
Password and Login Policy

Never Send Passwords In Clear Text Over The Network (RSU)

As a general rule no protocol that transmits unencrypted authentication data over a network should be used. Examples of insecure protocols are telnet, ftp and the r* tools. All modern Unix and Linux systems ship with secure alternatives as default and either no longer contain legacy tools or require manual intervention to enable legacy protocols.

Where legacy applications demand use of insecure protocols, they should be armoured by using tcp_wrappers or iptables (or similar) to restrict the communication to only designated known "safe" systems. Interactive use by users should be avoided at all times, minimising the risk associated with transmission of authentication data over unsecured channels.
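The following is an added example, not part of the original policy text, showing what "armouring" a legacy service with tcp_wrappers and iptables looks like in practice. It fences telnet (tcp/23) so that only one designated host may reach it. Nothing is applied to the running system: each function prints the configuration for review. The daemon name in.telnetd and the host 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
set -e
# Added example (not from the policy page): restrict a clear-text legacy
# service to a single designated "safe" host. The functions only print
# configuration; nothing here changes the live system.

# tcp_wrappers entries. Note that "ALL: ALL" in hosts.deny blocks every
# libwrap-aware daemon, so each service that must stay reachable (sshd,
# for instance) needs its own hosts.allow line.
wrappers_entries() {
    daemon="$1"; allowed="$2"
    printf '# /etc/hosts.allow\n%s: %s\nsshd: ALL\n' "$daemon" "$allowed"
    printf '# /etc/hosts.deny\nALL: ALL\n'
}

# iptables rules, emitted as commands rather than executed: accept the port
# from the designated host only, then drop it from everyone else. The DROP
# must come after the scoped ACCEPT because iptables matches in order.
iptables_rules() {
    port="$1"; allowed="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$allowed"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Demonstration with the constructed placeholder values.
wrappers_entries in.telnetd 192.0.2.10
iptables_rules 23 192.0.2.10
```

Both layers are kept because they fail differently: tcp_wrappers only protects daemons linked against libwrap (or started through inetd), while the packet filter protects the port regardless of how the daemon was built.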

Constant Policy Across Systems (RSU)

"A networked environment is only as secure as its weakest component."

Because of the implicit trust relationships between different classes of system (for example development, quality assurance and production servers) and the commonality of their implementation, it is unwise to allow insecure policies and practices on low priority systems: a compromise of a low priority system may lead to the easy compromise of a high priority system.

In general it is also easier and safer to use one secure suite of tools when dealing with all systems than two or more different families of tools, one for each class of system. A single policy standard is easier to use and less error prone than a set of multiple policies.

Disable Or Lock Unused System Accounts (S)

Most legacy Unix and some early Linux systems ship with many system accounts enabled and remotely accessible. If a service is not required it should not be installed, and the corresponding account should be deleted. If the service is required, the account associated with it should, where possible, be locked or disabled from login.

Do Not Allow Remote Login For The Root User (R)

As a general rule there is no requirement ever to log in remotely as the super user. Remote root login should be disabled by default, even when using a secure login method; users should log in as normal users and change to the root user as required. Remote root login is disabled by default on many modern Linux systems.

root_squash should be enabled on NFS exports, preventing root on one system from behaving as root on a remote file system. nosuid should be enabled on NFS mounts, preventing set-user-ID files on the remote file system from running with root privileges on the local system.

Protect NFS At Both The Client And Server Side (RU)

There is no security in the NFSv3 protocol at all and it is not mandatory in NFSv4. The client mounts the remote file system without verifying that the remote system is the correct one. The server allows the remote system to modify its file system without checking that it is the correct one, or attempting to verify the authenticity of the remote user. For this protocol to function at all it is essential that users have exactly the same UID and GID numbers on both systems, which normally requires a NIS or LDAP server, though it is possible to maintain them by hand.

Modern Linux and Unix systems now run with sane defaults, but it is still advisable to protect the components of the NFSv3 system with tcp_wrappers and/or iptables, as the built-in security is too weak to be relied upon. If running NFSv4, the Kerberos component provides good security if correctly configured.
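The following is an added example, not part of the original policy text, covering the NFS points above from both sides: it audits /etc/exports lines for root_squash (server side) and fstab NFS mounts for nosuid and nodev (client side), and prints the tcp_wrappers entries that fence the NFSv3 daemons. The sample exports and fstab files are constructed for the example; the host names, paths and the 192.0.2.0/24 network are placeholders.

```shell
#!/bin/sh
set -e
# Added example (not from the policy page): audit NFS server exports and
# client mounts for the settings the policy requires.

# Return 0 if an /etc/exports line keeps root_squash for every client clause
# (root_squash is the exportfs default), 1 if any clause sets no_root_squash.
exports_line_ok() {
    case "$1" in
        *no_root_squash*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 if an fstab line is not an NFS mount, or is an NFS mount that
# carries both nosuid and nodev; return 1 for an NFS mount missing either.
fstab_nfs_line_ok() {
    line=$1
    set -- $line                      # fields: device mountpoint type options dump pass
    fstype="$3"; opts="$4"
    case "$fstype" in nfs|nfs4) ;; *) return 0 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nodev,*)  ;; *) return 1 ;; esac
    return 0
}

# Count offending lines in a file, skipping blanks and comments.
count_bad_lines() {               # $1 = file, $2 = checker function
    n=0
    while IFS= read -r l; do
        case "$l" in ''|\#*) continue ;; esac
        "$2" "$l" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# tcp_wrappers lines for the NFSv3 daemons: only the given network may talk
# to them. rpcbind (portmap on older systems), mountd, statd and lockd all
# honour hosts.allow/hosts.deny via libwrap.
nfs_wrapper_entries() {
    net="$1"
    printf 'rpcbind: %s\nportmap: %s\nmountd: %s\nstatd: %s\nlockd: %s\n' \
        "$net" "$net" "$net" "$net" "$net"
}

# Constructed sample files: one bad export and one bad mount each.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/exports" <<'EOF'
# server side: the second export wrongly disables root squashing
/srv/data   192.0.2.0/24(rw,sync,root_squash)
/srv/build  192.0.2.0/24(rw,sync,no_root_squash)
EOF
    cat > "$d/fstab" <<'EOF'
# client side: the first mount lacks nosuid and nodev
nfsserver:/srv/data   /mnt/data   nfs   rw,hard              0 0
nfsserver:/srv/build  /mnt/build  nfs4  rw,hard,nosuid,nodev 0 0
EOF
    echo "$d"
}

d=$(write_samples)
echo "exports with no_root_squash: $(count_bad_lines "$d/exports" exports_line_ok)"
echo "NFS mounts without nosuid/nodev: $(count_bad_lines "$d/fstab" fstab_nfs_line_ok)"
nfs_wrapper_entries 192.0.2.0/24
rm -rf "$d"
```

On a live system the same two checks run against /etc/exports and /etc/fstab (or the output of `mount -t nfs,nfs4`), and the wrapper entries go into /etc/hosts.allow with a matching `ALL: ALL` in /etc/hosts.deny.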

Sound Password Policy (RU)

"Passwords should be easy to remember and hard to guess."

Most modern Linux/Unix systems check passwords by default and complain if they are considered too weak, for example because they are based on a dictionary word. Additionally, many modern systems allow further restrictions to be placed on passwords via the PAM or later XSSO subsystem.

Generally passwords should be longer than 8 characters and contain a mixture of upper and lower case letters, numbers and punctuation symbols. There are many schemes and tools for generating strong passwords; however, if a password is too hard to remember or changes too frequently, people tend to write it down or forget it, defeating the principle of easy to remember.

Password ageing used in isolation is a poor security policy and is pointless unless implemented within a broader security framework.

In general a long passphrase is more secure than a short semi-random password. Whenever possible, favour long passphrases over short passwords. This principle is well demonstrated by the XKCD cartoon: xkcd.com/936.
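The following is an added example, not part of the original policy text, that turns the rules above into something checkable: a local pre-check implementing the stated length and character-mix rule with a passphrase exception, and the equivalent settings for pam_pwquality. The thresholds are this example's assumptions (more than 8 characters from at least three classes, or a passphrase of 20 characters or more); real enforcement belongs in PAM, and the candidate strings are the ones from the referenced cartoon plus constructed weak ones.

```shell
#!/bin/sh
set -e
# Added example (not from the policy page): a shell rendering of the
# password policy, for illustration only. Thresholds are assumptions.

# Count the character classes present in $1: upper, lower, digit, other.
char_classes() {
    n=0
    case "$1" in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case "$1" in *[![:alnum:]]*) n=$((n + 1)) ;; esac   # punctuation or space
    echo "$n"
}

# Return 0 if the candidate meets the policy, 1 otherwise.
password_ok() {
    pw="$1"
    len=${#pw}
    classes=$(char_classes "$pw")
    if [ "$len" -ge 20 ]; then
        return 0                    # long passphrase: accepted on length alone
    fi
    if [ "$len" -gt 8 ] && [ "$classes" -ge 3 ]; then
        return 0                    # "longer than 8" with a mixture of classes
    fi
    return 1
}

# The same rule expressed for pam_pwquality in /etc/security/pwquality.conf.
# pwquality cannot express the passphrase exception directly; raising minlen
# and lowering minclass is the usual compromise when passphrases are favoured.
pwquality_settings() {
    cat <<'EOF'
# minimum acceptable length ("longer than 8")
minlen = 9
# at least three of: upper, lower, digit, other
minclass = 3
# reject dictionary words and passwords containing the user name
dictcheck = 1
usercheck = 1
EOF
}

# Demonstration: two candidates from the cartoon, two constructed weak ones.
for candidate in 'correct horse battery staple' 'Tr0ub4dor&3' 'password1' 'Ab1!'; do
    if password_ok "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
pwquality_settings
```

The interesting case is the first candidate: it has only two character classes and would fail the naive mix rule, yet it is accepted on length, which is exactly the point the cartoon makes about passphrases.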

Avoid Password Reuse (RSU)

While it is hard to remember multiple passwords, it is not advisable to reuse passwords on multiple systems. In particular you should not reuse passwords used to access public web sites, and you should certainly never share a password between a social web site and an important system such as your bank. Even deriving per-site passwords from a mnemonic or pattern is not advisable.

Large data breaches at internet sites have deposited millions of records into the public domain, and with modern hardware it is trivial to recover the passwords from them.

OpenSSH Login (U)

OpenSSH is standard on most modern Linux/Unix systems and is recommended by most vendors as the default method of logging in to, and copying files between, systems. Correct configuration of the SSH system allows logins without the interactive use of passwords. Key-based (public key) login is both significantly more secure and more convenient than interactive password-based login.

OpenSSH offers several security hardening options, for example limiting remote logins to specified users only (never root), limiting the rate of login requests and forcing all logins to use key-based authentication only rather than passwords.
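The following is an added example, not part of the original policy text, that writes the sshd_config settings for the hardening points just listed (and for the remote root login rule above) as a drop-in fragment, and audits an existing sshd_config for the same settings so a permissive file can be compared with the hardened one. The user names alice and bob and the sample weak configuration are constructed.

```shell
#!/bin/sh
set -e
# Added example (not from the policy page): emit and audit sshd hardening
# directives. The drop-in goes in /etc/ssh/sshd_config.d/ on OpenSSH 8.2 or
# later; on older releases append it to /etc/ssh/sshd_config instead.

# Hardening fragment; $1 is a space-separated list of permitted user names.
sshd_hardening_fragment() {
    cat <<EOF
# No root over SSH at all; administrators log in as themselves and use sudo.
PermitRootLogin no
# Only these accounts may log in.
AllowUsers $1
# Key-based authentication only. (KbdInteractiveAuthentication was spelled
# ChallengeResponseAuthentication before OpenSSH 8.7.)
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Rate limiting: start:rate:full for unauthenticated connections, plus a cap
# on attempts per connection and on how long an unauthenticated session lives.
MaxStartups 10:30:60
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Effective value of a directive: sshd uses the first occurrence, so print
# the first non-comment match and stop. Prints nothing if the key is absent.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print a finding if the directive in $1 is not exactly $3; silent otherwise.
expect_directive() {
    v=$(sshd_value "$1" "$2")
    [ "$v" = "$3" ] || echo "$2: found '${v:-unset}', expected '$3'"
}

# One line per problem; empty output means the file passes the audit.
sshd_findings() {
    f="$1"
    expect_directive "$f" PermitRootLogin no
    expect_directive "$f" PasswordAuthentication no
    expect_directive "$f" PubkeyAuthentication yes
    [ -n "$(sshd_value "$f" AllowUsers)" ] || echo "AllowUsers: unset (no user restriction)"
    [ -n "$(sshd_value "$f" MaxStartups)" ] || echo "MaxStartups: unset (no rate limiting)"
}

# Constructed permissive configuration of the kind the audit should flag.
write_weak_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    echo "$f"
}

weak=$(write_weak_sample)
echo "== findings for the weak sample =="
sshd_findings "$weak"
sshd_hardening_fragment "alice bob" > "$weak.hardened"
echo "== findings for the hardened fragment (none expected) =="
sshd_findings "$weak.hardened"
rm -f "$weak" "$weak.hardened"
```

Before restarting the daemon with a new fragment in place, `sshd -t` validates the combined configuration, and the first key-based login should be tested from a second session so that a mistake in AllowUsers does not lock the administrator out. User keys are generated with `ssh-keygen -t ed25519` and installed with `ssh-copy-id` while password login is still enabled.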

Lock The Root Account (R)

As a general rule on modern Unix and Linux systems there is no reason at all to permit interactive use of the root account. In fact several popular systems ship with root disabled by default, for example Mac OS X and Ubuntu. Most root functions can be carried out via the sudo command, which has the advantage that the user never becomes root. With sudo it is possible to limit which commands specific users can execute with root privileges, and an audit trail of every command issued is created by default. When necessary it is still possible to become the root user using sudo.
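The following is an added example, not part of the original policy text, covering the account rules on this page: the earlier point about locking or disabling unused system accounts and this section's point about locking root and delegating through sudo. It audits passwd and shadow files (constructed samples here) and prints a sudoers fragment that limits one user to named commands. The UID threshold of 1000 for "system account" is an assumption taken from common Linux conventions; check UID_MIN in /etc/login.defs locally. The user names, commands and hashes are placeholders.

```shell
#!/bin/sh
set -e
# Added example (not from the policy page): find system accounts that can
# still log in, confirm root is locked, and generate a restricted sudoers entry.

# System accounts (uid below 1000, root excluded) whose shell is neither
# nologin nor false. Each one printed is a candidate for removal or locking.
loginable_system_accounts() {
    awk -F: '$3 + 0 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Return 0 if account $2 is locked in shadow file $1: the hash field starts
# with "!" or "*", which is what `passwd -l` and `usermod -L` produce.
# (Locking the password leaves root's shell intact, so `sudo -i` still works.)
account_locked() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1" | grep -q '^[!*]'
}

# sudoers entry for /etc/sudoers.d/: $1 may run only the listed commands as
# root. sudo logs every invocation via syslog by default; check the file
# with `visudo -c -f <file>` before installing it.
sudoers_fragment() {
    user="$1"; shift
    cmds=$(printf '%s, ' "$@")
    cmds=${cmds%, }
    printf '%s ALL=(root) %s\n' "$user" "$cmds"
}

# Constructed passwd/shadow samples: ftp is a system account with a shell
# and an active password; root's password is locked.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
games:x:5:60:games:/usr/games:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:!:19000:0:99999:7:::
ftp:$6$constructedhash:19000:0:99999:7:::
alice:$6$constructedhash:19000:0:99999:7:::
EOF
    echo "$d"
}

d=$(write_samples)
echo "system accounts with a login shell:"
loginable_system_accounts "$d/passwd"
if account_locked "$d/shadow" root; then echo "root: locked"; else echo "root: NOT locked"; fi
if account_locked "$d/shadow" ftp;  then echo "ftp: locked";  else echo "ftp: NOT locked";  fi
sudoers_fragment alice '/usr/bin/systemctl restart nginx' /usr/bin/journalctl
rm -rf "$d"
```

Against the real files the same audit reads /etc/passwd and /etc/shadow (the latter needs root to read), and the remedy for each flagged account is `usermod -s /usr/sbin/nologin` and `passwd -l`, or package removal where the service itself is unneeded.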