Date: Tue, 4 Feb 2014 16:45:39 +0000 (UTC) From: Tom Rhodes <trhodes@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43764 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201402041645.s14GjdYM053375@svn.freebsd.org>
Author: trhodes Date: Tue Feb 4 16:45:39 2014 New Revision: 43764 URL: http://svnweb.freebsd.org/changeset/doc/43764 Log: Add a section on password policy and password policy enforcement (with pam, pw, login.conf). Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Feb 4 16:18:13 2014 (r43763) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue Feb 4 16:45:39 2014 (r43764) 
@@ -305,6 +305,90 @@ the handbook. Kerberose users may need to make additional changes to implement <application>OpenSSH</application> in their network.</para> + + <sect3 xml:id="security-pwpolicy"> + <title>Password Policy and Enforcement</title> + + <para>Enforcing a strong password policy for local accounts + is a fundamental aspect of local system security and policy. + During password enforcement, things like password length, + password strength, and the likelihood the password could be + guessed or cracked can be implemented through the system + &man.pam.8; modules.</para> + + <para>The <acronym>PAM</acronym> system, or Pluggable + Authentication Modules, will enforce the password policy by + setting a minimum and maximum password length. They will + also enforce mixed characters. In particular the + &man.pam.passwdqc.8; will be discussed.</para> + + <para>To proceed, open the + <filename>/etc/pam.d/passwd</filename> file and add the + following line to the file.</para> + + <programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting> + + <para>There is already a commented out line for this module and + it may be altered to the version above. This statement + basically sets several requirements. First, a minimal + password length is disabled, allowing for a password of any + length. Using only two character classes are disabled, + which means that all classes, including special, will be + considered valid. The next entry requires that passwords + be twelve characters in length with characters from three + classes or ten byte (or more) passwords with characters from + four character classes. This also denies passwords that + are similar to the previously used password. A user is + provided three opportunities to enter a new password and + finally only enforce this requirement on users. That is, + exempt super users. 
This statement is probably confusing + so reading the manual page is highly recommended, in + particular to understand what character classes are.</para> + + <para>After this change is made and the file saved, any user + changing their password will see a message similar to the + following. This message might also clear up some confusion + about the configuration.</para> + + <screen>&prompt.user; <userinput>passwd</userinput></screen> + + <programlisting>Changing local password for trhodes +Old Password: + +You can now choose the new password. +A valid password should be a mix of upper and lower case letters, +digits and other characters. You can use a 12 character long +password with characters from at least 3 of these 4 classes, or +a 10 character long password containing characters from all the +classes. Characters that form a common pattern are discarded by +the check. +Alternatively, if noone else can see your terminal now, you can +pick this as your password: "trait-useful&knob". +Enter new password:</programlisting> + + <para>If a weak password is entered, it will be rejected with + a warning and the user will have an opportunity to try + again</para> + + <para>In most password policies, a password aging requirement + is normally set. This means that a every password must expire + after so many days after it has been set. To set a password + age time in &os;, set the <option>passwordtime</option> in + <filename>/etc/login.conf</filename>. 
Most users when added + to the system just fall into the <option>default</option> + default group which is where this variable could be added and + the database rebuilt using:</para> + + <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> + + <para>To set the expiration on individual users, provide a day + count to &man.pw.8; and a username like:</para> + + <screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen> + + <para>As seen here, an expiration date is set in the form of day, + month, year. For more information, see &man.pw.8;</para> + </sect3> </sect2> <sect2 xml:id="security-rkhunter">