Date: Wed, 30 Apr 2014 20:50:57 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44725 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201404302050.s3UKov1D044270@svn.freebsd.org>
Author: dru Date: Wed Apr 30 20:50:57 2014 New Revision: 44725 URL: http://svnweb.freebsd.org/changeset/doc/44725 Log: Editorial review of password policy section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 19:31:56 2014 (r44724) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 30 20:50:57 2014 (r44725) 
@@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3 <title>Password Policy Enforcement</title> <para>Enforcing a strong password policy for local accounts - is a fundamental aspect of local system security and policy. - During password enforcement, things like password length, - password strength, and the likelihood the password could be - guessed or cracked can be implemented through the system - &man.pam.8; modules.</para> - - <para>The <acronym>PAM</acronym> system, or Pluggable - Authentication Modules, will enforce the password policy by - setting a minimum and maximum password length. They will - also enforce mixed characters. In particular the - &man.pam.passwdqc.8; will be discussed.</para> - - <para>To proceed, add the following line to - <filename>/etc/pam.d/passwd</filename>:</para> - - <programlisting>password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting> - - <para>There is already a commented out line for this module - and it may be altered to the version above. This statement - basically sets several requirements. First, a minimal - password length is disabled, allowing for a password of any - length. Using only two character classes are disabled, - which means that all classes, including special, will be - considered valid. The next entry requires that passwords - be twelve characters in length with characters from three - classes or ten byte (or more) passwords with characters from - four character classes. This also denies passwords that - are similar to the previously used password. A user is - provided three opportunities to enter a new password and - finally only enforce this requirement on users. That is, - exempt super users. This statement is probably confusing - so reading the manual page is highly recommended, in - particular to understand what character classes are.</para> + is a fundamental aspect of system security. 
+ In &os;, password length, + password strength, and password complexity + can be implemented using built-in Pluggable Authentication + Modules (<acronym>PAM</acronym>).</para> + + <para>This section demonstrates how to configure the minimum + and maximum password length and the + enforcement of mixed characters using the + <filename>pam_passwdqc.so</filename> module. This module is enforced when + a user changes their password.</para> + + <para>To configure this module, become the superuser and uncomment the line containing + <literal>pam_passwdqc.so</literal> in + <filename>/etc/pam.d/passwd</filename>. Then, edit that + line to match the password policy:</para> + + <programlisting>password requisite pam_passwdqc.so <replaceable>min=disabled,disabled,disabled,12,10 similar=deny retry=3</replaceable> enforce=users</programlisting> + + <para>This example + sets several requirements for new passwords. The <literal>min</literal> + setting controls the minimum + password length. It has five values because this module + defines five different types of passwords based on their + complexity. Complexity is defined by the type of characters + that must exist in a password, such as letters, numbers, + symbols, and case. The types of passwords are described in + &man.pam.passwdqc.8;. In this example, the first three + types of passwords are disabled, meaning that passwords that + meet those complexity requirements will not be accepted, + regardless of their length. + The <literal>12</literal> sets a minimum password policy of + at least twelve characters, if the password also contains + characters with three types of complexity. The + <literal>10</literal> sets the password policy to also allow + passwords of at least ten characters, if the password + contains characters with four types of complexity.</para> + + <para>The <literal>similar</literal> setting denies passwords that + are similar to the user's previous password. 
The + <literal>retry</literal> setting provides a user with + three opportunities to enter a new password.</para> - <para>After this change is made and the file saved, any user + <para>Once this file is saved, a user changing their password will see a message similar to the - following. This message might also clear up some confusion - about the configuration.</para> + following:</para> - <screen>&prompt.user; <userinput>passwd</userinput></screen> - - <programlisting>Changing local password for trhodes + <screen>&prompt.user; <userinput>passwd</userinput> +Changing local password for trhodes Old Password: You can now choose the new password. 
@@ -368,32 +375,34 @@ classes. Characters that form a common the check. Alternatively, if noone else can see your terminal now, you can pick this as your password: "trait-useful&knob". -Enter new password:</programlisting> +Enter new password:</screen> - <para>If a weak password is entered, it will be rejected with + <para>If a password that does not match the policy is entered, it will be rejected with a warning and the user will have an opportunity to try - again</para> - - <para>In most password policies, a password aging requirement - is normally set. This means that a every password must - expire after so many days after it has been set. To set a - password age time in &os;, set the - <option>passwordtime</option> in - <filename>/etc/login.conf</filename>. Most users when added - to the system just fall into the <option>default</option> - default group which is where this variable could be added - and the database rebuilt using:</para> - - <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> + again, up to the configured number of retries.</para> - <para>To set the expiration on individual users, provide a day - count to &man.pw.8; and a username like:</para> + <para>Most password policies require passwords to + expire after so many days. To set a + password age time in &os;, set + <option>passwordtime</option> for the user's login class in + <filename>/etc/login.conf</filename>. 
The + <literal>default</literal> login class contains an example:</para> + + <programlisting># :passwordtime=90d:\</programlisting> + + <para>So, to set an expiry of 90 days for this login class, + remove the comment symbol (<literal>#</literal>), save the + edit, and run <command>cap_mkdb /etc/login.conf</command>.</para> + + <para>To set the expiration on individual users, pass an + expiration date or the number of days to expiry + and a username to <command>pw</command>:</para> - <screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen> + <screen>&prompt.root; <userinput>pw usermod -p <replaceable>30-apr-2015</replaceable> -n <replaceable>trhodes</replaceable></userinput></screen> <para>As seen here, an expiration date is set in the form of - day, month, year. For more information, see - &man.pw.8;</para> + day, month, and year. For more information, see + &man.pw.8;.</para> </sect2> <sect2 xml:id="security-rkhunter">
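Review bot: In the first hunk (@@ -315), the new sentence "This section demonstrates how to configure the minimum and maximum password length" is not backed by the example that follows: the pam_passwdqc.so line only sets `min=...`, and the explanation never mentions a maximum-length setting, so either drop "and maximum" or add and explain the corresponding option. The same hunk also removes the old explanation of `enforce=users` ("finally only enforce this requirement on users. That is, exempt super users.") without replacing it, which leaves the one setting that decides whom the policy applies to unexplained; suggest a sentence after the `retry` explanation along the lines of "The enforce=users setting applies the policy to regular users only and exempts the superuser." Also, `enforce=users` sits outside the `<replaceable>` span even though it is as likely to need adjusting as the values inside it.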
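Review bot: In the second hunk (@@ -368), the new paragraph says to pass "an expiration date or the number of days to expiry" to pw, but the `<screen>` example only demonstrates the date form (`pw usermod -p 30-apr-2015 -n trhodes`) and the closing sentence only describes the "day, month, and year" form; either show the second form as well or drop the phrase so the prose matches the example. Minor markup consistency: `passwordtime` is tagged `<option>` while the other configuration keys in this section (`min`, `similar`, `retry`, `default`) use `<literal>`.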