Add a section on password policy and password policy
enforcement (with pam, pw, login.conf).
parent 722cb2bdd1
commit f7aebf5b02
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=43764
1 changed file with 84 additions and 0 deletions
@ -305,6 +305,90 @@
the handbook. Kerberose users may need to make additional
changes to implement <application>OpenSSH</application> in
their network.</para>

<sect3 xml:id="security-pwpolicy">
<title>Password Policy and Enforcement</title>

<para>Enforcing a strong password policy for local accounts
is a fundamental aspect of local system security and policy.
During password enforcement, things like password length,
password strength, and the likelihood the password could be
guessed or cracked can be implemented through the system
&man.pam.8; modules.</para>

<para>The <acronym>PAM</acronym> system, or Pluggable
Authentication Modules, will enforce the password policy by
setting a minimum and maximum password length. They will
also enforce mixed characters. In particular the
&man.pam.passwdqc.8; will be discussed.</para>

<para>To proceed, open the
<filename>/etc/pam.d/passwd</filename> file and add the
following line to the file.</para>

<programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>

<para>There is already a commented out line for this module and
it may be altered to the version above. This statement
basically sets several requirements. First, a minimal
password length is disabled, allowing for a password of any
length. Using only two character classes are disabled,
which means that all classes, including special, will be
considered valid. The next entry requires that passwords
be twelve characters in length with characters from three
classes or ten byte (or more) passwords with characters from
four character classes. This also denies passwords that
are similar to the previously used password. A user is
provided three opportunities to enter a new password and
finally only enforce this requirement on users. That is,
exempt super users. This statement is probably confusing
so reading the manual page is highly recommended, in
particular to understand what character classes are.</para>

<para>After this change is made and the file saved, any user
changing their password will see a message similar to the
following. This message might also clear up some confusion
about the configuration.</para>

<screen>&prompt.user; <userinput>passwd</userinput></screen>

<programlisting>Changing local password for trhodes
Old Password:

You can now choose the new password.
A valid password should be a mix of upper and lower case letters,
digits and other characters. You can use a 12 character long
password with characters from at least 3 of these 4 classes, or
a 10 character long password containing characters from all the
classes. Characters that form a common pattern are discarded by
the check.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "trait-useful&knob".
Enter new password:</programlisting>

<para>If a weak password is entered, it will be rejected with
a warning and the user will have an opportunity to try
again</para>

<para>In most password policies, a password aging requirement
is normally set. This means that a every password must expire
after so many days after it has been set. To set a password
age time in &os;, set the <option>passwordtime</option> in
<filename>/etc/login.conf</filename>. Most users when added
to the system just fall into the <option>default</option>
default group which is where this variable could be added and
the database rebuilt using:</para>

<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>

<para>To set the expiration on individual users, provide a day
count to &man.pw.8; and a username like:</para>

<screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>

<para>As seen here, an expiration date is set in the form of day,
month, year. For more information, see &man.pw.8;</para>

</sect3>
</sect2>

<sect2 xml:id="security-rkhunter">
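Review bot: the paragraph explaining the pam_passwdqc line gets the meaning of `min=disabled,disabled,disabled,12,10` backwards. The five values of min= are the minimum lengths accepted for passwords made of one character class, two classes, passphrases, three classes and four classes respectively, and `disabled` rejects that kind of password outright; it does not mean "allowing for a password of any length", and "Using only two character classes are disabled, which means that all classes, including special, will be considered valid" is likewise misleading. The passwd output quoted later in this same hunk states the real effect ("a 12 character long password with characters from at least 3 of these 4 classes, or a 10 character long password containing characters from all the classes"), so suggest rewording to something like: "Passwords built from only one or two character classes, and passphrases, are rejected regardless of length; a password must contain at least twelve characters from three classes or ten characters from all four." Two smaller points in the same hunk: the pw paragraph says to "provide a day count" but the example `pw usermod -p 30-apr-2014 -n trhodes` passes a date, and the following sentence describes it as a day/month/year date, so say "an expiration date" there; and minor typos: "a every password", the missing full stops after "opportunity to try again" and "see &man.pw.8;".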