Date: Thu, 18 Jan 2024 14:13:00 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 276422] pam_passwdqc(8) - add more examples
Message-ID: <bug-276422-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276422

            Bug ID: 276422
           Summary: pam_passwdqc(8) - add more examples
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: zarychtam@plan-b.pwste.edu.pl

A few years ago I created D27656[1]. It did not gain much interest, but it's
still relevant. Yesterday I looked at the Security chapter of the FreeBSD
Handbook and found no consistent example of enforcing password policies[2].

Where is the problem? When the user's password expires, the password change
will be enforced immediately upon logging in and the policy enforcement set in
/etc/pam.d/passwd will not be applied. In case of an expired password, password
policy enforcement will only work if set in the appropriate pam.d config file
corresponding to the authentication method (usually /etc/pam.d/sshd or
/etc/pam.d/login). Moreover, in the case of an expired password, the password
change will be done under uid 0, so only enforce=everyone makes sense.

Maybe we can fix it by extending examples, but probably the right way will be
to change PAM modules internally to better handle changing expired passwords.

To reproduce:
- Configure the system following [2]
- Set: "pw user mod exampleuser -p 31-Dec-2023"
- Login via console or ssh to the system as exampleuser and set the password to
  empty (just press enter twice).

Over 3 years ago I found it as a foot-shooting issue and spent a few hours
figuring out how it was possible that some users had set empty passwords, but
I think that more people enforcing password policies might be affected.

1. https://reviews.freebsd.org/D27656
2. https://docs.freebsd.org/en/books/handbook/security/#security-pwpolicy

-- 
You are receiving this mail because:
You are the assignee for the bug.
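The two rules the report states (an expired password is changed from the login service's own password stack, and that change runs as uid 0) can be checked mechanically. The script below is an added example and is not part of the bug report, of D27656 or of FreeBSD's own tooling: it expands each service's effective "password" stack (following "password include" lines), flags any service where pam_passwdqc.so is missing or lacks enforce=everyone, and then applies the fix to constructed sample files. The sample contents of system, passwd, sshd and login and the policy line are assumptions modelled on stock FreeBSD files and on the Handbook's enforce=users example, not copied from either; set PAMDIR=/etc/pam.d to audit a live host, and run apply_fix there only after reviewing what it would rewrite.

```shell
#!/bin/sh
# Added example for bug 276422; not from the report, D27656 or FreeBSD.
# Audits pam.d "password" stacks for the two conditions the report gives:
#   1. the expired-password change is driven by the login service's own
#      password stack (sshd, login), never by /etc/pam.d/passwd, so
#      pam_passwdqc must be present in each of those stacks;
#   2. that change runs as uid 0, so only enforce=everyone is honoured;
#      enforce=users silently skips the policy.
# PAMDIR defaults to a scratch directory filled with constructed samples so
# the script runs offline; set PAMDIR=/etc/pam.d to audit a real host.

PAMDIR="${PAMDIR:-$(mktemp -d)}"

# Assumed policy line, modelled on the Handbook's example but with
# enforce=everyone so it also applies to the uid-0 change.
POLICY='password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users'
POLICY="${POLICY%enforce=users}enforce=everyone"

# Constructed sample files (only the password stacks matter here). They are
# an assumption about stock FreeBSD files plus the Handbook's enforce=users
# line in passwd; verify against your own /etc/pam.d.
make_samples() {
    mkdir -p "$PAMDIR"
    printf '%s\n' 'password required pam_unix.so no_warn try_first_pass' \
        > "$PAMDIR/system"
    printf '%s\n' \
        'password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users' \
        'password required pam_unix.so no_warn try_first_pass nullok' \
        > "$PAMDIR/passwd"
    printf '%s\n' 'password required pam_unix.so no_warn try_first_pass' \
        > "$PAMDIR/sshd"
    printf '%s\n' 'password include system' > "$PAMDIR/login"
}

# Print the effective password stack of a service, expanding
# "password include <service>" recursively. The body runs in a subshell so
# the loop variables stay local across the recursion.
password_stack() (
    f="$PAMDIR/$1"
    [ -f "$f" ] || return 0
    sed 's/#.*//' "$f" | awk '$1 == "password"' |
    while read -r ptype control module args; do
        if [ "$control" = "include" ]; then
            password_stack "$module"
        else
            printf '%s %s %s %s\n' "$ptype" "$control" "$module" "$args"
        fi
    done
)

# Verdict for one service: returns 0 only if pam_passwdqc is in the
# effective password stack with enforce=everyone.
check_service() {
    stack=$(password_stack "$1")
    if ! printf '%s\n' "$stack" | grep -q 'pam_passwdqc\.so'; then
        echo "$1: no pam_passwdqc in password stack; an expired password can be set to anything, including empty"
        return 1
    fi
    if ! printf '%s\n' "$stack" | grep 'pam_passwdqc\.so' | grep -q 'enforce=everyone'; then
        echo "$1: pam_passwdqc present but not enforce=everyone; the uid-0 change of an expired password bypasses it"
        return 1
    fi
    echo "$1: ok"
}

# Audit passwd plus the login services through which an expired password
# gets changed at logon.
audit() {
    rc=0
    for svc in passwd sshd login; do
        check_service "$svc" || rc=1
    done
    return $rc
}

# Fix: drop any existing pam_passwdqc line (commented ones included) and
# insert POLICY before the first password line of passwd, sshd and system
# (login's stack reaches system through its include line).
apply_fix() {
    for svc in passwd sshd system; do
        f="$PAMDIR/$svc"
        awk -v pol="$POLICY" '
            /pam_passwdqc\.so/ { next }
            $1 == "password" && !done { print pol; done = 1 }
            { print }
            END { if (!done) print pol }
        ' "$f" > "$f.new" && mv "$f.new" "$f"
    done
}

make_samples
echo "== before: Handbook-style policy only in passwd, enforce=users =="
audit || echo "== policy gaps found, as described in the report =="
apply_fix
echo "== after apply_fix =="
audit
```

The check deliberately treats "pam_passwdqc present but enforce=users" as a failure: at the moment the expired password is changed the calling uid is 0, so that setting is equivalent to no policy at all for exactly the case the report describes.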