Cooking with Linux - Security's Front Door

 in
Words, words, words...whether spoken by a fool or a genius, they are still the first line of defense in system security.

What is this I see on our specials chalkboard, François? Mxyztplk? That is the root password for our main server! Mon Dieu! What do I see here? Those are all our administrative passwords! Why would you post secret information where everyone can see it? Quoi? So you would not forget? But François, neither will anyone else. I see you have posted your own login passwords as well. Please, erase those immediately and wash the chalkboard when you are done. Merci. Now, just to be safe, we will need to generate a whole new set of passwords for all our systems. What were you thinking, mon ami? Of course, I see. We'll discuss this later. Our guests are arriving now. Prepare yourself, François.

Welcome, everyone! How wonderful to see you here at Chez Marcel, home of superb Linux and open-source software and, of course, wine served from one of the world's finest wine cellars. Speaking of wine...François, please head down to the wine cellar, over in the East wing, and bring back the 2005 Sonoma County Kokomo Zinfandel. Vite!

Ah, mes amis, you missed a rare opportunity to see all of Chez Marcel's security, exposed on our Specials du Jour board. Nevertheless, it does provide an excellent backdrop to our menu this evening, as all the items relate to password security. Passwords, mes amis, are still your first line of defense when it comes to computers. Biometric systems, like fingerprint readers, can make secure access more daunting and difficult to breach, but most systems, including countless Web sites, require a user name and password for access, and that's not changing anytime soon. In the end, it usually comes back to passwords, and passwords mean people need to remember them. And, that's where the problem starts.

I've been in offices where people will tell you (if you insist) that everyone pretty much knows everybody else's passwords—just in case. I've seen yellow sticky notes stuck to computer screens with passwords written down so the users don't forget. Even when that information is out of sight, people use simple passwords, like the word “password”, because they're easy to remember.

One way to get secure passwords that aren't your pet's name or your spouse's birthday is to pick a phrase that means something to you, and then play with it. For example, take the phrase “Believe in magic!” Now, take only the consonants of the first and last word, and you have blvmgc. Add an I at the beginning, but make that I a numeric 1 instead. Add an asterisk for the final character, and you have 1blvmgc*—a great password if ever there was one.

Another, more secure way (particularly if you need many passwords), is to enlist the help of a random password generator. One such program is Pierre “khorben” Prochery's makepasswd program (inspired by Rob Levin's Perl script of the same name). Pierre's makepasswd program uses your computer's random number generator to create passwords of varying constraints. It also can generate encrypted passwords. You can get a single, random password by typing makepasswd at a shell prompt. The program also accepts different parameters on the command line, as shown here:

$ makepasswd --chars 8 --count=4
0dAU8BXM
suQt4CF2
5x0yGJ1S
6KTInj58

So, what happened? The --chars 8 parameter tells the program to use exactly eight characters in the resulting password. You also can specify --minchars and --maxchars to get different password lengths. The --count=4 parameter tells the program to generate four passwords. The default is to provide only one password. Type makepasswd --help for a full list of parameters.

Shell users know this well, but those who take the time to learn the ins and outs of their Linux systems learn this too; many graphical programs are front ends to one or more text- or shell-based commands. The same is true for the next item on our menu, KriptPass, which wraps the makepasswd program in a nice, graphical interface. KriptPass is a Kommander script available from Kriptopolis.org. Kommander is a combination program editor and executor that can be used to create any number of graphical applications using the KDE framework. I mention Kommander, because you need it to use KriptPass. So, installing Kommander is the first step. Because it's a KDE application, check your system to see whether you already have Kommander installed. If you don't, check your distribution's repositories and install it. Because KriptPass is based on makepasswd, you need that as well.

Assuming you have Kommander installed, installing and running KriptPass is as simple as downloading it from www.kde-apps.org/content/show.php/KriptPass?content=58800. Extract the script wherever you like, open up Konqueror and simply click on the kriptpass.kmdr file. That's all there's to it (if you like, you can add a shortcut icon on your desktop for future use). The KriptPass window appears (Figure 1), and you'll see three tabs labeled Passwords, Wireless Keys and About.

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix