Password security

The password is the first line of defence on any Linux system. It is relied on by a wide range of programs, including any program that calls login, such as telnet and ftp.

If someone has obtained the root password, they have virtually unlimited access to the system. If an attacker obtains a user's password, it can often be used as a launching pad for a more comprehensive attack on the security of the system.

1. Selecting good passwords

It is important that users choose passwords that are difficult to guess or crack. It is also important that they understand the reasons for a well-chosen password.

Some important points:

2. Checking passwords

Any good password-setting program should reject trivial passwords, such as the user's name or words contained in /usr/dict/words.

There are a number of programs that can be used to check passwords. Some of the more useful programs are:

The fact that tools such as Crack are freely available should encourage you to migrate to shadow passwords if your Linux distribution does not already use them.
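The checks described above (the user's name, dictionary words, and a minimum length and character mix), as an added example that is not part of the original page or of any of the tools it mentions. The word list is a small constructed stand-in for /usr/dict/words so that it runs offline; the substitution table and the three-character-class rule are this example's own choices, not something the page prescribes.

```python
import re

# Constructed stand-in for /usr/dict/words so the example runs offline;
# load_wordlist() reads the real file when it is present.
SAMPLE_WORDS = {"password", "secret", "linux", "dragon", "welcome", "letmein"}

# Common letter-for-digit substitutions that do not make a dictionary word any stronger.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def load_wordlist(path="/usr/dict/words"):
    """Read a system word list; fall back to the constructed sample if it is missing."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return {w.strip().lower() for w in fh if w.strip()}
    except OSError:
        return set(SAMPLE_WORDS)


def check_password(password, username, words, min_length=8):
    """Return the reasons a password is trivial; an empty list means it passed."""
    problems = []
    pw = password.lower()
    user = username.lower()

    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # The user's name, forwards or backwards, anywhere in the password.
    if user and (user in pw or user[::-1] in pw):
        problems.append("contains the user name")

    # Dictionary words, including 'dr4g0n' style spellings and a trailing digit suffix.
    candidates = {pw, pw.translate(LEET), pw.rstrip("0123456789"),
                  re.sub(r"[^a-z]", "", pw.translate(LEET))}
    hits = sorted(c for c in candidates if c in words)
    if hits:
        problems.append(f"based on the dictionary word {hits[0]!r}")

    # Character variety: lower case, upper case, digits, anything else.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")

    return problems


if __name__ == "__main__":
    words = load_wordlist()
    for user, pw in (("alice", "alice123"), ("bob", "Dr4g0n!"), ("alice", "correct-Horse7batt")):
        verdict = check_password(pw, user, words)
        print(f"{user}/{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Running it shows the first two candidates rejected (user name and too little variety; too short and a disguised "dragon") and the third accepted. A real deployment would plug these rules into the password-changing program rather than run them after the fact, which is exactly what the PAM approach described later on this page allows.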

3. Shadow passwords

Shadow passwords are an adjunct to the standard /etc/passwd file: the encrypted (hashed) passwords are moved into a separate file, /etc/shadow, that is readable only by root.

This allows standard utilities to read /etc/passwd for information such as a user's UID or GID, while preventing ordinary users from reading the password field and feeding it into a password-cracking program.

Red Hat, by default, uses non-shadow passwords, but the password file is easily converted to shadow passwords with the pwconv tool.
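An audit of the situation pwconv fixes, as an added example that is not part of the original page: it reads passwd-format lines and reports accounts whose hash still sits in the world-readable /etc/passwd (field 2 is neither the shadow marker `x` nor a locked marker), plus accounts with an empty password field, and checks that a file mode grants no read access to "other", as /etc/shadow requires. The sample entries are constructed, including the hash string, and the set of lock markers is this example's own assumption.

```python
import stat

# Constructed sample entries, not taken from any real system. Field layout is
# name:password:UID:GID:GECOS:home:shell; an 'x' password field means the hash
# lives in /etc/shadow. The hash for 'alice' is a made-up placeholder.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:$1$saltsalt$A1b2C3d4E5f6G7h8I9j0K1:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
    "guest::1002:1002:Guest:/home/guest:/bin/bash",
    "nobody:*:65534:65534:nobody:/:/sbin/nologin",
]

# Values that are not hashes: 'x' (shadowed) and '*', '!', '!!' (locked, no usable password).
NOT_A_HASH = {"x", "*", "!", "!!"}


def parse_passwd(lines):
    """Parse passwd-format lines into {name: password_field}; blank lines and comments are skipped."""
    entries = {}
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        entries[fields[0]] = fields[1]
    return entries


def audit_passwd(lines):
    """Report accounts whose hash is exposed in /etc/passwd and accounts with no password at all."""
    pw = parse_passwd(lines)
    return {
        "exposed_hashes": sorted(n for n, f in pw.items() if f and f not in NOT_A_HASH),
        "empty_passwords": sorted(n for n, f in pw.items() if f == ""),
    }


def shadow_mode_ok(mode):
    """True if a file mode (st_mode) grants no read access to 'other', as /etc/shadow requires."""
    return not (mode & stat.S_IROTH)


if __name__ == "__main__":
    import os
    print(audit_passwd(PASSWD_LINES))
    try:
        print("/etc/shadow mode ok:", shadow_mode_ok(os.stat("/etc/shadow").st_mode))
    except OSError as exc:
        print("cannot stat /etc/shadow:", exc)
```

On the sample data the audit flags alice (hash readable by everyone) and guest (no password); on a live system, read the real /etc/passwd instead and expect an empty report once pwconv has run.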

4. Minimising root access

Most Linux distributions support /etc/securetty, which lists the terminal devices from which root may log in directly.

For example, an /etc/securetty file containing only the entries console and tty1 allows root to log in from the console or from tty1, which may be a terminal or modem line.

Users can still gain root access from terminals that are not listed in /etc/securetty by logging in as a normal user and then using the su command, but the restriction will stop a remote attacker who has only the root password.
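The securetty check itself, as an added example that is not part of the original page or of login's own source: a file with the two entries described above is constructed inline, and the decision rule mirrors the classic login behaviour (no file means no restriction; otherwise the terminal name, minus any /dev/ prefix, must appear in the file). The `risky_entries` helper is this example's own heuristic for spotting pseudo-terminal entries that would admit network logins; how a given PAM module treats such entries is not something the page specifies.

```python
# Constructed /etc/securetty contents matching the example in the text:
# root may log in on the console and on tty1 only.
SAMPLE_SECURETTY = """\
# terminals root may log in from
console
tty1
"""


def parse_securetty(text):
    """Return the set of terminal names listed; comments and blank lines are ignored."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            allowed.add(line)
    return allowed


def root_login_allowed(securetty_text, tty):
    """Mirror the login check: with no /etc/securetty (None) root may log in anywhere;
    otherwise the tty name, minus any /dev/ prefix, must appear in the file."""
    if securetty_text is None:
        return True
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    return name in parse_securetty(securetty_text)


def risky_entries(securetty_text):
    """Entries naming pseudo-terminals (pts/N, ttypN), i.e. the terminals network sessions get."""
    return sorted(t for t in parse_securetty(securetty_text)
                  if t.startswith("pts/") or t.startswith("ttyp"))


if __name__ == "__main__":
    for tty in ("console", "/dev/tty1", "tty2", "/dev/pts/3"):
        print(f"{tty:12} root login allowed: {root_login_allowed(SAMPLE_SECURETTY, tty)}")
    print("risky entries:", risky_entries(SAMPLE_SECURETTY + "pts/0\n"))
```

A telnet session lands on a pseudo-terminal such as pts/3, so with the two-line file above a remote root login is refused, which is the whole point of the section; the auditing helper is there to catch the opposite case, where someone has added pts entries to make remote root logins work again.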

5. PAM

The PAM (Pluggable Authentication Modules) project aims to provide customisable authentication for any program that requires it, without the program having to be recompiled.

This makes it easy to configure programs to use different methods of authentication, such as /etc/passwd, shadow passwords, S/Key or a security card reader.
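As an added illustration that is not taken from the original page or from any distribution's shipped files, here is a constructed PAM configuration for the login program that ties the earlier sections together: the securetty restriction is applied first, then the standard Unix password check, which consults /etc/shadow when the password file has been converted. Module names and the file path are the conventional ones on Linux-PAM systems; the exact layout of your distribution's /etc/pam.d may differ.

```text
# /etc/pam.d/login (constructed example)
# Each line: type  control  module
auth      required   pam_securetty.so     # root only from terminals listed in /etc/securetty
auth      required   pam_unix.so          # password check against /etc/passwd and /etc/shadow
account   required   pam_unix.so          # account validity (expiry, locked accounts)
password  required   pam_unix.so          # rules applied when the password is changed
session   required   pam_unix.so          # per-login session bookkeeping
```

Swapping pam_unix.so on the auth line for another module is how a site moves login to a different authentication method without touching the login binary, which is the property the section describes.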
