Security

Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.

Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall.

Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically its ability to confirm signed packages, which reveals modifications made to the tarball after the packager created it.

Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator), then regenerates those "signatures" and compares them to find files that have been changed.

cracklib-2.7

Introduction to cracklib

The cracklib package contains a library used to enforce strong passwords by comparing user-selected passwords to words in a chosen wordlist.

Package information

Additional downloads

You will also need to download a wordlist for use with cracklib. There are two wordlists to choose from at the following location. Use the cracklib word list for good security, or opt for the allwords word list for lightweight machines short on RAM. You can of course choose any other word list that you have at your disposal.

cracklib (15.6MB): http://www.cotse.com/wordlists/cracklib

allwords (466KB): http://www.cotse.com/wordlists/allwords

Installation of cracklib

First, we need to install the chosen word list for cracklib:

install -d -m755 /usr/share/dict &&
install -m644 [wordlist] /usr/share/dict &&
ln -sf [wordlist] /usr/share/dict/words &&
echo $(hostname) >> /usr/share/dict/extra.words

Our wordlist is linked to /usr/share/dict/words because, historically, words is the primary wordlist in the /usr/share/dict directory. We also echo the value of hostname to a file called extra.words. This extra file is intended to be a site-specific list of easy-to-guess passwords such as company or department names, users' names, product names, computer names, domain names, etc.
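As an added example (not part of the BLFS instructions), the shell functions below seed extra.words with the kinds of site-specific entries described above: login names, users' real names and the labels of the host's domain name. The function names, the sample passwd data and build01.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example: seed extra.words with site-specific, easy-to-guess words.

# site_words PASSWD_FILE FQDN
# Prints, one per line and in lowercase: login names, the words of each
# user's full name (GECOS text before the first comma), and every label
# of the fully qualified host name.
site_words() {
    {
        awk -F: '{
            print $1
            split($5, gecos, ",")
            n = split(gecos[1], parts, /[ \t]+/)
            for (i = 1; i <= n; i++) print parts[i]
        }' "$1"
        printf '%s\n' "$2" | tr '.' '\n'
    } | tr '[:upper:]' '[:lower:]' | awk 'length($0) > 0' | sort -u
}

# merge_words FILE
# Adds the words read from stdin to FILE, keeping each entry only once.
merge_words() {
    tmp=$(mktemp) || return 1
    touch "$1"
    sort -u "$1" - > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample in passwd(5) format; these are not real accounts.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
asmith:x:1000:1000:Alice Smith,Room 12,,:/home/asmith:/bin/bash
bjones:x:1001:1001:Bob Jones:/home/bjones:/bin/bash
EOF
}

# Demonstration in a scratch directory; build01.example.org is a placeholder.
demo() {
    dir=$(mktemp -d) || return 1
    sample_passwd > "$dir/passwd"
    echo build01 > "$dir/extra.words"    # entry left by the hostname step
    site_words "$dir/passwd" build01.example.org |
        merge_words "$dir/extra.words"
    cat "$dir/extra.words"
    rm -rf "$dir"
}
demo
```

On a real system the same two functions would be pointed at /etc/passwd and /usr/share/dict/extra.words; company, department and product names still have to be added by hand.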

Now apply the BLFS patch:

patch -Np1 -i ../cracklib,2.7-blfs-1.patch

If necessary, apply the heimdal patch:

cp -R cracklib cracklib_krb5 &&
patch -Np1 -i ../cracklib,2.7-heimdal-1.patch

Finally, install the package:

make install

Contents

The cracklib package contains the libcrack library.

Description

libcrack library

The libcrack library provides a fast dictionary lookup method for strong password enforcement.