Enforcing password complexity on CentOS

The pam_pwquality (previously pam_cracklib) module is used to check password complexity against a set of rules. It checks if the password is found in a dictionary; if not, it will continue with additional checks.

The defaults are read from /etc/security/pwquality.conf, but the same options can also be set directly on the module line in /etc/pam.d/system-auth.

To add the password policies, just add the options you need on the pam_pwquality.so line in system-auth:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
  • minlen – minimum password length
  • lcredit – minimum number of lowercase letters
  • ucredit – minimum number of uppercase letters
  • dcredit – minimum number of digits
  • ocredit – minimum number of special characters

In this case, -1 means that the password must have at least one character of that type. You can change this number as you prefer.

If you need to enforce the policies even for the root user, use the enforce_for_root option.

You can also add policies using the authconfig command:

authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --update
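To see what a given minlen/credit combination actually accepts before putting it into system-auth, here is a small shell model of the pam_pwquality credit rule. This is an added example, not part of the original post and not libpwquality itself: it goes beyond the -1 case above by also handling positive credits (where characters of that class add to the effective length instead of being required), and the word list is a constructed stand-in for the cracklib dictionary. The real module additionally runs similarity and repeated-character checks; pwscore(1) exercises the real thing.

```shell
#!/bin/sh
# Added example: a model of pam_pwquality's minlen/credit rules.
# Not libpwquality; the word list below is a constructed stand-in for cracklib.
LC_ALL=C
export LC_ALL

# Constructed dictionary (assumption: a real host uses the system word list).
DICT_WORDS='password
letmein
welcome
qwerty'

# count_in CLASS PASSWORD: number of bytes of PASSWORD in tr(1) class CLASS
count_in() {
    echo $(( $(printf '%s' "$2" | tr -cd "$1" | wc -c) ))
}

# pwq_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Credit rule: a negative credit is a minimum count for that class; a positive
# credit adds up to that many points to the effective length compared to MINLEN.
# Returns 0 if the password passes, 1 (with the reason on stdout) otherwise.
pwq_check() {
    pw=$1; minlen=$2
    # dictionary check comes first, as in pam_pwquality
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    if printf '%s\n' "$DICT_WORDS" | grep -qxF -- "$lower"; then
        echo "REJECT: dictionary word"; return 1
    fi
    len=${#pw}
    n_lower=$(count_in 'a-z' "$pw")
    n_upper=$(count_in 'A-Z' "$pw")
    n_digit=$(count_in '0-9' "$pw")
    n_other=$(( len - n_lower - n_upper - n_digit ))   # everything else is "special"
    credit=0
    for spec in "lowercase:$n_lower:$3" "uppercase:$n_upper:$4" \
                "digit:$n_digit:$5" "special:$n_other:$6"; do
        name=${spec%%:*}; rest=${spec#*:}
        n=${rest%%:*}; c=${rest#*:}
        if [ "$c" -lt 0 ]; then
            if [ "$n" -lt $(( -c )) ]; then
                echo "REJECT: need at least $(( -c )) $name character(s)"; return 1
            fi
        elif [ "$n" -lt "$c" ]; then
            credit=$(( credit + n ))
        else
            credit=$(( credit + c ))
        fi
    done
    if [ $(( len + credit )) -lt "$minlen" ]; then
        echo "REJECT: length $len plus credit $credit is below minlen $minlen"; return 1
    fi
    echo "OK"; return 0
}

# Usage: the policy from the system-auth line above (minlen=16, all credits -1).
# "|| :" keeps a rejection from aborting a set -e script.
for candidate in 'Tr0ub4dor&3-Correct' 'Password1!' 'LetMeIn'; do
    printf '%s: ' "$candidate"
    pwq_check "$candidate" 16 -1 -1 -1 -1 || :
done
```

Run it with candidate passwords and the option values you intend to deploy; a rejection prints which rule fired, which is the same information a user would get from the PAM prompt but without touching the live policy.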

Bash: bad substitution

I was working on a bash script that uploads a file via sftp and appends a suffix to the filename. The suffix, in this specific case, should have been the date in %y-%m-%d_%H%M%S format.

I’m still a newbie with bash scripting and I used this command to upload and rename the file:

put $file $remote_dest_dir/$remote_filename${date +"%y-%m-%d_%H%M%S"}

Bash complained about a “bad substitution” on that line.

Curly braces are used for the different kinds of parameter expansion, the simplest of which expands the value of a variable. A date command inside the braces is not a valid parameter name or any other expansion, so the shell complains.

I guess that what I really needed was a substitution:

$(date +"%y-%m-%d_%H%M%S")

I replaced the curly braces with regular parentheses and everything worked like a charm.
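As an added example (not the script from the post), here is the upload step rebuilt around command substitution, with the timestamped name produced by a function and the put line written into an sftp batch file so the paths are quoted once. The file, directory and host are placeholders.

```shell
#!/bin/sh
# Added example: timestamped remote name via $(...) and an sftp batch file.
# upload_name BASENAME: BASENAME with the date appended in %y-%m-%d_%H%M%S format.
# ${...} is parameter expansion (variables); $(...) is command substitution.
upload_name() {
    printf '%s%s\n' "$1" "$(date +"%y-%m-%d_%H%M%S")"
}

# sftp_batch LOCALFILE REMOTEDIR: print the commands that sftp -b will run.
# Quoting the paths in the batch file keeps spaces in names intact.
sftp_batch() {
    file=$1; dir=$2
    base=$(basename "$file")
    printf 'put "%s" "%s/%s"\nbye\n' "$file" "$dir" "$(upload_name "$base")"
}

# Usage (placeholders for the real host and paths):
#   sftp_batch ./report.csv /incoming > batch.txt
#   sftp -b batch.txt user@sftp.example.invalid
sftp_batch ./report.csv /incoming
```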

Convert ppk to OpenSSH keypairs

.ppk files are created by PuTTY to store a private key generated by the program.

To convert a keypair, first install the putty package, then:

Convert the private key:

puttygen id_rsa.ppk -O private-openssh -o id_rsa

Extract the public key:

puttygen id_rsa.ppk -O public-openssh -o id_rsa.pub
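Added example (not from the original post): the two puttygen calls wrapped in a function that also locks the private key down to mode 0600, which ssh refuses to use otherwise, and checks that the exported public key really belongs to the exported private key. The file names are assumptions.

```shell
#!/bin/sh
# Added example: convert a .ppk and verify the result. File names are assumptions.

# key_is_private KEYFILE: 0 if no group/other permission bits are set (0600 or
# stricter), which is what ssh(1) requires before it will use a private key.
# Parses ls -l so it works with both GNU and BSD userland.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ppk_to_openssh KEY.ppk OUTBASE: writes OUTBASE and OUTBASE.pub.
# Returns 2 if puttygen is missing, 1 on a failed conversion or check.
ppk_to_openssh() {
    ppk=$1; out=$2
    command -v puttygen >/dev/null || { echo "puttygen not installed (package putty)" >&2; return 2; }
    # umask in a subshell so the private key is never created world-readable
    (
        umask 077
        puttygen "$ppk" -O private-openssh -o "$out" &&
        puttygen "$ppk" -O public-openssh -o "$out.pub"
    ) || return 1
    chmod 600 "$out"
    key_is_private "$out" || return 1
    # The public key derived from the private half must match the exported one
    # (type and base64 blob; the comment field may differ). Prompts for the
    # passphrase if the key is encrypted.
    [ "$(ssh-keygen -y -f "$out" | cut -d' ' -f1,2)" = "$(cut -d' ' -f1,2 "$out.pub")" ]
}

# Usage:
#   ppk_to_openssh id_rsa.ppk id_rsa && ssh-keygen -lf id_rsa.pub
```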

Enable SFTP on Solaris 11

Once you’ve installed an OpenSSH server, you also have an SFTP server. On Solaris, check that the sftp subsystem is actually configured.

The configuration is in /etc/ssh/sshd_config:

# sftp subsystem
Subsystem       sftp    internal-sftp
PubkeyAuthentication    yes

Restart the service:

svcadm refresh svc:/network/ssh:default
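Added example (not from the original post): a check that an sshd_config really declares the sftp subsystem, for running before the service is refreshed. Comment lines are ignored and, as sshd does, only the first Subsystem line counts. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example: verify the sftp Subsystem line in an sshd_config.

# sftp_subsystem FILE: print the handler configured for the sftp subsystem
# (e.g. internal-sftp) and return 0; return 1 if none is configured.
# Commented-out lines start with '#', so their first field never matches.
# sshd honours the first Subsystem line it reads, hence the early exit.
sftp_subsystem() {
    awk '$1 ~ /^[Ss]ubsystem$/ && $2 == "sftp" { print $3; found = 1; exit }
         END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample configs: one enabled, one with the line commented out.
good=$(mktemp)
printf '# sftp subsystem\nSubsystem\tsftp\tinternal-sftp\nPubkeyAuthentication\tyes\n' > "$good"
bad=$(mktemp)
printf '#Subsystem sftp internal-sftp\nPubkeyAuthentication yes\n' > "$bad"

# Usage on a real host: sftp_subsystem /etc/ssh/sshd_config, then
# `sshd -t` to syntax-check the file before `svcadm refresh svc:/network/ssh:default`.
for f in "$good" "$bad"; do
    if h=$(sftp_subsystem "$f"); then
        echo "$f: sftp handled by $h"
    else
        echo "$f: no sftp subsystem configured"
    fi
done
```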

Solaris basics: boot environments

Solaris 11 uses ZFS as its root file system.

It all started with a product called Live Upgrade, which supported alternate boot environments (ABEs): a copy of the root file system that can be used as an alternate boot device.

Boot environments (BEs) work the same way, except that no additional partitions are needed: ZFS snapshots capture a point-in-time view of the file system.

Two tools manage BEs:

  • Package Manager GUI
  • beadm utility

The beadm utility supports these subcommands:

  • activate
  • create and destroy
  • list
  • mount and unmount
  • rename

Example listing:

elena@solaria:~$ beadm list
BE Name          Flags Mountpoint Space   Policy Created
---------------- ----- ---------- ------- ------ ----------------
solaris          -     -          488.91M static 2019-01-08 09:47
solaris-1        NR    /          4.58G   static 2019-01-08 17:08
solaris-backup-1 -     -          137.43M static 2019-01-08 16:38

NR indicates the active BE (N) and the active BE after reboot (R).
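Added example (not from the original post): a parser for the beadm list output above that reports which BE is running now (N) and which will be active after the next reboot (R), and flags the case where they differ, i.e. an activation is pending. The first sample is the listing above; the second is a constructed variant with solaris-backup-1 activated.

```shell
#!/bin/sh
# Added example: read `beadm list` output and compare the N and R flags.

# Sample from the listing above
BEADM_SAMPLE='BE Name          Flags Mountpoint Space   Policy Created
---------------- ----- ---------- ------- ------ ----------------
solaris          -     -          488.91M static 2019-01-08 09:47
solaris-1        NR    /          4.58G   static 2019-01-08 17:08
solaris-backup-1 -     -          137.43M static 2019-01-08 16:38'

# Constructed variant: solaris-backup-1 has been activated, reboot pending
BEADM_PENDING='BE Name          Flags Mountpoint Space   Policy Created
---------------- ----- ---------- ------- ------ ----------------
solaris          -     -          488.91M static 2019-01-08 09:47
solaris-1        N     /          4.58G   static 2019-01-08 17:08
solaris-backup-1 R     -          137.43M static 2019-01-08 16:38'

# be_with_flag FLAG LISTING: print the BE whose Flags column contains FLAG.
# awk's NR here is the record number (skips the two header lines), not the BE flag.
be_with_flag() {
    printf '%s\n' "$2" | awk -v f="$1" 'NR > 2 && index($2, f) { print $1 }'
}

# be_status LISTING: 0 when the running BE is also the one active on reboot,
# 1 when an activation is pending and a reboot will switch BEs.
be_status() {
    now=$(be_with_flag N "$1"); next=$(be_with_flag R "$1")
    echo "running: $now  next boot: $next"
    [ "$now" = "$next" ]
}

# Usage on a real host: be_status "$(beadm list)"
be_status "$BEADM_SAMPLE"
be_status "$BEADM_PENDING" || echo "activation pending: reboot will switch BE"
```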

On x86 systems, activating a new BE will update the GRUB menu:

elena@solaria:~$ bootadm list-menu
The location of the boot loader configuration files is: /rpool/boot/grub
default 2
console graphics
timeout 30
0 Oracle Solaris 11.4
1 solaris-backup-1
2 solaris-1

Creating a BE does not copy the whole file system: with ZFS copy-on-write, the new BE shares the original data blocks and only the blocks that change are written to the new copy.

Destroying a BE releases the metadata that references its data blocks.

The beadm utility can also create a snapshot of a BE:

beadm create [BE name]@[snapshot name]

To list snapshots:

beadm list -s

To destroy a BE:

beadm destroy [name]

If any snapshots are associated with the BE, they’ll be removed automatically.

The Package Manager GUI can also manage BEs, as a side task.