From owner-svn-doc-all@FreeBSD.ORG Wed Apr 30 20:50:57 2014
Return-Path: 
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D2D2D525; Wed, 30 Apr 2014 20:50:57 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B402B153B; Wed, 30 Apr 2014 20:50:57 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3UKovnn044271; Wed, 30 Apr 2014 20:50:57 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3UKov1D044270; Wed, 30 Apr 2014 20:50:57 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201404302050.s3UKov1D044270@svn.freebsd.org>
From: Dru Lavigne
Date: Wed, 30 Apr 2014 20:50:57 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44725 - head/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Wed, 30 Apr 2014 20:50:57 -0000

Author: dru
Date: Wed Apr 30 20:50:57 2014
New Revision: 44725

URL: http://svnweb.freebsd.org/changeset/doc/44725

Log:
  Editorial review of password policy section.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Wed Apr 30 19:31:56 2014	(r44724)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Wed Apr 30 20:50:57 2014	(r44725)
@@ -315,48 +315,55 @@ dru:$6$pzIjSvCAn.PBYQBA$PXpSeWPx3g5kscj3 Password Policy Enforcement Enforcing a strong password policy for local accounts - is a fundamental aspect of local system security and policy. - During password enforcement, things like password length, - password strength, and the likelihood the password could be - guessed or cracked can be implemented through the system - &man.pam.8; modules. - - The PAM system, or Pluggable - Authentication Modules, will enforce the password policy by - setting a minimum and maximum password length. They will - also enforce mixed characters. In particular the - &man.pam.passwdqc.8; will be discussed. - - To proceed, add the following line to - /etc/pam.d/passwd: - - password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users - - There is already a commented out line for this module - and it may be altered to the version above. This statement - basically sets several requirements. First, a minimal - password length is disabled, allowing for a password of any - length. Using only two character classes are disabled, - which means that all classes, including special, will be - considered valid. The next entry requires that passwords - be twelve characters in length with characters from three - classes or ten byte (or more) passwords with characters from - four character classes. This also denies passwords that - are similar to the previously used password. A user is - provided three opportunities to enter a new password and - finally only enforce this requirement on users. That is, - exempt super users. This statement is probably confusing - so reading the manual page is highly recommended, in - particular to understand what character classes are. + is a fundamental aspect of system security. + In &os;, password length, + password strength, and password complexity + can be implemented using built-in Pluggable Authentication + Modules (PAM). 
+ + This section demonstrates how to configure the minimum + and maximum password length and the + enforcement of mixed characters using the + pam_passwdqc.so module. This module is enforced when + a user changes their password. + + To configure this module, become the superuser and uncomment the line containing + pam_passwdqc.so in + /etc/pam.d/passwd. Then, edit that + line to match the password policy: + + password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users + + This example + sets several requirements for new passwords. The min + setting controls the minimum + password length. It has five values because this module + defines five different types of passwords based on their + complexity. Complexity is defined by the type of characters + that must exist in a password, such as letters, numbers, + symbols, and case. The types of passwords are described in + &man.pam.passwdqc.8;. In this example, the first three + types of passwords are disabled, meaning that passwords that + meet those complexity requirements will not be accepted, + regardless of their length. + The 12 sets a minimum password policy of + at least twelve characters, if the password also contains + characters with three types of complexity. The + 10 sets the password policy to also allow + passwords of at least ten characters, if the password + contains characters with four types of complexity. + + The similar setting denies passwords that + are similar to the user's previous password. The + retry setting provides a user with + three opportunities to enter a new password. - After this change is made and the file saved, any user + Once this file is saved, a user changing their password will see a message similar to the - following. This message might also clear up some confusion - about the configuration. 
+ following: - &prompt.user; passwd - - Changing local password for trhodes + &prompt.user; passwd +Changing local password for trhodes Old Password: You can now choose the new password. @@ -368,32 +375,34 @@ classes. Characters that form a common the check. Alternatively, if noone else can see your terminal now, you can pick this as your password: "trait-useful&knob". -Enter new password: +Enter new password: - If a weak password is entered, it will be rejected with + If a password that does not match the policy is entered, it will be rejected with a warning and the user will have an opportunity to try - again - - In most password policies, a password aging requirement - is normally set. This means that a every password must - expire after so many days after it has been set. To set a - password age time in &os;, set the - in - /etc/login.conf. Most users when added - to the system just fall into the - default group which is where this variable could be added - and the database rebuilt using: - - &prompt.root; cap_mkdb /etc/login.conf + again, up to the configured number of retries. - To set the expiration on individual users, provide a day - count to &man.pw.8; and a username like: + Most password policies require passwords to + expire after so many days. To set a + password age time in &os;, set + for the user's login class in + /etc/login.conf. The + default login class contains an example: + + # :passwordtime=90d:\ + + So, to set an expiry of 90 days for this login class, + remove the comment symbol (#), save the + edit, and run cap_mkdb /etc/login.conf. + + To set the expiration on individual users, pass an + expiration date or the number of days to expiry + and a username to pw: - &prompt.root; pw usermod -p 30-apr-2014 -n trhodes + &prompt.root; pw usermod -p 30-apr-2015 -n trhodes As seen here, an expiration date is set in the form of - day, month, year. For more information, see - &man.pw.8; + day, month, and year. For more information, see + &man.pw.8;.
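Review bot: in the first hunk (@@ -315,48 +315,55 @@), the rewritten explanation of the `password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users` line drops the only description of `enforce=users` that the removed text had ("finally only enforce this requirement on users. That is, exempt super users"), so a reader no longer learns that with this setting root is warned about a weak password but not blocked; please add a sentence on `enforce` next to the ones for `similar` and `retry`. Two smaller points in the same hunk: the new lead-in promises to configure "the minimum and maximum password length", but the example sets no `max=` option, so either add one to the example or say "minimum password length" only; and since the third `min` field is the passphrase class rather than a third character class, "the first three types of passwords are disabled" also rules out multi-word passphrases, which is worth stating so readers do not assume only single-class and two-class passwords are being rejected.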
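Review bot: in the second hunk (@@ -368,32 +375,34 @@), the text "remove the comment symbol (#), save the edit, and run cap_mkdb /etc/login.conf" reads as if uncommenting `:passwordtime=90d:` immediately puts every account on a 90-day clock, but the login class value is only consulted when a password is set, so existing passwords keep whatever change time they already have; a short caveat that the `pw usermod -p` step is how to expire an existing account's password would prevent a false sense of enforcement. Also, "pass an expiration date or the number of days to expiry" does not match the example `pw usermod -p 30-apr-2015 -n trhodes`, which shows only the date form; if the relative form is meant, show its `+n[mhdwoy]` syntax (for example `-p +30d`) or drop the phrase and refer to pw(8) for the accepted date formats.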