I like that you're too polite to suggest that someone who wants to list password information for a user might accidentally type "sudo passwd -l" instead of "sudo chage -l" and lock the account of the user without realizing it. As someone who would of course never make that kind of mistake I'm glad you included it in the video. 😉
Jay, As a SysAdmin for 30+ years I've found some users would keep locking out their account and calling 1st line support (avoiding me) just so they could weasel their way back into setting their 10 year old "Super strong" password back using tears, threats, chocolate bars, favours etc. I would routinely run Johntheripper against the passwords to check for myself for weak ones.
And send the password back to them in a clear text email, saying "If you change your password back to 'MySuperStrongPassword' one more time, I'll delete all your files." 😁
Password expiration horrible. It is the single greatest threat to a network. Tim didn't reset his password, he calls in to get it reset, its so common that verification standards have to be lowered. Tim gets his password reset but...... its a trick, Tim is really some guy in Nigeria who now has access to your network. Locking out an account after to many password attempts is also a great way to get your network compromised. Time outs are fine, but its better to just reduce access or to contact HR when there too many password attempt. Let HR contact the employee and or supervisor to resolve the issue.
Super useful; I didn't know passwd can do things other to than change passwords, cool Jay. Can we dwell more on shadow files please? Override set password & things like that, idk. Thanks Jay once again.
RHEL have added places where one can hardel passwords... login.conf; sustem.auth; passwd.auth; pwquality.conf Why so many? Are they all needed? Can one point to pwquality inside passwd.auth and only use that? doesn't pwquality make the others redundant?
The security community has because of bad experiences come to the conclusion that both time based password expiry and minimum password lifetimes are contraproductive™. Both result in users having insecure passwords. Just keep the hashes (salted and peppered of cause) of ALL previous passwords.
I like that you're too polite to suggest that someone who wants to list password information for a user might accidentally type "sudo passwd -l" instead of "sudo chage -l" and lock the account of the user without realizing it. As someone who would of course never make that kind of mistake I'm glad you included it in the video. 😉
Jay, As a SysAdmin for 30+ years I've found some users would keep locking out their account and calling 1st line support (avoiding me) just so they could weasel their way back into setting their 10 year old "Super strong" password back using tears, threats, chocolate bars, favours etc. I would routinely run Johntheripper against the passwords to check for myself for weak ones.
And send the password back to them in a clear text email, saying "If you change your password back to 'MySuperStrongPassword' one more time, I'll delete all your files." 😁
You’re the most useful linux channel on TH-cam. Thank you for everything you do
Buddy, you’re the most useful linux channel on TH-cam. Thanks alot to you for everything you do.😊
Setting expiration date for Neo, Trinity and Morpheus? Now we finally know who is behind Matrix, Jay...or rather Mr. Smith?!
Do a videoa bout Ldap and about a linux network environment, like access shared folders.
Password expiration horrible. It is the single greatest threat to a network. Tim didn't reset his password, he calls in to get it reset, its so common that verification standards have to be lowered. Tim gets his password reset but...... its a trick, Tim is really some guy in Nigeria who now has access to your network.
Locking out an account after to many password attempts is also a great way to get your network compromised. Time outs are fine, but its better to just reduce access or to contact HR when there too many password attempt. Let HR contact the employee and or supervisor to resolve the issue.
Super useful; I didn't know passwd can do things other to than change passwords, cool Jay.
Can we dwell more on shadow files please? Override set password & things like that, idk.
Thanks Jay once again.
That might be something to go over later in the series, thank you for the suggestion.
2021-10-01 : Jay said after October 1st, is it not on after midnight end of September ?
Could be extended with other useful operations like setting password complexity or preventing users from reusing old passwords etc.
This video is really useful to me, thank you Jay.
Thank you so much
Any chance for a video on how login.conf ; passwd.auth ; system.auth ; pwquality all fit together?
Very well presented, thank you.
Great work Thank you
Thanks for these videos!!!!!
有用,学习了
Informative
RHEL have added places where one can hardel passwords...
login.conf; sustem.auth; passwd.auth; pwquality.conf
Why so many? Are they all needed? Can one point to pwquality inside passwd.auth and only use that? doesn't pwquality make the others redundant?
Please upload to Odysee!
Odysee is not something I'm targeting at this time, but you never know, keep an eye on the website to see if there's any changes.
The security community has because of bad experiences come to the conclusion that both time based password expiry and minimum password lifetimes are contraproductive™.
Both result in users having insecure passwords. Just keep the hashes (salted and peppered of cause) of ALL previous passwords.
AWESOME
Needing password expirations on Linux? That's a world I don't live in.
Any chance for a video on how login.conf ; passwd.auth ; system.auth ; pwquality all fit together?