission denied, please try again."
  5. Run the following command to check the status of your account:
    su - cloud_user
  6. You should receive a message that says "Account locked due to 5 failed logins."

Create a Temporary User Account

  1. Create a temporary user account.
    sudo adduser contractor1
  2. Provide a password for the account at the prompt.
  3. Set the user account to expire in one week (remember to replace <MM/DD/YYYY> with the date a week from today).
    sudo chage -E "<MM/DD/YYYY>" contractor1
  4. Verify that the account expiration is configured correctly.
    sudo chage -l contractor1
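The same account can be created with the expiry date computed rather than typed, and the result checked against /etc/shadow as well as chage -l. The script below is an added example and not part of the lab; it assumes GNU coreutils date (for -d) and the shadow-utils tools useradd, chage and getent, and it needs root to create the account. The function names and the file name temp_user.sh are this example's own; the shadow line in the comments is constructed sample data.

```sh
#!/bin/sh
# Added example (not from the lab): create a contractor account whose expiry
# is computed, then verify it from /etc/shadow as well as from chage -l.
# Assumes GNU coreutils date and shadow-utils (useradd, chage, getent).
set -eu

# Print the date DAYS days after BASE (default: today) as YYYY-MM-DD,
# the form the chage(1) and useradd(8) man pages document for -E / -e.
expiry_date() {            # expiry_date DAYS [BASE]
    date -d "${2:-today} +$1 days" +%F
}

# Convert the 8th field of one /etc/shadow line (account expiry, in days
# since 1970-01-01) to YYYY-MM-DD; print "never" when the field is empty.
# Constructed sample line: contractor1:!:19997:0:99999:7::20000:
shadow_expiry() {          # shadow_expiry SHADOW_LINE
    days=$(printf '%s\n' "$1" | cut -d: -f8)
    if [ -z "$days" ]; then
        echo never
    else
        date -u -d "@$((days * 86400))" +%F
    fi
}

# Create USER with a home directory and an expiry DAYS days out, set the
# password interactively, then show the expiry two ways (needs root).
create_temp_user() {       # create_temp_user USER DAYS
    exp=$(expiry_date "$2")
    useradd -m -e "$exp" "$1"
    passwd "$1"
    chage -l "$1" | grep 'Account expires'
    echo "shadow says: $(shadow_expiry "$(getent shadow "$1")")"
}

# Usage: sudo sh temp_user.sh contractor1 7
if [ $# -eq 2 ]; then
    create_temp_user "$1" "$2"
fi
```

Reading the expiry back from /etc/shadow is worth doing once because chage -l prints the same field formatted for humans; if the two disagree, the date was parsed differently from what you intended, which is the risk of passing a locale-dependent form such as MM/DD/YYYY instead of YYYY-MM-DD.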

Conclusion

Congratulations, you've successfully completed this hands-on lab!