topic Re: Paranoid security, bypass resetting password expiry in Secure OS Software for Linux

Paranoid security, bypass resetting password expiry

Raynald Boucher — Wed, 03 Sep 2003 14:34:29 GMT

Hello again,

"msec", I assume, is again giving me grief.
We are running Mandrake 9 with paranoid security (level 5).
The passwprd expiry period gets reset to default (30 days) even after I have extended it for selected users.

This is really annoying as some users may not log on for extended periods and therefore never get the warning and become unable to log on (me included).

Does anyone know how to overide this feature?

Thanks

Re: Paranoid security, bypass resetting password expiry

Steven E. Protter — Wed, 03 Sep 2003 14:41:41 GMT

The real answer is to get rid of paranoid security and become active in setting security yourself. Its harder, but the process will improve your skills and allow you to avoid circumstances like this.

You might find using Bastille gives you better control.

With regards to this issue, it may take another password cycle for your change to kick in.

If the password life cycle is 30 days and you extend it, it probably requires a passwd command against that user.

The GUI interface that comes with Mandrake should do that for you.

In the end, there is a price for security, you have to balance that against your sanity.

SEP

Re: Paranoid security, bypass resetting password expiry

Raynald Boucher — Wed, 03 Sep 2003 15:49:53 GMT

Thanks Steve

I'm told we are using this security scheme for this application due to the sensitivity of the information and to use a mixture of security setups so that if one is breached, the others will remain unknown...

Anyway, I found a reference to "no_password_aging_for(name)" in the msec directories. This tells me there is a bypass process and that it's probly driven by a control file.

I'm looking for which one, and the format of the control entry. The source is there but I don't know how to interpret Python code.

Take care.

Re: Paranoid security, bypass resetting password expiry

Huc_1 — Thu, 04 Sep 2003 07:53:05 GMT

Hello

I dont use msec, I did a search from google and ended up in mandrake, there I found the following

I am passing it on perhaps, this could proof usefull !?

http://www.google.com/search?hl=en&lr=lang_en&ie=ISO-8859-1&oe=ISO-8859-1&q=no_password_aging_for&btnG=Google+Search&lr=lang_en

Jean-Pierre

Re: Paranoid security, bypass resetting password expiry

Huc_1 — Thu, 04 Sep 2003 11:47:20 GMT

Hi me , again ! ... I had a bite of time to read the links ....I mention here above !

In one of them I found

<<<<<<<<<<<<<<<<< cut from link" >>>>>>>>>>>>>>>

no_password_aging_for('toto') in level.local ineffective

* From: [bret]
* Subject: [Cooker] [Bug 1629] [msec] msec no_password_aging_for('toto') in level.local ineffective
* Date: Mon, 28 Jul 2003 07:06:33 -0700

http://qa.mandrakesoft.com/show_bug.cgi?id=1629

------- Additional Comments From [EMAIL PROTECTED] 2003-28-07 17:37 -------
One thing to keep in mind with password aging is if you disabled the password
aging after you set up the user, the shadow file will still have the setting
in it.

To disable the aging after you setup your level.local run this command:
"chage -M 99999 'username'".

That should fix your aging and it will not be re-enabled again by msec.

Now I have now idea if msec should do this if you add the entries above to
your level.local or not.

Bret.

<<<<<<<<<<<<<<<<<< end_of_cut >>>>>>>>>>>>>>>>

I had a look at this tool ... not bad, But I am more inclined to checking/reading lock and using standart iptables, bastille, find it is the best way for me to know what's going on , Having said' this I am lucky to be able to decide this myself.

Hope this will help you with this problem.

Jean-Pierre or J-P (shorter version).