Select the version of your OS from the tabs below. If you don't know the version you are using, run the command cat /etc/os-release
or cat /etc/issue
on the board.
Remember that you can always refer to the Torizon Documentation, there you can find a lot of relevant articles that might help you in the application development.
Torizon brings the possibility to enforce strong passwords, and that feature comes disabled by default.
During the evaluation and development phases, it's a common practice to leave it disabled to speed up the process. But, just before production, it's strongly advised to enable and configure this feature in order to enforce security.
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the system administrators to choose how applications authenticate users.
One of these modules is pam_cracklib that checks the password against dictionary words.
A newer module, pam_pwquality
is based on pam_cracklib. It is backward compatible with pam_cracklib
and provides additional features.
TorizonCore is shipped with pam_pwquality
module. The users can enable this module to have additional security for their devices. It helps users in creating new passwords that are not easy to guess e.g. by a brute force attack. See man pam_pwquality for documentation of this PAM module.
This article complies to the Typographic Conventions for the Toradex Documentation.
To enable password quality module pam_pwquality
in TorizonCore, add it to the top of the PAM stack in /etc/pam.d/common-password
like so:
password requisite pam_pwquality.so retry=3
pam_pwquality
defines a default policy in /etc/security/pwquality.conf
. Some of the rules from this policy are given below:
In addition to these rules, the user can add/change rules like below in /etc/security/pwquality.conf
:
# Minimum 1 digit
dcredit = -1
# Minimum 1 uppercase character
ucredit = -1
# Minimum 1 lowercase character
lcredit = -1
# Minimum 1 symbol(other character)
ocredit = -1
As noted earlier, strong passwords are enforced by default when pam_pwquality
is enabled. If it is desired that only a warning is shown but weak passwords are still allowed, set following options in /etc/security/pwquality.conf
:
# Do not enforce pwquality rules, just warn the user
enforcing = 0
enforce_for_root = 0
To capture the changes in these configuration files into an installation image, using TorizonCore Builder, see Capturing Configuration Changes in the Target Device. This enables the user to copy the same configuration change to several devices.
There are many tools available that help a user in creating a strong password. On Debian systems, we can install the libpwquality-tools package and use pwmake to generate a strong password. pwmake
takes one argument which is the number of bits of entropy used to generate the password. We can also use pwscore, also present in libpwquality-tools, to check the strength of a given password. pwscore
rates passwords as an integer value between 0
and 100
.
Here is how to use these tools in a Ubuntu container:
$ docker run -it --rm ubuntu
$$ apt-get update && apt-get install -y libpwquality-tools
$$ pwmake 128
V0sWAf0hIHIJDYh]ib]3kDagyNi
$$ echo "V0sWAf0hIHIJDYh]ib]3kDagyNi" | pwscore
100
Password aging is another technique to protect the users from weak passwords.
The password aging controls are defined in /etc/login.defs
. The comments in this file also explain what different options mean. Here is the relevant excerpt:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
Certificate-based authentication provides many advantages over password-based authentication. This authentication method has high cryptographic strength, unlike user-defined passwords. Because of their cryptographic nature, certificates are also invincible to dictionary attacks.
Certificates also eliminate the need to memorize a password that may be forgotten and type each time a new connection is needed. To know more about how to use SSH, please visit the following link:
For more information on this authentication method, please visit the links below: