The default settings applied to system login are what Red Hat deems basic security. If, for some reason, you want to change them, this recipe shows a couple of examples. Authconfig provides two tools to configure authentication: authconfig and authconfig-tui. Both write the PAM configuration for you in such a way that the changes survive rpm updates.
The authconfig-tui tool is not as feature-rich as the plain authconfig tool, which I personally recommend you use, as it exposes more options.
You can edit the files in /etc/pam.d by hand if and when you know what you are doing, but this is not recommended: a mistake in those files can lock every user, including root, out of the system.
Perform the following steps:
First, set the hashing algorithm for the passwords stored in /etc/shadow to sha512, the strongest algorithm authconfig offers (md5 and des are obsolete), as follows:
~]# authconfig --passalgo=sha512 --update
Note that this only affects passwords set from now on; existing hashes are not converted until each user next changes their password.
Enable NIS authentication with the following command, replacing NISDOMAIN and the server name with your own values:
~]# authconfig --enablenis --nisdomain=NISDOMAIN --nisserver=nisserver.example.com --update
Keep in mind that NIS offers no transport encryption and no authentication of the server, so it is only acceptable on a trusted network; prefer IPA or LDAP over TLS where you can.
Now, set the minimum password length to 16 characters:
~]# authconfig --passminlen=16 --update
To require at least one lowercase letter in the password, run the following:
~]# authconfig --enablereqlower --update
To require at least one uppercase letter in the password, run the following:
~]# authconfig --enablerequpper --update
To require at least one digit in the password, run the following:
~]# authconfig --enablereqdigit --update
Finally, to require at least one nonalphanumeric character in the password, run the following:
~]# authconfig --enablereqother --update
On RHEL 7, these quality settings are written to /etc/security/pwquality.conf and enforced by pam_pwquality when a user changes their password; by default they are not enforced when root sets a password for another user.
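The steps above can be applied in a single authconfig invocation and then verified against the files authconfig writes. The script below is an added example and not part of the original recipe; it assumes RHEL 7, where --passminlen and the --enablereq* options end up as minlen and the *credit values in /etc/security/pwquality.conf, and --passalgo sets ENCRYPT_METHOD in /etc/login.defs. The sample configuration files it checks are constructed inline so that the verification functions can be exercised without touching a live system; set APPLY_LIVE=1 and run as root to actually apply the policy.

```shell
#!/bin/sh
# Added example, not from the book. Applies the recipe's password policy in one
# authconfig call and verifies the resulting settings. Assumes RHEL 7 authconfig,
# which records --passminlen/--enablereq* in /etc/security/pwquality.conf and
# --passalgo in /etc/login.defs (ENCRYPT_METHOD).

# Apply all settings from the recipe with a single authconfig invocation.
apply_policy() {
    authconfig --passalgo=sha512 \
               --passminlen=16 \
               --enablereqlower --enablerequpper \
               --enablereqdigit --enablereqother \
               --update
}

# Print the value of "key = value" from a pwquality-style file ($1=file, $2=key),
# ignoring commented-out lines and taking the last occurrence, as pam_pwquality does.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed only if every requirement from the recipe is present in $1:
# minlen >= 16 and each *credit = -1 (pwquality's "at least one of this class").
verify_pwquality() {
    f=$1
    minlen=$(conf_value "$f" minlen)
    [ -n "$minlen" ] && [ "$minlen" -ge 16 ] || {
        echo "minlen not >= 16 (got '${minlen:-unset}')"; return 1; }
    for k in lcredit ucredit dcredit ocredit; do
        v=$(conf_value "$f" "$k")
        [ "$v" = "-1" ] || { echo "$k is '${v:-unset}', expected -1"; return 1; }
    done
    return 0
}

# Succeed only if login.defs ($1) selects SHA512 for newly set password hashes.
verify_hash_algo() {
    m=$(sed -n 's/^[[:space:]]*ENCRYPT_METHOD[[:space:]]\{1,\}\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ "$m" = "SHA512" ]
}

# Constructed sample files (not real system files): one compliant and one
# non-compliant configuration, so the checks can be exercised offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pwquality.good" <<'EOF'
# Configuration for systemwide password quality limits
minlen = 16
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF
cat > "$tmp/pwquality.bad" <<'EOF'
minlen = 8
# dcredit = -1   (commented out, so a digit is not required)
ucredit = -1
lcredit = -1
ocredit = 0
EOF
printf 'ENCRYPT_METHOD SHA512\n' > "$tmp/login.defs.good"
printf 'ENCRYPT_METHOD MD5\n'    > "$tmp/login.defs.bad"

# Exercise the checks on the samples: the good files pass, the bad ones fail.
verify_pwquality "$tmp/pwquality.good" && echo "sample pwquality.good: ok"
verify_pwquality "$tmp/pwquality.bad"  || echo "sample pwquality.bad: rejected as expected"
verify_hash_algo "$tmp/login.defs.good" && echo "sample login.defs.good: SHA512"

# Only touch the live system on explicit request, as root, with authconfig present.
if [ "${APPLY_LIVE:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v authconfig >/dev/null 2>&1; then
    apply_policy
    verify_pwquality /etc/security/pwquality.conf && verify_hash_algo /etc/login.defs \
        && echo "live system: policy applied and verified"
fi
```

After applying the policy on a real host, authconfig --test prints the settings it would write without changing anything, which is a quick way to confirm the options took effect before users start hitting the new rules.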
authconfig and authconfig-tui are wrapper scripts that modify a variety of files, including, but not limited to, /etc/nsswitch.conf, /etc/pam.d/*, /etc/sssd/sssd.conf, /etc/openldap/ldap.conf, and /etc/sysconfig/network.
The advantage of the tool is that it uses the correct syntax, which can sometimes be a little tricky, especially for the files in /etc/pam.d.
One of the interesting features of this tool is the backup and restore functions. If you do not use any centralized identification and authentication infrastructure, such as IPA, you can use them to take a backup of a correctly configured machine and distribute it through whichever means you wish to use.
To back up your authconfig configuration, execute the following:
~]# authconfig --savebackup=/tmp/auth.conf
This creates a /tmp/auth.conf directory containing copies of all the files modified by authconfig.
Copy this directory over to another server and restore the configuration by executing the following:
~]# authconfig --restorebackup=/tmp/auth.conf
All of the security changes you apply through authconfig can also be managed centrally through IPA.
For more information and the full list of configuration options, take a look at the authconfig(8) man page.
You can also find more information on Red Hat's page on authentication at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Authentication.html.