Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual page 635

passwords, they can use the command line application passwd, which is Pluggable Authentication
Manager (PAM) aware and therefore checks to see if the password is too short or otherwise easy
to crack. This check is performed using the pam_cracklib.so PAM module. Since PAM is
customizable, it is possible to add more password integrity checkers, such as pam_passwdqc
(available from http://www.openwall.com/passwdqc/) or to write a new module. For a list of available
PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html. For more information
about PAM, refer to Section 43.4, "Pluggable Authentication Modules (PAM)".
The password check that is performed at the time of their creation does not discover bad passwords
as effectively as running a password cracking program against the passwords.
Many password cracking programs are available that run under Red Hat Enterprise Linux, although
none ship with the operating system. Below is a brief list of some of the more popular password
cracking programs:
Note
None of these tools are supplied with Red Hat Enterprise Linux and are therefore not
supported by Red Hat, Inc. in any way.
• John The Ripper — A fast and flexible password cracking program. It allows the use of multiple
word lists and is capable of brute-force password cracking. It is available online at
http://www.openwall.com/john/.
• Crack — Perhaps the most well known password cracking software, Crack is also very fast, though
not as easy to use as John The Ripper. It can be found online at http://www.openwall.com/john/.
• Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on
multiple computers simultaneously, creating a distributed password cracking attack. It can be
found along with a number of other distributed attack security evaluation tools online at
http://www.ussrback.com/distributed.htm.
Warning
Always get authorization in writing before attempting to crack passwords within an
organization.
43.1.3.2.2. Password Aging
Password aging is another technique used by system administrators to defend against bad passwords
within an organization. Password aging means that after a specified period (usually 90 days), the user
is prompted to create a new password. The theory behind this is that if a user is forced to change
his password periodically, a cracked password is only useful to an intruder for a limited amount of
time. The downside to password aging, however, is that users are more likely to write their passwords
down.
There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the
chage command or the graphical User Manager (system-config-users) application.
The -M option of the chage command specifies the maximum number of days the password is valid.
For example, to set a user's password to expire in 90 days, use the following command:
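As an added example (not the guide's own command), the script below audits the aging settings that chage -M writes: the maximum-days value is stored as the fifth colon-separated field of each /etc/shadow entry, and an empty field means the password never expires. It reports accounts whose maximum exceeds a policy limit and emits the chage invocations that would bring them into line. The shadow lines are constructed sample data with fake hashes.

```shell
#!/bin/sh
# Audit password aging from /etc/shadow-format input (added example, not part
# of the Red Hat guide). Field 5 = maximum password age in days (set by chage -M).
# Usage: printf '%s\n' "$SHADOW_LINES" | audit_password_aging 90

# Constructed sample data; hashes are fake placeholders, not real accounts.
SAMPLE_SHADOW='root:$6$fakehash:19000:0:90:7:::
alice:$6$fakehash:19000:0:365:7:::
bob:$6$fakehash:19000:0::::
svc:!!:19000:0:90:7:::'

# Print, space-separated, the users whose maximum age is unset or above $1.
# Locked accounts (hash beginning with ! or *) have no usable password to age.
audit_password_aging() {
  awk -F: -v policy="$1" '
    $2 ~ /^[!*]/ { next }
    $5 == "" || $5+0 > policy+0 { out = out (out ? " " : "") $1 }
    END { print out }'
}

# For each violator, print the chage command that enforces the policy maximum.
remediation_commands() {
  audit_password_aging "$1" | tr ' ' '\n' | while read -r user; do
    [ -n "$user" ] && printf 'chage -M %s %s\n' "$1" "$user"
  done
}

# Demonstration on the constructed sample; on a real host the input would be
# /etc/shadow, readable only by root.
printf '%s\n' "$SAMPLE_SHADOW" | remediation_commands 90
```
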