Editorial review of password policy section.
Sponsored by: iXsystems
This commit is contained in:
parent
f58f348072
commit
53627b405d
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44725
1 changed files with 62 additions and 53 deletions
@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBP
|
|||
<title>Password Policy Enforcement</title>
|
||||
|
||||
<para>Enforcing a strong password policy for local accounts
|
||||
is a fundamental aspect of local system security and policy.
|
||||
During password enforcement, things like password length,
|
||||
password strength, and the likelihood the password could be
|
||||
guessed or cracked can be implemented through the system
|
||||
&man.pam.8; modules.</para>
|
||||
is a fundamental aspect of system security.
|
||||
In &os;, password length,
|
||||
password strength, and password complexity
|
||||
can be implemented using built-in Pluggable Authentication
|
||||
Modules (<acronym>PAM</acronym>).</para>
|
||||
|
||||
<para>The <acronym>PAM</acronym> system, or Pluggable
|
||||
Authentication Modules, will enforce the password policy by
|
||||
setting a minimum and maximum password length. They will
|
||||
also enforce mixed characters. In particular the
|
||||
&man.pam.passwdqc.8; will be discussed.</para>
|
||||
<para>This section demonstrates how to configure the minimum
|
||||
and maximum password length and the
|
||||
enforcement of mixed characters using the
|
||||
<filename>pam_passwdqc.so</filename> module. This module is enforced when
|
||||
a user changes their password.</para>
|
||||
|
||||
<para>To proceed, add the following line to
|
||||
<filename>/etc/pam.d/passwd</filename>:</para>
|
||||
<para>To configure this module, become the superuser and uncomment the line containing
|
||||
<literal>pam_passwdqc.so</literal> in
|
||||
<filename>/etc/pam.d/passwd</filename>. Then, edit that
|
||||
line to match the password policy:</para>
|
||||
|
||||
<programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>
|
||||
<programlisting>password requisite pam_passwdqc.so <replaceable>min=disabled,disabled,disabled,12,10 similar=deny retry=3</replaceable> enforce=users</programlisting>
|
||||
|
||||
<para>There is already a commented out line for this module
|
||||
and it may be altered to the version above. This statement
|
||||
basically sets several requirements. First, a minimal
|
||||
password length is disabled, allowing for a password of any
|
||||
length. Using only two character classes are disabled,
|
||||
which means that all classes, including special, will be
|
||||
considered valid. The next entry requires that passwords
|
||||
be twelve characters in length with characters from three
|
||||
classes or ten byte (or more) passwords with characters from
|
||||
four character classes. This also denies passwords that
|
||||
are similar to the previously used password. A user is
|
||||
provided three opportunities to enter a new password and
|
||||
finally only enforce this requirement on users. That is,
|
||||
exempt super users. This statement is probably confusing
|
||||
so reading the manual page is highly recommended, in
|
||||
particular to understand what character classes are.</para>
|
||||
<para>This example
|
||||
sets several requirements for new passwords. The <literal>min</literal>
|
||||
setting controls the minimum
|
||||
password length. It has five values because this module
|
||||
defines five different types of passwords based on their
|
||||
complexity. Complexity is defined by the type of characters
|
||||
that must exist in a password, such as letters, numbers,
|
||||
symbols, and case. The types of passwords are described in
|
||||
&man.pam.passwdqc.8;. In this example, the first three
|
||||
types of passwords are disabled, meaning that passwords that
|
||||
meet those complexity requirements will not be accepted,
|
||||
regardless of their length.
|
||||
The <literal>12</literal> sets a minimum password policy of
|
||||
at least twelve characters, if the password also contains
|
||||
characters with three types of complexity. The
|
||||
<literal>10</literal> sets the password policy to also allow
|
||||
passwords of at least ten characters, if the password
|
||||
contains characters with four types of complexity.</para>
|
||||
|
||||
<para>After this change is made and the file saved, any user
|
||||
<para>The <literal>similar</literal> setting denies passwords that
|
||||
are similar to the user's previous password. The
|
||||
<literal>retry</literal> setting provides a user with
|
||||
three opportunities to enter a new password.</para>
|
||||
|
||||
<para>Once this file is saved, a user
|
||||
changing their password will see a message similar to the
|
||||
following. This message might also clear up some confusion
|
||||
about the configuration.</para>
|
||||
following:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>passwd</userinput></screen>
|
||||
|
||||
<programlisting>Changing local password for trhodes
|
||||
<screen>&prompt.user; <userinput>passwd</userinput>
|
||||
Changing local password for trhodes
|
||||
Old Password:
|
||||
|
||||
You can now choose the new password.
|
||||
|
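Review bot: the rewritten explanation no longer covers <literal>enforce=users</literal>, which is still on the <programlisting> line (and sits outside the <replaceable> span, so readers are expected to keep it verbatim); the old text explained it as applying the policy only to ordinary users and exempting the superuser, so add a sentence for it beside the <literal>similar</literal> and <literal>retry</literal> explanations, otherwise a reader who copies the line will not know that root's password changes bypass the check. Also, the intro sentence still promises to configure "the minimum and maximum password length" while the example sets only <literal>min</literal>; either drop "and maximum" or show a <literal>max</literal> value in the listing.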
@ -368,32 +375,34 @@ classes. Characters that form a common pattern are discarded by
|
|||
the check.
|
||||
Alternatively, if noone else can see your terminal now, you can
|
||||
pick this as your password: "trait-useful&knob".
|
||||
Enter new password:</programlisting>
|
||||
Enter new password:</screen>
|
||||
|
||||
<para>If a weak password is entered, it will be rejected with
|
||||
<para>If a password that does not match the policy is entered, it will be rejected with
|
||||
a warning and the user will have an opportunity to try
|
||||
again</para>
|
||||
again, up to the configured number of retries.</para>
|
||||
|
||||
<para>In most password policies, a password aging requirement
|
||||
is normally set. This means that a every password must
|
||||
expire after so many days after it has been set. To set a
|
||||
password age time in &os;, set the
|
||||
<option>passwordtime</option> in
|
||||
<filename>/etc/login.conf</filename>. Most users when added
|
||||
to the system just fall into the <option>default</option>
|
||||
default group which is where this variable could be added
|
||||
and the database rebuilt using:</para>
|
||||
<para>Most password policies require passwords to
|
||||
expire after so many days. To set a
|
||||
password age time in &os;, set
|
||||
<option>passwordtime</option> for the user's login class in
|
||||
<filename>/etc/login.conf</filename>. The
|
||||
<literal>default</literal> login class contains an example:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
|
||||
<programlisting># :passwordtime=90d:\</programlisting>
|
||||
|
||||
<para>So, to set an expiry of 90 days for this login class,
|
||||
remove the comment symbol (<literal>#</literal>), save the
|
||||
edit, and run <command>cap_mkdb /etc/login.conf</command>.</para>
|
||||
|
||||
<para>To set the expiration on individual users, provide a day
|
||||
count to &man.pw.8; and a username like:</para>
|
||||
<para>To set the expiration on individual users, pass an
|
||||
expiration date or the number of days to expiry
|
||||
and a username to <command>pw</command>:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>
|
||||
<screen>&prompt.root; <userinput>pw usermod -p <replaceable>30-apr-2015</replaceable> -n <replaceable>trhodes</replaceable></userinput></screen>
|
||||
|
||||
<para>As seen here, an expiration date is set in the form of
|
||||
day, month, year. For more information, see
|
||||
&man.pw.8;</para>
|
||||
day, month, and year. For more information, see
|
||||
&man.pw.8;.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2 xml:id="security-rkhunter">
|
||||
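Review bot: the new <command>pw</command> paragraph says the user may pass "an expiration date or the number of days to expiry", but the <screen> shows only the date form and the closing sentence ("an expiration date is set in the form of day, month, and year") describes only that form; either add a second <replaceable> example with a day count or drop the days clause so the text matches what is demonstrated. Markup nit: <option>passwordtime</option> and <literal>default</literal> are both <filename>/etc/login.conf</filename> entries but now get different elements (the old text used <option> for both); pick one for consistency.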