From owner-svn-doc-head@FreeBSD.ORG Tue Feb 4 16:45:40 2014
Message-Id: <201402041645.s14GjdYM053375@svn.freebsd.org>
From: Tom Rhodes
Date: Tue, 4 Feb 2014 16:45:39 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43764 - head/en_US.ISO8859-1/books/handbook/security

Author: trhodes
Date: Tue Feb 4 16:45:39 2014
New Revision: 43764

URL: http://svnweb.freebsd.org/changeset/doc/43764

Log:
  Add a section on password policy and password policy enforcement (with pam, pw, login.conf).

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Feb 4 16:18:13 2014	(r43763)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Tue Feb 4 16:45:39 2014	(r43764)
@@ -305,6 +305,90 @@ the handbook. Kerberose users may need to make additional changes to implement OpenSSH in their network. + + + Password Policy and Enforcement + + Enforcing a strong password policy for local accounts + is a fundamental aspect of local system security and policy. + During password enforcement, things like password length, + password strength, and the likelihood the password could be + guessed or cracked can be implemented through the system + &man.pam.8; modules. + + The PAM system, or Pluggable + Authentication Modules, will enforce the password policy by + setting a minimum and maximum password length. They will + also enforce mixed characters. In particular the + &man.pam.passwdqc.8; will be discussed. + + To proceed, open the + /etc/pam.d/passwd file and add the + following line to the file. + + password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users + + There is already a commented out line for this module and + it may be altered to the version above. This statement + basically sets several requirements. First, a minimal + password length is disabled, allowing for a password of any + length. Using only two character classes are disabled, + which means that all classes, including special, will be + considered valid. The next entry requires that passwords + be twelve characters in length with characters from three + classes or ten byte (or more) passwords with characters from + four character classes. This also denies passwords that + are similar to the previously used password. A user is + provided three opportunities to enter a new password and + finally only enforce this requirement on users. That is, + exempt super users. This statement is probably confusing + so reading the manual page is highly recommended, in + particular to understand what character classes are. 
+ + After this change is made and the file saved, any user + changing their password will see a message similar to the + following. This message might also clear up some confusion + about the configuration. + + &prompt.user; passwd + + Changing local password for trhodes +Old Password: + +You can now choose the new password. +A valid password should be a mix of upper and lower case letters, +digits and other characters. You can use a 12 character long +password with characters from at least 3 of these 4 classes, or +a 10 character long password containing characters from all the +classes. Characters that form a common pattern are discarded by +the check. +Alternatively, if noone else can see your terminal now, you can +pick this as your password: "trait-useful&knob". +Enter new password: + + If a weak password is entered, it will be rejected with + a warning and the user will have an opportunity to try + again + + In most password policies, a password aging requirement + is normally set. This means that a every password must expire + after so many days after it has been set. To set a password + age time in &os;, set the in + /etc/login.conf. Most users when added + to the system just fall into the + default group which is where this variable could be added and + the database rebuilt using: + + &prompt.root; cap_mkdb /etc/login.conf + + To set the expiration on individual users, provide a day + count to &man.pw.8; and a username like: + + &prompt.root; pw usermod -p 30-apr-2014 -n trhodes + + As seen here, an expiration date is set in the form of day, + month, year. For more information, see &man.pw.8; +
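Review bot: the walk-through of `min=disabled,disabled,disabled,12,10` mis-describes the first field. In pam_passwdqc(8) the five `min=` values are the minimum lengths for passwords built from one character class, two classes, a passphrase, three classes and four classes respectively, and `disabled` means that kind of password is rejected outright; so the first `disabled` forbids single-class passwords rather than "allowing for a password of any length", and the third `disabled` (passphrases) is never explained. Since the paragraph already concedes it is "probably confusing", restating it as one sentence per field ("single-class passwords are refused; two-class passwords are refused; passphrases are refused; three classes need 12 characters; four classes need 10") would make the policy being enforced unambiguous. Further down, "set the in /etc/login.conf" is missing the name of the login.conf capability the reader is supposed to set, so that step cannot be followed as written. The pw example is inconsistent with its lead-in: the text says to "provide a day count" but `pw usermod -p 30-apr-2014 -n trhodes` passes a password expiry date, which the next sentence then correctly describes as day, month, year; change the lead-in to say a date. Minor: "a every password must expire" should drop "a", "try again" lacks its terminating period, and the unchanged context line just above the insertion still reads "Kerberose".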