Editorial review of password policy section.

Sponsored by:	iXsystems
This commit is contained in:
Dru Lavigne 2014-04-30 20:50:57 +00:00
parent f58f348072
commit 53627b405d
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44725


@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3IMiM7tUEUSPmGexxta.8Lt9TGSi2lNQqYGKszsBP
<title>Password Policy Enforcement</title> <title>Password Policy Enforcement</title>
<para>Enforcing a strong password policy for local accounts <para>Enforcing a strong password policy for local accounts
is a fundamental aspect of local system security and policy. is a fundamental aspect of system security.
During password enforcement, things like password length, In &os;, password length,
password strength, and the likelihood the password could be password strength, and password complexity
guessed or cracked can be implemented through the system can be implemented using built-in Pluggable Authentication
&man.pam.8; modules.</para> Modules (<acronym>PAM</acronym>).</para>
<para>The <acronym>PAM</acronym> system, or Pluggable <para>This section demonstrates how to configure the minimum
Authentication Modules, will enforce the password policy by and maximum password length and the
setting a minimum and maximum password length. They will enforcement of mixed characters using the
also enforce mixed characters. In particular the <filename>pam_passwdqc.so</filename> module. This module is enforced when
&man.pam.passwdqc.8; will be discussed.</para> a user changes their password.</para>
<para>To proceed, add the following line to <para>To configure this module, become the superuser and uncomment the line containing
<filename>/etc/pam.d/passwd</filename>:</para> <literal>pam_passwdqc.so</literal> in
<filename>/etc/pam.d/passwd</filename>. Then, edit that
line to match the password policy:</para>
<programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting> <programlisting>password requisite pam_passwdqc.so <replaceable>min=disabled,disabled,disabled,12,10 similar=deny retry=3</replaceable> enforce=users</programlisting>
<para>There is already a commented out line for this module <para>This example
and it may be altered to the version above. This statement sets several requirements for new passwords. The <literal>min</literal>
basically sets several requirements. First, a minimal setting controls the minimum
password length is disabled, allowing for a password of any password length. It has five values because this module
length. Using only two character classes are disabled, defines five different types of passwords based on their
which means that all classes, including special, will be complexity. Complexity is defined by the type of characters
considered valid. The next entry requires that passwords that must exist in a password, such as letters, numbers,
be twelve characters in length with characters from three symbols, and case. The types of passwords are described in
classes or ten byte (or more) passwords with characters from &man.pam.passwdqc.8;. In this example, the first three
four character classes. This also denies passwords that types of passwords are disabled, meaning that passwords that
are similar to the previously used password. A user is meet those complexity requirements will not be accepted,
provided three opportunities to enter a new password and regardless of their length.
finally only enforce this requirement on users. That is, The <literal>12</literal> sets a minimum password policy of
exempt super users. This statement is probably confusing at least twelve characters, if the password also contains
so reading the manual page is highly recommended, in characters with three types of complexity. The
particular to understand what character classes are.</para> <literal>10</literal> sets the password policy to also allow
passwords of at least ten characters, if the password
contains characters with four types of complexity.</para>
<para>After this change is made and the file saved, any user <para>The <literal>similar</literal> setting denies passwords that
are similar to the user's previous password. The
<literal>retry</literal> setting provides a user with
three opportunities to enter a new password.</para>
<para>Once this file is saved, a user
changing their password will see a message similar to the changing their password will see a message similar to the
following. This message might also clear up some confusion following:</para>
about the configuration.</para>
<screen>&prompt.user; <userinput>passwd</userinput></screen> <screen>&prompt.user; <userinput>passwd</userinput>
Changing local password for trhodes
<programlisting>Changing local password for trhodes
Old Password: Old Password:
You can now choose the new password. You can now choose the new password.
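Review bot: the rewritten paragraphs after the `<programlisting>` explain `min`, `similar` and `retry` but drop the old text's explanation of `enforce=users`, which still appears in the listed configuration line; a reader now has no way to know that this value exempts the superuser from the policy. Suggest restoring one sentence alongside the `similar`/`retry` paragraph, for example "The <literal>enforce=users</literal> setting applies the policy to all users except the superuser; use <literal>enforce=everyone</literal> to apply it to root as well." That the root account is exempt is the kind of detail an administrator hardening a system would want stated rather than left to &man.pam.passwdqc.8;.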
@ -368,32 +375,34 @@ classes. Characters that form a common pattern are discarded by
the check. the check.
Alternatively, if noone else can see your terminal now, you can Alternatively, if noone else can see your terminal now, you can
pick this as your password: "trait-useful&amp;knob". pick this as your password: "trait-useful&amp;knob".
Enter new password:</programlisting> Enter new password:</screen>
<para>If a weak password is entered, it will be rejected with <para>If a password that does not match the policy is entered, it will be rejected with
a warning and the user will have an opportunity to try a warning and the user will have an opportunity to try
again</para> again, up to the configured number of retries.</para>
<para>In most password policies, a password aging requirement <para>Most password policies require passwords to
is normally set. This means that a every password must expire after so many days. To set a
expire after so many days after it has been set. To set a password age time in &os;, set
password age time in &os;, set the <option>passwordtime</option> for the user's login class in
<option>passwordtime</option> in <filename>/etc/login.conf</filename>. The
<filename>/etc/login.conf</filename>. Most users when added <literal>default</literal> login class contains an example:</para>
to the system just fall into the <option>default</option>
default group which is where this variable could be added
and the database rebuilt using:</para>
<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> <programlisting># :passwordtime=90d:\</programlisting>
<para>To set the expiration on individual users, provide a day <para>So, to set an expiry of 90 days for this login class,
count to &man.pw.8; and a username like:</para> remove the comment symbol (<literal>#</literal>), save the
edit, and run <command>cap_mkdb /etc/login.conf</command>.</para>
<screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen> <para>To set the expiration on individual users, pass an
expiration date or the number of days to expiry
and a username to <command>pw</command>:</para>
<screen>&prompt.root; <userinput>pw usermod -p <replaceable>30-apr-2015</replaceable> -n <replaceable>trhodes</replaceable></userinput></screen>
<para>As seen here, an expiration date is set in the form of <para>As seen here, an expiration date is set in the form of
day, month, year. For more information, see day, month, and year. For more information, see
&man.pw.8;</para> &man.pw.8;.</para>
</sect2> </sect2>
<sect2 xml:id="security-rkhunter"> <sect2 xml:id="security-rkhunter">
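Review bot: the new `<para>` before the `pw usermod` example says an administrator may pass "an expiration date or the number of days to expiry", but the `<screen>` only shows the absolute `30-apr-2015` form, and that hard-coded date will read as already expired once the handbook outlives it. Suggest either showing the relative form that &man.pw.8; accepts for `-p` (for example `pw usermod -p +90d -n trhodes`) or dropping "or the number of days to expiry" from the sentence so the prose matches the example. The following `<para>` ("an expiration date is set in the form of day, month, and year") should then also mention the relative form if it is added.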