Hardening Linux Account Security: User Locks, Password Policies, PAM & Sudo

This guide explains how to secure Linux accounts by disabling logins, locking or deleting users, enforcing password expiration with chage, configuring PAM modules, restricting commands via sudo, protecting the GRUB bootloader, and performing controlled password‑cracking tests with John the Ripper.

Liangxu Linux

Account Security

Disable login for a user by changing its login shell to /sbin/nologin:

useradd aa
tail -1 /etc/passwd
# aa:x:1002:1002:/home/aa:/bin/bash
chsh -s /sbin/nologin aa
# shell changed
tail -1 /etc/passwd
# aa:x:1002:1002:/home/aa:/sbin/nologin

Lock a user's password:

passwd -l username

Unlock the password:

passwd -u username

Periodically delete unused accounts and restrict modifications to critical configuration files.

Password Policy Management

Force password changes with passwd and monitor aging via the fields in /etc/shadow. Adjust aging system‑wide in /etc/login.defs or per‑user with chage. Important chage options:

-m minimum days between changes
-M maximum days password is valid
-E account expiration date
-I inactivity period (days) after the password expires before the account is disabled
-l list current settings

Example: set a 30‑day maximum age for user aa and verify:

chage -M 30 aa
cat /etc/shadow | tail -1
# aa:!!:19831:0:30:7:::

Force immediate password change on next login:

chage -d 0 aa
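
The following audit script is an added example, not code from the original article. It reads constructed /etc/passwd and /etc/shadow excerpts (account names and hashes are made up) and reports what the steps above change: which accounts still have a login shell, whether the password field is locked, and what the aging fields set by chage contain. Pointing the functions at the real files requires root, since /etc/shadow is not world-readable.

```sh
#!/bin/sh
# Added example (not from the original article): audit login shells, lock
# state and password aging from passwd/shadow data. All sample data below is
# constructed; the field layouts are the real ones.

# Constructed /etc/passwd lines: name:x:uid:gid:gecos:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
aa:x:1002:1002::/home/aa:/sbin/nologin
bb:x:1003:1003::/home/bb:/bin/bash
cc:x:1004:1004::/home/cc:/bin/false'

# Constructed /etc/shadow lines: name:hash:lastchg:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19800:0:99999:7:::
aa:!!:19831:0:30:7:::
bb:$6$saltsalt$hashhash:19700:0:99999:7:::
cc:!$6$saltsalt$hashhash:19750:0:60:7:::
dd:$6$saltsalt$hashhash:0:0:90:7:::
ee::19790:0:90:7:::'

# interactive_accounts: names whose shell still allows a login session,
# i.e. anything other than a nologin binary or /bin/false.
interactive_accounts() {
  printf '%s\n' "$1" | awk -F: '
  NF >= 7 && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1 }'
}

# audit_shadow: prints "NAME STATE MAXAGE NOTE" per entry.
#   STATE: active, locked (field starts with ! or *), empty-password
#   NOTE (active accounts only): ok, no-max-age (99999 or unset),
#         change-forced (last change 0, as set by "chage -d 0")
audit_shadow() {
  printf '%s\n' "$1" | awk -F: '
  NF >= 5 {
    name = $1; hash = $2; last = $3; max = $5
    if (hash == "")            { state = "empty-password" }
    else if (hash ~ /^[!*]/)   { state = "locked" }
    else                       { state = "active" }
    note = "-"
    if (state == "active") {
      note = "ok"
      if (max == "" || max + 0 >= 99999) { note = "no-max-age" }
      else if (last + 0 == 0)            { note = "change-forced" }
    }
    printf "%s %s %s %s\n", name, state, (max == "" ? "-" : max), note
  }'
}

# count_note NOTE SHADOW_TEXT: how many entries carry the given note.
count_note() {
  audit_shadow "$2" | awk -v n="$1" '$4 == n { c++ } END { print c + 0 }'
}

echo "Accounts that can still open a login session:"
interactive_accounts "$SAMPLE_PASSWD"
echo "Shadow audit (name state max-age note):"
audit_shadow "$SAMPLE_SHADOW"
```

On the sample data, aa and cc are reported as locked, ee has an empty password field, and root and bb are flagged for having no maximum age, which is exactly the condition that `chage -M 30` fixes.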

User Switching (su)

The su command switches the current session to another user:

su asdjkl
# then optionally
su root
# password prompt

PAM Configuration

Pluggable Authentication Modules (PAM) separate authentication mechanisms from services. Configuration files reside in /etc/pam.d/. Example /etc/pam.d/su:

#%PAM-1.0
auth    sufficient  pam_rootok.so
auth    substack    system-auth
auth    include     postlogin
account sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account include     system-auth
password include    system-auth
session include     system-auth
session include     postlogin
session optional    pam_xauth.so

Control flags: required, requisite, sufficient, optional.
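
How those four control flags combine is easiest to see by running a small simulation. The script below is an added example, not PAM's own code and not from the original article: it takes a stack of lines in the form "CONTROL MODULE RESULT" and prints PASS or FAIL for the whole stack. Module names are real PAM modules used only as labels; the results are constructed.

```sh
#!/bin/sh
# Added example (not from the original article, not PAM's own code): a
# simulator for how one PAM stack combines module results under the four
# control flags. Module names are illustrative labels; results are constructed.

# pam_stack: reads lines "CONTROL MODULE RESULT" (RESULT is ok or fail) and
# prints PASS or FAIL for the stack, following these rules:
#   required   - a failure is remembered but later modules still run
#   requisite  - a failure ends the stack at once with FAIL
#   sufficient - a success ends the stack with PASS, unless a required module
#                has already failed; a failure is ignored
#   optional   - only counts when no other module has set a result
# A stack in which no module produced a positive result is denied.
pam_stack() {
  printf '%s\n' "$1" | awk '
  BEGIN { imp = ""; decided = "" }
  NF < 3 || /^#/ { next }
  decided != "" { next }                        # stack already finished
  {
    ctl = $1; ok = ($3 == "ok")
    if (ctl == "requisite" && !ok) { decided = "FAIL"; next }
    if (ctl == "required" && !ok)  { imp = "NEG"; next }
    if (ctl == "sufficient") {
      if (ok && imp != "NEG") { decided = "PASS" }  # cannot override an earlier required failure
      next
    }
    if (ok && imp == "") { imp = "POS" }          # required, requisite or optional success
  }
  END {
    if (decided != "") { print decided }
    else { print (imp == "POS" ? "PASS" : "FAIL") }
  }'
}

# Constructed stacks modelled on the auth section of /etc/pam.d/su.
STACK_ROOT='sufficient pam_rootok.so ok'
STACK_USER='sufficient pam_rootok.so fail
required   pam_unix.so ok'
STACK_WHEEL='sufficient pam_rootok.so fail
required   pam_wheel.so fail
required   pam_unix.so ok'
STACK_ONLY_OPTIONAL='optional pam_xauth.so fail'

for s in STACK_ROOT STACK_USER STACK_WHEEL STACK_ONLY_OPTIONAL; do
  eval "v=\$$s"
  printf '%-20s %s\n' "$s" "$(pam_stack "$v")"
done
```

The STACK_WHEEL case is the one worth remembering: once a required module (here a group-membership check) has failed, a later sufficient success no longer lets the stack pass, which is why a restriction placed before pam_unix.so in the auth section of su cannot be bypassed by knowing the target password.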

sudo Configuration

sudo allows selected users to run commands as another user. The configuration file /etc/sudoers must have mode 0440 and should be edited with visudo to avoid syntax errors.

# visudo
# Example: allow user lisi to run only mount on /dev/sr0
root    ALL=(ALL)       ALL
lisi    ALL=            /usr/bin/mount /dev/sr0 /mnt/

After saving, the user can execute the command with sudo:

su lisi
sudo mount /dev/sr0 /mnt/

Additional fine‑grained rules can be placed in /etc/sudoers.d/.
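
Rules like the mount example above are what a reviewer wants to see; the ones that need a second look grant every command, skip the password, or hand out a program that can start a shell. The lint below is an added example (not from the original article and not part of sudo) that reads a constructed sudoers excerpt in the same layout and prints a finding per questionable grant. The list of shell-capable programs it checks is an assumption chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the original article, not part of sudo): a small
# lint for user-specification lines in sudoers. SAMPLE_SUDOERS is constructed
# text; only the root and lisi lines mirror the article's excerpt.
SAMPLE_SUDOERS='# comment line
Defaults    env_reset
root    ALL=(ALL)       ALL
lisi    ALL=            /usr/bin/mount /dev/sr0 /mnt/
ops     ALL=(ALL)       NOPASSWD: ALL
dev     ALL=(root)      /bin/bash
%wheel  ALL=(ALL)       ALL'

# lint_sudoers: prints "WHO FINDING" for each user spec that
#   grants ALL commands           -> all-commands
#   waives the password prompt    -> nopasswd
#   grants a shell or an editor that can spawn one -> shell-escape
# Only the first command of each line is examined.
lint_sudoers() {
  printf '%s\n' "$1" | awk '
  /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
  /^Defaults/ { next }                   # option lines are not grants
  {
    who = $1
    line = $0
    sub(/^[^=]*=/, "", line)                       # drop "who HOST="
    sub(/^[[:space:]]*\([^)]*\)/, "", line)        # drop optional "(runas)"
    gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)  # trim
    cmds = line
    if (cmds ~ /NOPASSWD:/) { print who, "nopasswd" }
    sub(/^NOPASSWD:[[:space:]]*/, "", cmds)
    split(cmds, parts, /[[:space:]]+/)
    first = parts[1]
    if (cmds == "ALL") { print who, "all-commands" }
    else if (first ~ /^\/(bin|usr\/bin)\/(sh|bash|dash|zsh|vi|vim|less|more)$/) { print who, "shell-escape" }
  }'
}

echo "sudoers findings (who finding):"
lint_sudoers "$SAMPLE_SUDOERS"
```

The lisi rule produces no finding because it names one binary with fixed arguments, which is the shape a restrictive rule should have; a syntax check of the real file is still `visudo -c`, which this lint does not replace.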

GRUB Script Overview

GRUB menu scripts are stored in /etc/grub.d. Key scripts:

00_header – sets default GRUB parameters.

10_linux – generates entries for installed Linux kernels.

20_ppc_terminfo – configures the console terminal.

30_os_prober – detects other operating systems on the disk.

40_custom and 41_custom – user‑defined menu entries.

Brute‑Force Password Cracking with John the Ripper

Example workflow to test password strength on /etc/shadow using John the Ripper 1.8.0:

# Download and extract
cd data
# receive john-1.8.0.tar.gz (e.g., via rz)
tar xf john-1.8.0.tar.gz
cd john-1.8.0

# Install build tools
yum install -y gcc gcc-c++ make

# Build
cd src
make clean linux-x86-64

# Prepare hash file (reading /etc/shadow requires root)
cp /etc/shadow /opt/shadow.txt

# Run John
cd ../run
./john /opt/shadow.txt

# Show cracked passwords
./john --show /opt/shadow.txt

The output demonstrates recovered passwords for weak test accounts, highlighting the need for strong, complex passwords.
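
How quickly a test like this recovers a password depends not only on its complexity but on the hash scheme stored in /etc/shadow: an empty field or a legacy MD5 ($1$) hash falls far faster than SHA-512 ($6$) or yescrypt ($y$). The script below is an added example, not from the original article and not part of John the Ripper; it reports the scheme used by each entry of a constructed shadow excerpt so that such accounts can be found and re-hashed (by forcing a password change) without running a cracker at all.

```sh
#!/bin/sh
# Added example (not from the original article, not part of John the Ripper):
# report the password hash scheme of each shadow entry. SAMPLE_SHADOW is
# constructed; the hash values are placeholders with the real prefixes.
SAMPLE_SHADOW='root:$6$rounds=5000$Xy7abc$hashhash:19800:0:99999:7:::
legacy:$1$abcdefgh$hashhash:17000:0:99999:7:::
svc:!!:19831:0:99999:7:::
guest::19790:0:90:7:::
newer:$y$j9T$saltsalt$hashhash:19900:0:90:7:::'

# hash_report: prints "NAME SCHEME" per entry, where SCHEME is one of
# md5, sha256, sha512, yescrypt, bcrypt, locked, empty or unknown.
hash_report() {
  printf '%s\n' "$1" | awk -F: '
  NF >= 2 {
    h = $2
    if (h == "")                { a = "empty" }
    else if (h ~ /^[!*]/)       { a = "locked" }
    else if (h ~ /^\$1\$/)      { a = "md5" }
    else if (h ~ /^\$5\$/)      { a = "sha256" }
    else if (h ~ /^\$6\$/)      { a = "sha512" }
    else if (h ~ /^\$y\$/)      { a = "yescrypt" }
    else if (h ~ /^\$2[aby]\$/) { a = "bcrypt" }
    else                        { a = "unknown" }
    print $1, a
  }'
}

# weak_hash_accounts: names whose entry would fall quickly to an offline
# test: an empty password field or the fast MD5 scheme.
weak_hash_accounts() {
  hash_report "$1" | awk '$2 == "md5" || $2 == "empty" { print $1 }'
}

echo "Hash scheme per account:"
hash_report "$SAMPLE_SHADOW"
echo "Accounts to re-hash first:"
weak_hash_accounts "$SAMPLE_SHADOW"
```

On the sample data, legacy and guest are the two entries to act on; running `chage -d 0` on them forces a new password, which is stored under the scheme currently configured in /etc/login.defs.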

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
