Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.
Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall.
Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically by the ability to verify signed packages, which reveals modifications made to the tarball after the packager created it.
Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator), then regenerates those "signatures" and compares them to find files that have been changed.
The cracklib package contains a library used to enforce strong passwords by comparing user-selected passwords to words in a chosen wordlist.
Download (HTTP): http://www.crypticide.com/users/alecm/security/cracklib,2.7.tar.gz
Download size: 21 KB
Estimated Disk space required (with cracklib wordlist): 17 MB
Estimated build time: 0.10 SBU
You will also need to download a wordlist for use with cracklib. There are two wordlists to choose from at the following location. Use the cracklib word list for good security, or opt for the allwords word list for lightweight machines short on RAM. You can of course choose any other word list that you have at your disposal.
cracklib (15.6MB): http://www.cotse.com/wordlists/cracklib
allwords (466KB): http://www.cotse.com/wordlists/allwords
First, we need to install the chosen word list for cracklib:
install -d -m755 /usr/share/dict && install -m644 [wordlist] /usr/share/dict && ln -sf [wordlist] /usr/share/dict/words && echo $(hostname) >> /usr/share/dict/extra.words
Our wordlist is linked to /usr/share/dict/words because, historically, words is the primary wordlist in the /usr/share/dict directory. We also echo the value of hostname to a file called extra.words. This extra file is intended to be a site-specific list which includes easy-to-guess passwords such as company or department names, users' names, product names, computer name, domain name, etc.
Now apply the BLFS patch:
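One way to populate the site-specific list described above, added here as an example and not part of the BLFS instructions. The function names build_extra_words and merge_extra_words, the passwd-format input file and the extra terms are assumptions; unlike a plain `>>` append, the merge step can be re-run without creating duplicate entries.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of cracklib or BLFS).

# build_extra_words PASSWD_FILE FQDN [TERM...]
# Prints one lowercase candidate word per line, sorted and de-duplicated:
# host and domain labels, login names, words of each user's full name,
# and any company/department/product terms given by the administrator.
build_extra_words() {
    passwd_file=$1
    fqdn=$2
    shift 2
    {
        # Full host name, then each label (short host name, domain parts).
        printf '%s\n' "$fqdn"
        printf '%s\n' "$fqdn" | tr '.' '\n'
        # Field 1 is the login name; field 5 (GECOS) holds the full name
        # before the first comma.
        awk -F: '{
            print $1
            sub(/,.*/, "", $5)
            n = split($5, w, /[ \t]+/)
            for (i = 1; i <= n; i++) print w[i]
        }' "$passwd_file"
        # Administrator-supplied terms.
        for term in "$@"; do
            printf '%s\n' "$term"
        done
    } | tr '[:upper:]' '[:lower:]' | sed '/^$/d' | LC_ALL=C sort -u
}

# merge_extra_words TARGET
# Merges words read from stdin into TARGET without duplicates, replacing
# the file in one step so a failed run never leaves a partial list.
merge_extra_words() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    {
        if [ -f "$target" ]; then cat "$target"; fi
        cat
    } | LC_ALL=C sort -u > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target"
}

# Usage (as root), with constructed terms:
#   build_extra_words /etc/passwd "$(hostname -f)" "Example Corp" widgetpro |
#       merge_extra_words /usr/share/dict/extra.words
```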
patch -Np1 -i ../cracklib,2.7-blfs-1.patch
If necessary, apply the heimdal patch:
cp -R cracklib cracklib_krb5 && patch -Np1 -i ../cracklib,2.7-heimdal-1.patch
Finally, install the package:
The cracklib package contains the libcrack library.