DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Administering user accounts

Controlling password selection

Password selection constraints give the administrator these capabilities:

Allowing accounts without passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

To permit a user to log in without a password, set Password Required to No. Accounts without passwords are a major security risk. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdNullAllowed value}"

where value is either 1 (no password required) or 0 (a password is required).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.


WARNING: Removing the requirement for passwords does not delete existing passwords. The administrator must change each password as described in ``Setting or changing a user password'' and set the password to blank, or use the passwd(C) command line.

Preventing users from changing their passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set User can choose own to No. Users will then have to get passwords from the accounts administrator when their passwords expire, or the password generator will create them. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdChooseOwn value}"

where value is either 1 (users can choose their own password) or 0 (a password is supplied by the administrator or the password generator).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Allowing users to generate passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

You can choose to have the system generate passwords automatically for users. This guards against users picking ``obvious'' passwords that a knowledgeable intruder could guess, given some personal facts about the user.

To permit users to generate (but not choose) a new password, set User can run generator to Yes. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdRunGenerator value}"

where value is either 1 (the user can run the generator) or 0 (the user cannot).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Restricting password obviousness

An important part of password control is ensuring that passwords are difficult to guess without being too complex to remember. You can prevent users from using passwords that are too easy to guess, like dictionary words or system names.

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set Check for Obviousness to Yes to run complex checks on passwords. The meaning of Yes and No varies with the security profile level chosen. To use the system default value, set it to Default. The meaning can also be set independent of the security profile as described in ``Customizing password checking''.

To change the system default value, use this command line:

usermod -D -x "{passwdCheckedForObviousness value}"

where value is either 1 (use complex checks) or 0 (use less restrictive checks).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Password checking by security profile

Security Check for Obviousness
Defaults No Yes
Low - -
Traditional System V System V-plus
Improved/High goodpw weak goodpw strong

System V (traditional UNIX System V checking) checks that a password:


System V-plus (System V with additions) checks that a password is:

goodpw weak checks that a password does:

goodpw strong (goodpw weak plus additional checks) checks that a password:


The goodpw(ADM) checks are defined in the /etc/default/goodpw file and supplemented or modified by files in the /usr/lib/goodpw directory. Refer to ``Customizing password checking'' for more information.


NOTE: Obviousness checking will prevent certain penetrations based on dictionary checking, but such repeated break-in attempts are better controlled with login limits -- see ``Setting login restrictions on terminals''. Obviousness checks increase the time required to change a password.

For information on using the command line interface, see the usermod(ADM) manual page.

Customizing password checking

The goodpw(ADM) utility also allows you to customize password checking. The file /etc/default/goodpw contains the password control settings. These settings allow you to specify if passwords are checked against dictionary words, word rotations, and user, group, and system names.


NOTE: Password checking can also be set by editing /etc/default/passwd and changing the value of GOODPW as follows:

YES use goodpw
NO use standard UNIX system checking
NONE perform no password checking


You can also define regular expressions (character combinations and arrangements) that all passwords must match (or not match) with the files /usr/lib/goodpw/match and /usr/lib/goodpw/reject, respectively. See goodpw(ADM) for more information.

Setting password length

Password length is controlled by three parameters:

The maximum length of non-generated passwords is 80 characters.

To reconfigure the minimum length, change the value of PASSLENGTH in /etc/default/passwd. If PASSLENGTH is removed from the file or is set to an asterisk (PASSLENGTH=*), the value is calculated by the system; see ``Restricting password obviousness'' for more information.

You can configure the generated length for individual users with the Account Manager. Select a user name, then select Password Restrictions from the Users menu, then select Selection.

To change the system default value, use this command line:

usermod -D -x "{passwdGeneratedLength value}"

where value has a maximum value of 80.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

See also:


Next topic: Setting passwords for dial-in lines
Previous topic: Controlling password expiration

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003