diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml index 18240452b8..4e4b938f4f 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml 
@@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBP Password Policy Enforcement Enforcing a strong password policy for local accounts - is a fundamental aspect of local system security and policy. - During password enforcement, things like password length, - password strength, and the likelihood the password could be - guessed or cracked can be implemented through the system - &man.pam.8; modules. + is a fundamental aspect of system security. + In &os;, password length, + password strength, and password complexity + can be implemented using built-in Pluggable Authentication + Modules (PAM). - The PAM system, or Pluggable - Authentication Modules, will enforce the password policy by - setting a minimum and maximum password length. They will - also enforce mixed characters. In particular the - &man.pam.passwdqc.8; will be discussed. + This section demonstrates how to configure the minimum + and maximum password length and the + enforcement of mixed characters using the + pam_passwdqc.so module. This module is enforced when + a user changes their password. - To proceed, add the following line to - /etc/pam.d/passwd: + To configure this module, become the superuser and uncomment the line containing + pam_passwdqc.so in + /etc/pam.d/passwd. Then, edit that + line to match the password policy: - password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users + password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users - There is already a commented out line for this module - and it may be altered to the version above. This statement - basically sets several requirements. First, a minimal - password length is disabled, allowing for a password of any - length. Using only two character classes are disabled, - which means that all classes, including special, will be - considered valid. 
The next entry requires that passwords - be twelve characters in length with characters from three - classes or ten byte (or more) passwords with characters from - four character classes. This also denies passwords that - are similar to the previously used password. A user is - provided three opportunities to enter a new password and - finally only enforce this requirement on users. That is, - exempt super users. This statement is probably confusing - so reading the manual page is highly recommended, in - particular to understand what character classes are. + This example + sets several requirements for new passwords. The min + setting controls the minimum + password length. It has five values because this module + defines five different types of passwords based on their + complexity. Complexity is defined by the type of characters + that must exist in a password, such as letters, numbers, + symbols, and case. The types of passwords are described in + &man.pam.passwdqc.8;. In this example, the first three + types of passwords are disabled, meaning that passwords that + meet those complexity requirements will not be accepted, + regardless of their length. + The 12 sets a minimum password policy of + at least twelve characters, if the password also contains + characters with three types of complexity. The + 10 sets the password policy to also allow + passwords of at least ten characters, if the password + contains characters with four types of complexity. - After this change is made and the file saved, any user + The similar setting denies passwords that + are similar to the user's previous password. The + retry setting provides a user with + three opportunities to enter a new password. + + Once this file is saved, a user changing their password will see a message similar to the - following. This message might also clear up some confusion - about the configuration. 
+ following: - &prompt.user; passwd - - Changing local password for trhodes + &prompt.user; passwd +Changing local password for trhodes Old Password: You can now choose the new password. 
@@ -368,32 +375,34 @@ classes. Characters that form a common pattern are discarded by the check. Alternatively, if noone else can see your terminal now, you can pick this as your password: "trait-useful&knob". -Enter new password: +Enter new password: - If a weak password is entered, it will be rejected with + If a password that does not match the policy is entered, it will be rejected with a warning and the user will have an opportunity to try - again + again, up to the configured number of retries. - In most password policies, a password aging requirement - is normally set. This means that a every password must - expire after so many days after it has been set. To set a - password age time in &os;, set the - in - /etc/login.conf. Most users when added - to the system just fall into the - default group which is where this variable could be added - and the database rebuilt using: + Most password policies require passwords to + expire after so many days. To set a + password age time in &os;, set + for the user's login class in + /etc/login.conf. The + default login class contains an example: - &prompt.root; cap_mkdb /etc/login.conf + # :passwordtime=90d:\ + + So, to set an expiry of 90 days for this login class, + remove the comment symbol (#), save the + edit, and run cap_mkdb /etc/login.conf. - To set the expiration on individual users, provide a day - count to &man.pw.8; and a username like: + To set the expiration on individual users, pass an + expiration date or the number of days to expiry + and a username to pw: - &prompt.root; pw usermod -p 30-apr-2014 -n trhodes + &prompt.root; pw usermod -p 30-apr-2015 -n trhodes As seen here, an expiration date is set in the form of - day, month, year. For more information, see - &man.pw.8; + day, month, and year. For more information, see + &man.pw.8;.
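Review bot: The first hunk (`@@ -315,48 +315,55 @@`) drops the only explanation of `enforce=users` while keeping it in the example line; the removed text ("finally only enforce this requirement on users. That is, exempt super users") is not replaced by any `+` line, so a reader now sees an option in `password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users` that the paragraph never mentions. Since this is the setting that decides whether root is merely warned or actually blocked from choosing a weak password, add a sentence beside the `similar` and `retry` paragraph, e.g. "The `enforce` setting controls which users the policy is enforced for; with `enforce=users`, root is warned but not prevented from choosing a non-conforming password", or drop the option from the example if it is not meant to be discussed. Also, "This module is enforced when a user changes their password" reads oddly; "This module is invoked when a user changes their password" says what is meant.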
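Review bot: In the second hunk (`@@ -368,32 +375,34 @@`) the new sentence "pass an expiration date or the number of days to expiry and a username to pw" promises two forms but the example only shows the absolute date (`pw usermod -p 30-apr-2015 -n trhodes`), and that fixed date will already be in the past for most readers of the handbook. Either add a second example using the relative form pw(8) accepts, or narrow the sentence to "pass an expiration date and a username to pw" so the prose matches what is demonstrated.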